Bug 1739262: RequestHeaders IdP: fix TLS handshake [4.1]

[stlaz]

OAuth server uses the APIServer wrapping for its endpoints. This
wrapping has its own RequestHeader IdP for the cluster admin login
with client cert. As a part of that, before the RequestHeader is
set, DelegatingAuthenticationOptions() adds its own ClientCA to
the serving info config.

The result of the above behavior is that during TLS handshake, when
the names for acceptable client certificate CAs are announced, the
CAs of the above mentioned apiserver RequestHeader IdP are announced.

When users configure their own RequestHeader IdP to be used in
OpenShift for the oauth-server to try to retrieve the users from,
oauth-server was not adding this RequestHeader's client CA name
among the acceptable client certificate CA names mentioned above.

This commit adds the client CA data from the user specified
RequestHeader IdP to 'GenericConfig.SecureServing.ClientCA',
which is later converted to tlsConfig object which defines the
data to be used in TLS handshakes.

/assign @deads2k

[openshift-ci-robot]

@stlaz: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

Details

In response to this:

RequestHeaders IdP: fix TLS handshake

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@stlaz: This pull request references Bugzilla bug 1739262, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Bug 1739262: RequestHeaders IdP: fix TLS handshake

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[stlaz]

/hold
This flag's backend changed in later versions, I need to see that this still works

[stlaz]

/hold cancel
the proper CA names are being announced

[stlaz]

/retest

[stlaz]

unit tests are failing because https://www.cvedetails.com/cve/CVE-2019-14809/ got fixed in golang 1.11, I wonder whether the rest is the same

[stlaz]

depends on #24111 for integration tests fix

[eparis]

/retest

[deads2k]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/oauthserver/OWNERS [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@stlaz: All pull requests linked via external trackers have merged. Bugzilla bug 1739262 has been moved to the MODIFIED state.

Details

In response to this:

Bug 1739262: RequestHeaders IdP: fix TLS handshake [4.1]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.