Integrating MITMProxy with OpenShift Authentication Pod for Troubleshooting

Updated -

Below are steps on how to integrate the MITMProxy with OpenShift 4.x. This can be a useful guide for troubleshooting issues when communicating with external authentication providers.

NOTE: The following guide is only intended to be used in a test or development environment. This will impact your cluster authentication.

Downloads

Download the files used in this article here:

$ wget https://github.com/bostrt/ocp4-auth-mitm/archive/master.zip

Steps

Create Project, Pod, and Service

Create the following resources and initiate port forward so you can access the mitmproxy web interface:

$ cd /tmp
$ wget https://github.com/bostrt/ocp4-auth-mitm/archive/master.zip
$ unzip master.zip
$ cd ocp4-auth-mitm-master/
$ oc new-project mitmproxy; oc project mitmproxy
$ oc create -f resources/mitm-pod.yaml
$ oc create -f resources/mitm-service.yaml
$ oc port-forward svc/mitmproxy --address 127.0.0.1 8888:8081

NOTE: mitmproxy has as security measure preventing it from being accessible using a host name or OpenShift Route. You must use port forwarding. If you use the oc command from a SSH/Bastion host, you may have to use a combination of oc port-forward and SSH port forwarding.

At this point, you should be able to open http://127.0.0.1:8888 in your local web browser.

Extract CA Certificate from MITMProxy

$ oc exec -n mitmproxy mitmproxy cat /root/.mitmproxy/mitmproxy-ca-cert.pem > /tmp/mitmproxy-ca-cert.pem
$ oc create cm user-ca-bundle -n openshift-config --from-file=ca-bundle.crt=/tmp/mitmproxy-ca-cert.pem

Configure OpenShift to trust MITMProxy CA Certificate

DO NOT continue if you have configured a Proxy already.

Use the following to check if you have configured a Proxy or a trusted CA:

$ oc get proxy cluster -o yaml

Continue ONLY IF you do not have a trustedCA configured already.

$ oc patch proxy cluster --type=json -p '[{"op":"add","path":"/spec/trustedCA","value":{"name":"user-ca-bundle"}}]'

Disable the OpenShift Authentication Operator

The following steps must be done to prevent the Operator from overwriting upcoming changes. The very last step in this guide will re-enable the Operator.

$ oc patch clusterversion version --type json -p "$(cat resources/disable-operator-patch.yaml)"
$ oc scale --replicas=0 deploy/authentication-operator -n openshift-authentication-operator

Configure Proxy Environment Variables for Authentication

$ MY_NO_PROXY=$(oc get network cluster --template '{{(index .status.serviceNetwork 0)}},{{(index .status.clusterNetwork 0).cidr}},localhost')
$ oc set env deployment/oauth-openshift -n openshift-authentication HTTP_PROXY=http://mitmproxy.mitmproxy.svc:8080 HTTPS_PROXY=http://mitmproxy.mitmproxy.svc:8080 NO_PROXY=$MY_NO_PROXY
$ oc get pods -n openshift-authentication

Gathering Information from MITMProxy

If you are able to successfully port forward 8081->8888 to your local machine where a web browser exists, you can load http://localhost:8888 there to export any traffic.

NOTE: You can use a tool like https://jwt.io/ to decode the id_token and access_token in OpenID responses to help with troubleshooting.

Alternative Method Using Curl

If the port forwarding is not working for some reason, you can try this from the machine you execute oc commands on:

<make sure oc port-forward is still running>
$ oc port-forward svc/mitmproxy --address 127.0.0.1 8888:8081
<in another terminal on *same* server>
$ curl http://localhost:8888/flows/dump --output dump.bin

The data captured by MITMProxy will be written to dump.bin.

Cleanup

The following step will re-enable management of the OpenShift Authentication Operator. This includes scaling the operator back up and restoring all original settings you have set in the OAuth configuration.

$ oc patch clusterversion version --type json -p '[{"op":"remove", "path":"/spec/overrides"}]'

2 Comments

Just attempted this solution, I think the correct args for the mitm-pod.yaml is below:

args: ["--web-host", "0.0.0.0", "--ssl-insecure"]

--web-iface results in an error in the pod logs

Yes, you are correct. The web-iface flag was renamed to web-host. Thanks for commenting and the source project has been updated.

https://github.com/mitmproxy/mitmproxy/releases/tag/v5.1.0 https://github.com/bostrt/ocp4-auth-mitm/commit/7b13e7671b48a8a70e5d0dc73ddc4a8d2c230279