OIDC - X509: certificate signed by unknown authority

[ReggieCarey]

Problem

failed to initialize server: server: Failed to open connector oidc: failed to open connector: failed to create connector oidc: failed to get provider: Get https:///oauth2/default/.well-known/openid-configuration: x509: certificate signed by unknown authority

Background

Given that my environment is behind a corporate firewall and I'm reaching out to a public IDP, I run into unknown certificate authority.

I thought I might roll my own version of the image but that did not succeed. And its not easily repeatable

So I thought I might upload a complete ca-certificates.crt to a ConfigMap and then update the dex deployment yaml:

    spec:
      volumes:
        - name: config
          configMap:
            name: dex
            items:
              - key: config.yaml
                path: config.yaml
            defaultMode: 420
        - name: ca-certificates
          configMap:
            name: ca-certificates
            items:
              - key: ca-certificates.crt
                path: ca-certificates.crt
            defaultMode: 440

...

          volumeMounts:
            - name: config
              mountPath: /etc/dex/cfg
            - name: ca-certificates
              mountPath: /etc/ssl/certs

Lo and behold! It works. If you're running into this type of problem, this solution worked for me.

Question

Is there a better, more appropriate way to handle this? (My dex is deployed via Kubeflow v1.5.1 manifests)

Cheers