Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pinniped CLI not auto discovering certificateAuthorityDataSource content #2178

Open
devantler opened this issue Jan 9, 2025 · 2 comments
Open

Pinniped CLI not auto discovering certificateAuthorityDataSource content #2178

devantler opened this issue Jan 9, 2025 · 2 comments

Comments

@devantler
Copy link

What happened?

I tried to run pinniped get kubeconfig after configuring my Supervisor and Concierge to work via a GitHubIdentityProvider, FederationDomain, and JWTAuthenticator. I use Jetstacks trust manager to copy my ca-bundle with the correct ca.crt to a Secret in the namespace of the Concierge.

When setting the JWTAuthenticator's spec.tls options with certificateAuthorityData and the value of the ca.crt the pinniped cli can autodiscover the value of certificateAuthorityData. But when setting it with the certificateAuthorityDataSource pinniped cli is unable to autodiscover the value of certificateAuthorityDataSource.key.

See https://kubernetes.slack.com/archives/C01BW364RJA/p1736351917591009 for more info.

What did you expect to happen?

I expected the the pinniped CLI to autodiscover the tls configuration set in my JWTAuthenticator .

What is the simplest way to reproduce this behavior?

Switch between using certificateAuthorityData and certificateAuthorityDataSource in a JWTAuthenticator, and execute pinniped get kubeconfig.

In what environment did you see this bug?

  • Pinniped server version: 2.3.5 (Helm)
  • Pinniped client version: v0.36.0
  • Pinniped container image (if using a public container image): 0.36.0-debian-12-r0
  • Pinniped configuration (what IDP(s) are you using? what downstream credential minting mechanisms are you using?): GitHub, Cert Manager, Trust Manager
  • Kubernetes version (use kubectl version): v1.32.0
  • Kubernetes installer & version (e.g., kubeadm version): kind v0.26.0 go1.23.4 darwin/arm64
  • Cloud provider or hardware configuration: kind v0.26.0 go1.23.4 darwin/arm64
  • OS (e.g: cat /etc/os-release): MacOS 15.2
  • Kernel (e.g. uname -a): Darwin Kernel Version 24.2.0
  • Others: ??

What else is there to know about this bug?

A workaround is to feed in the necessary information to the pinniped cli:

pinniped get kubeconfig --oidc-ca-bundle ca-bundle.crt # where the ca-bundle.crt file contains the value of the ca.crt for the CA used to create the pinniped tls cert.
@cfryanr
Copy link
Member

cfryanr commented Jan 9, 2025

Thanks for creating this issue! And thanks for also documenting the workaround for the community.

As discussed in Slack, this was an oversight and should be improved.

Might you have any interest in creating a PR to fix this? If not, the maintainers will get to it when we can.

@devantler
Copy link
Author

Hi @cfryanr,

Our team currently do not have the time/resources to do the contribution, and we deemed the workaround good enough for now. So we will not be doing a contribution on the short run.

We do however want this to work (and we have made an issue on it in our own backlog), so the priority might change, and we might pick it up then. So let's just see who gets time first 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cfryanr @devantler