#76 Support ssl cert auth
Closed: Fixed 6 years ago Opened 6 years ago by ralph.

... because kerberos in openshift won't work until we globally kill canonicalization and we can't wait that long.


I've spent some time investigating this. It turns out that this might be more complicated than we thought. Basically, to get it to work, we need to:

  • Switch to “passthrough” route so that TLS termination is handled on the pod level.
  • Configure Nginx/Apache on the pod level for doing ssl client certificate authentication.

More details of this approach can be found here[1]. I'm not sure if it is worth doing since our idea is just to find an easy way to work around the Kerberos issue. Maybe there is a third option or we should go back to fix the Kerberos issue in OpenShift. Thoughts?

[1] https://developers.redhat.com/blog/2017/01/24/end-to-end-encryption-with-openshift-part-1-two-way-ssl/

Well, the kerberos fix might really be a year out or more... So I think we'll still be forced to do SSL cert

FWIW, we may be able to copy what was done for ODCS in https://pagure.io/odcs/pull-request/132

@ralph the problem though is that the TLS termination needs to be done by the side that verifies the client certificate, and with most OpenShift routes, TLS is terminated by the OpenShift proxies.
If you want to use passthrough (basically, have the pod terminate TLS), that means you need to get the TLS server certificate for the route in all the pods as well.
(Do note that none of this will work in the Fedora Infra because of other layers as well; I don't know whether that's the case in RH's OpenShift too. But then I'm assuming that for Fedora, we are going to remain using OIDC for everything.)
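
The two steps discussed above (a passthrough route, plus client-certificate verification in the pod's own web server), as an added configuration sketch that is not taken from this project or from the linked ODCS pull request. The names `myapp` and `myapp.example.com`, the ports, the file paths and the `X-SSL-Client-*` header names are all assumptions.

```yaml
# Added example: every name, host, port and path below is an assumption.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: myapp
spec:
  host: myapp.example.com
  to:
    kind: Service
    name: myapp
  port:
    targetPort: https
  tls:
    # passthrough: the router forwards the encrypted stream untouched, so the
    # TLS handshake (including the client certificate) reaches the pod.
    # With "edge" or "reencrypt" the router terminates TLS and the pod never
    # sees the client certificate.
    termination: passthrough
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: myapp-nginx
data:
  default.conf: |
    server {
        listen 8443 ssl;
        server_name myapp.example.com;

        # The server certificate for the route's hostname now has to be
        # mounted into every pod, because the pod terminates TLS.
        ssl_certificate     /etc/nginx/tls/tls.crt;
        ssl_certificate_key /etc/nginx/tls/tls.key;

        # Only client certificates chaining to this CA bundle are accepted;
        # requests without a valid certificate are rejected by nginx.
        ssl_client_certificate /etc/nginx/client-ca/ca.crt;
        ssl_verify_client on;
        ssl_verify_depth 2;

        location / {
            # Always set these headers here so a client-supplied copy is
            # overwritten; the app must only trust them from this proxy.
            proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
            proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
            proxy_pass http://127.0.0.1:8080;
        }
    }
```

The application behind nginx should listen only on localhost, since anything that can reach port 8080 directly could set the identity headers itself.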

> FWIW, we may be able to copy what was done for ODCS in https://pagure.io/odcs/pull-request/132

We could, but at first we need to implement two-way authentication in OpenShift.

> (Do note that none of this will work in the Fedora Infra because of other layers as well; I don't know whether that's the case in RH's OpenShift too. But then I'm assuming that for Fedora, we are going to remain using OIDC for everything.)

Yeah, this is just for internal use. In fedora, we will stick with OIDC.

Metadata Update from @dcallagh:
- Issue assigned to mjia
- Issue set to the milestone: 0.5

6 years ago

Metadata Update from @gnaponie:
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @dcallagh:
- Issue close_status updated to: Fixed

6 years ago
