OpenShift: Cannot inject custom CA for oauth endpoint #411

Closed
X-dark opened this issue Feb 10, 2021 · 8 comments

X-dark commented Feb 10, 2021

Bug description

When using an OAuth endpoint with a custom CA on OpenShift, I cannot get the certificate verification to work. It seems that #363 implies that the CA should be in /run/secrets/kubernetes.io/serviceaccount/ca.crt. This is only the case for the API endpoint, not the OAuth endpoint (which by default gets the wildcard Ingress router certificate).

We can inject the custom CA with a configmap [1] but we cannot overwrite the path above as it is already a mounted secret.

[1] https://docs.openshift.com/container-platform/4.6/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki

@X-dark X-dark added the bug Something isn't working label Feb 10, 2021

welcome bot commented Feb 10, 2021

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

Member

manics commented Feb 10, 2021

Hi 👋 This sounds like a configuration problem rather than a bug. As you've mentioned in opendatahub-io-contrib/jupyterhub-odh#75 (comment) it's likely to be related to a central certificate store rather than something in oauthenticator.

Other SSL issues have been discussed in the past on the community forum https://discourse.jupyter.org/ so would you mind posting there instead? Thanks!

@manics manics added support and removed bug Something isn't working labels Feb 10, 2021

support bot commented Feb 10, 2021

Hi there @X-dark 👋!

I closed this issue because it was labelled as a support question.

Please help us organize discussion by posting this on the http://discourse.jupyter.org/ forum.

Our goal is to sustain a positive experience for both users and developers. We use GitHub issues for specific discussions related to changing a repository's content, and let the forum be where we can more generally help and inspire each other.

Thank you for being an active member of our community! ❤️

@support support bot closed this as completed Feb 10, 2021
Author

X-dark commented Feb 10, 2021

@manics well seems strange to me to hardcode a cacert which is not guaranteed to contain the CA chain of the OAuth endpoint. Will wait for more feedback on the downstream issue then.

Contributor

wseaton commented Feb 11, 2021

This should hopefully be fixed in #410 due to us adding support for the pycurl backend.


galshi commented Aug 16, 2021

@wseaton I see that you've removed the pycurl import from #410, is there a fix in the works for this issue?

Contributor

wseaton commented Aug 16, 2021

@galshi removing the pycurl import shouldn't have affected anything, as it is on by default: #410 (comment)


galshi commented Aug 16, 2021

@wseaton Thanks, didn't notice that.
Custom CA verification still doesn't work for me though, @X-dark have you been able to solve it?
