Skip to content

CNTRLPLANE-3751: Add dynamic proxy CA reload for outbound IdP transports#244

Draft
tchap wants to merge 1 commit into
openshift:masterfrom
tchap:auth-proxy
Draft

CNTRLPLANE-3751: Add dynamic proxy CA reload for outbound IdP transports#244
tchap wants to merge 1 commit into
openshift:masterfrom
tchap:auth-proxy

Conversation

@tchap

@tchap tchap commented Jun 30, 2026

Copy link
Copy Markdown

When PROXY_TRUSTED_CA_FILE is set, the OAuth Server watches the proxy CA file on disk and rebuilds outbound HTTP transports when it changes. The proxy CA is combined with any static IdP CA in the transport's RootCAs, so TLS-intercepting or HTTPS proxies are trusted alongside IdP endpoints.

The dynamicCARoundTripper uses DynamicFileCAContent (fsnotify + periodic poll) and swaps the underlying transport atomically. On reload failure the old transport is preserved.

Summary by CodeRabbit

  • New Features

    • Added support for dynamically updating trusted CA certificates used by OAuth-related outbound connections.
    • OAuth and password-auth connections can now use proxy-trusted CA settings from server configuration.
  • Bug Fixes

    • Improved TLS client setup for authentication and provider requests, including better handling of certificate, key, and CA combinations.
    • Fixed CA reload behavior so existing connections remain usable while trust settings update in the background.

When PROXY_TRUSTED_CA_FILE is set, the OAuth Server watches the proxy CA
file on disk and rebuilds outbound HTTP transports when it changes. The
proxy CA is combined with any static IdP CA in the transport's RootCAs,
so TLS-intercepting or HTTPS proxies are trusted alongside IdP endpoints.

The dynamicCARoundTripper uses DynamicFileCAContent (fsnotify + periodic
poll) and swaps the underlying transport atomically. On reload failure
the old transport is preserved.
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 30, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@tchap: This pull request references CNTRLPLANE-3751 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

When PROXY_TRUSTED_CA_FILE is set, the OAuth Server watches the proxy CA file on disk and rebuilds outbound HTTP transports when it changes. The proxy CA is combined with any static IdP CA in the transport's RootCAs, so TLS-intercepting or HTTPS proxies are trusted alongside IdP endpoints.

The dynamicCARoundTripper uses DynamicFileCAContent (fsnotify + periodic poll) and swaps the underlying transport atomically. On reload failure the old transport is preserved.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 30, 2026
@openshift-ci

openshift-ci Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Caution

Review failed

An error occurred during the review process. Please try again later.

Walkthrough

Adds a dynamicCARoundTripper that hot-reloads a proxy trusted CA bundle from a file, using an atomically-swapped http.Transport. OAuthServerConfig gains proxyTrustedCA (from PROXY_TRUSTED_CA_FILE env) and dynamicTransports fields; transport construction is moved to (*OAuthServerConfig).transportFor, which routes through the dynamic or static path; a post-start hook starts all dynamic watchers.

Changes

Dynamic Proxy CA Transport

Layer / File(s) Summary
ExtraOAuthConfig fields and startup hook
pkg/oauthserver/oauth_apiserver.go
ExtraOAuthConfig gains proxyTrustedCA and dynamicTransports fields. NewOAuthServerConfig reads PROXY_TRUSTED_CA_FILE into proxyTrustedCA. A new postStartHook (openshift.io-StartDynamicCAWatchers) starts each dynamicTransport's run(ctx) in a goroutine.
dynamicCARoundTripper implementation
pkg/oauthserver/dynamic_transport.go
New file introduces dynamicCARoundTripper: constructor loads DynamicFileCAContent and builds the initial transport; buildTransport assembles an x509.CertPool from optional IdP CA file and current proxy CA bundle; Enqueue atomically swaps in a new transport and closes idle connections on the old one; RoundTrip delegates to the atomic transport; run starts the file watcher.
OAuthServerConfig.transportFor
pkg/oauthserver/auth.go
Package-level transportFor/transportForInner replaced by (*OAuthServerConfig).transportFor and (*OAuthServerConfig).transportForInner. When proxyTrustedCA is set, creates and registers a dynamicCARoundTripper; otherwise builds a static TLS transport. All callers in getOAuthProvider and getPasswordAuthenticator updated to use c.transportFor(...).
Tests
pkg/oauthserver/dynamic_transport_test.go
Adds helpers for ephemeral CA/cert generation and TLS test servers. Five test cases: proxy-CA-only, combined IdP+proxy CAs, hot-reload after PEM overwrite, error resilience on corrupt PEM, and constructor failure on nonexistent file.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)


Comment @coderabbitai help to get the list of available commands.

@tchap

tchap commented Jun 30, 2026

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot

openshift-ci-robot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@tchap: This pull request references CNTRLPLANE-3751 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tchap
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants