SUMMARY
We are using VMware Tanzu (TKGI) version 1.17, which provides a Kubernetes cluster in version 1.26.5.
With the tkgi CLI we can fetch a kubeconfig which looks like this:
The k8s API is using a certificate signed with the VMware self-signed CA.
The idp-issuer-url is hosted with a certificate signed with the Company Root CA.
Now the issue:
As long as the id-token is within its 5-minute validity period, the k8s modules are working fine and are able to perform all tasks against the k8s API. Once the token has expired, it tries to communicate with the idp-issuer-url and fails with the following error:
It looks like the modules are not using the certificate in idp-certificate-authority-data while talking to idp-issuer-url when trying to fetch a new token to verify the trust.
Switching over to the shell module and running kubectl commands instead works fine, even after the expiry.
In fact, this is one workaround: just run something like kubectl get pods to refresh the token in the kubeconfig, then the modules start working again.
I can reproduce the issue with plain python commands and am also able to solve it:
```
$ python3
Python 3.9.16 (main, May 31 2023, 12:21:58)
[GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> response = requests.get('https://tkgi.domain.company:8443')
<<<< same error as above >>>>
```
When exporting the REQUESTS_CA_BUNDLE to point to a cert bundle which includes the company Root CA certificate the issue is gone. From what I understood, the requests API is using the cert bundle shipped with certifi python package.
```
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.trust.crt
$ python3
Python 3.9.16 (main, May 31 2023, 12:21:58)
[GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> response = requests.get('https://tkgi.domain.company:8443')
>>> print(response)
<Response [200]>
```
I tried already to set the same environment variable for the k8s task in Ansible or in the shell where Ansible is executed, but without success.
Even replacing the .pem files that I found in the virtual env didn't help...
I am not able to figure out which certificate bundle is used by the k8s module while talking to the idp-issuer-url or if any is used at all. From my perspective it should use the one that is given in the kubeconfig.
Maybe someone could have a look into the code to analyze this issue, which is IMHO a bug.
EXPECTED RESULTS
The module should use the CA certificate which is given in the kubeconfig when talking to the OIDC auth endpoint while refreshing the token.
ACTUAL RESULTS
Please see the summary above
```
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='tkgi.domain.company', port=8443): Max retries exceeded with url: /oauth/token/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
```
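As an added example (not the reporter's code and not the collection's own implementation), this stand-alone Python sketch shows the expected behaviour described above: take the OIDC auth-provider config from the kubeconfig, decode idp-certificate-authority-data, and use it as the only trust anchor for the discovery request that fails in the report, falling back to the system store only when the kubeconfig carries no IdP CA. The kubeconfig dict, user name, token values and the PLACEHOLDER certificate are constructed; the issuer URL is taken from the path in the reported error.

```python
import base64
import ssl
import urllib.request
from typing import Optional, Tuple

# Constructed sample in the shape of a tkgi-issued kubeconfig with an "oidc" auth-provider.
# The real certificate is not on the page; PLACEHOLDER stands in for the base64 PEM of the
# company root CA, so only the pure parsing helpers below can run against it offline.
SAMPLE_KUBECONFIG = {
    "current-context": "tkgi-cluster",
    "contexts": [{"name": "tkgi-cluster", "context": {"cluster": "tkgi-cluster", "user": "tkgi-user"}}],
    "users": [{
        "name": "tkgi-user",
        "user": {"auth-provider": {"name": "oidc", "config": {
            "idp-issuer-url": "https://tkgi.domain.company:8443/oauth/token",
            "idp-certificate-authority-data": base64.b64encode(
                b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
            "id-token": "expired.id.token",                 # constructed, not a real JWT
            "refresh-token": "constructed-refresh-token",   # constructed
        }}},
    }],
}

def oidc_config(kubeconfig: dict) -> dict:
    """Return the auth-provider config of the user selected by current-context."""
    ctx = next(c for c in kubeconfig["contexts"] if c["name"] == kubeconfig["current-context"])
    user = next(u for u in kubeconfig["users"] if u["name"] == ctx["context"]["user"])
    provider = user["user"]["auth-provider"]
    if provider["name"] != "oidc":
        raise ValueError(f"user {user['name']} does not use the oidc auth-provider")
    return provider["config"]

def discovery_url(config: dict) -> str:
    """Issuer plus /.well-known/openid-configuration, the path seen in the reported error."""
    return config["idp-issuer-url"].rstrip("/") + "/.well-known/openid-configuration"

def trust_source(config: dict) -> Tuple[str, Optional[str]]:
    """('kubeconfig', pem) when the kubeconfig carries an IdP CA, else ('system', None)."""
    data = config.get("idp-certificate-authority-data")
    if not data:
        return "system", None
    return "kubeconfig", base64.b64decode(data).decode()

def ssl_context_for_idp(config: dict) -> ssl.SSLContext:
    """Verify the IdP against the kubeconfig CA when present, otherwise the default trust store."""
    source, pem = trust_source(config)
    return ssl.create_default_context(cadata=pem) if source == "kubeconfig" else ssl.create_default_context()

def fetch_discovery(config: dict) -> bytes:
    """GET the discovery document with the kubeconfig CA as trust anchor (needs network and a real CA)."""
    with urllib.request.urlopen(discovery_url(config), context=ssl_context_for_idp(config)) as resp:
        return resp.read()
```

With a real idp-certificate-authority-data value, fetch_discovery succeeds without REQUESTS_CA_BUNDLE or any change to the certifi bundle, which is the behaviour the expected-results section asks for.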