sso.certificate_authority is ignored by Authservice throughout OIDC flow

My setup uses BB keycloak running on the same cluster as authservice.

Authservice ignores the certificate authority passed to sso.certificate_authority. The value does make it into the secret, however, when querying the jwks_uri + requesting tokens I receive SSL CERTIFICATE VERIFIED FAILED from the Authservice pod. Setting skip_verify_peer_cert in the 3 locations described here: https://github.com/istio-ecosystem/authservice/blob/master/docs/README.md will bypass these errors and allow a login as long as the istiocontrolplane istiooperator has spec.values.pilot.jwksResolverExtraRootCA added to it (related issue: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane/-/issues/90). I am able to get a successful login utilizing the following fix:

authservice:
  # TODO: Bigbang does not support creating a CA secret or mounting it to authservice. Their official supported way through sso.certificate_authority does not work to trust the jwks_uri w/ our certificate. Has to be in the system certs.
  # TODO: Piggybacking off an existing secret to add the ca.pem and then setting an environment variable to utilize it.
  postRenderers:
    - kustomize:
        patchesJson6902:
          - patch:
              - op: add
                path: /stringData/ca-bundle.crt
                value: {{ sso.certificate_authority | to_json }}
            target:
              kind: Secret
              name: authservice
              namespace: authservice
              version: v1
          - patch:
              - op: add
                path: /spec/template/spec/volumes/-1
                value:
                  name: tls-sso-ca
                  secret:
                    secretName: authservice
                    items:
                      - key: ca-bundle.crt
                        path: ca-bundle.crt
                    defaultMode: 420
              - op: add
                path: /spec/template/spec/containers/0/volumeMounts/-1
                value:
                  name: tls-sso-ca
                  mountPath: /etc/pki/tls/certs
            target:
              group: apps
              kind: Deployment
              name: authservice
              namespace: authservice
              version: v1

I've tried the fullchain, as well as the root CA (I am using a certificate that is signed by a globalsign root3 and intermediate CA) passed to sso.certificate_authority with no difference. The only solution that allows authservice to trust our keycloak https endpoint is the above fix and overwriting the ca bundle at /etc/pki/tls/certs/ca-bundle.crt.