Can't remove public access from Super Administrator role

[grzleadams]

I deployed CE v9.1.1 via Helm chart (with ingress enabled, only using our default ingress certificate/enterprise CA instead of generating a certificate as described here) and everything seems to be working fine, except that when I go to remove public access from the Super Administrator role, I get the following error:

Cause: Granted access of the current administrator might be affected by this change.

I'm not sure why this is happening since we do have a match for CN in the client certificate, and it accepts that SuperAdmin certificate for authentication through our ingress, so the user's authorization really shouldn't change when that's removed:

It feels like I've misconfigured something but I have no idea what that is, so I appreciate any feedback. Let me know if any more information is needed as well.

[grzleadams]

Here are the values I used to deploy:

---
image:
  tag: 9.1.1
ejbca:
  useEphemeralH2Database: false
  env:
    DATABASE_JDBC_URL: jdbc:postgresql://postgresql.ejbca.svc.cluster.local:5432/postgres
    DATABASE_USER: postgres
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: postgresql
          key: postgres-password
services:
  directHttp:
    enabled: false
  proxyHttp:
    enabled: true
    type: ClusterIP
    bindIP: 0.0.0.0
    httpPort: 8081
    httpsPort: 8082
ingress:
  enabled: true
  className: <class>
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    nginx.ingress.kubernetes.io/auth-tls-secret: ejbca/managementca-secret
  hosts:
    - host: "ejbca.<domain>"
      paths:
        - path: /ejbca
          pathType: Prefix
  tls:
    - hosts:
        - ejbca.<domain>

The managementca-secret contains only the EJBCA CA's public certificate.

[grzleadams]

It seems like the client certificate isn't being passed from ingress to the pod... I see Welcome to EJBCA Administration., not Welcome SuperAdmin to EJBCA Administration. which normally indicates such a problem (according to the docs). The thing is that I know the certificate is being passed at least to ingress, because otherwise I'd get a 400 (since we're verifying auth). I added the SuperAdmin.p12 to my browser and chose it when prompted, and the ingress controller allows configuration snippets (and the same controller works for SignServer, which requires the same configuration, just fine), so I'm not sure why the certificate wouldn't be getting passed to the upstream. Or, if it is, the EJBCA container isn't processing it.

[primetomas]

Have you looked at other posts here, and the available helm charts, for what environment variables you need to set in nginx/httpd ingress configurations?

[grzleadams]

Yeah, I searched all issues and discussions and didn't see anything matching this issue. I also confirmed that the ingress looks correct (snippets get added, client certificate is set to forward, etc.), which is what makes this confusing.

[primetomas]

Do you use the EJBCA helm charts, or made your own?

This looks very related: #745

Oh, I also see that you public access rule comes before the certificate access one, it's a "first match". So it might actually work, if it is the case that it matches you to the public rule first. This is just a bit of speculation, I don't have the possibility to try myself directly.

Did you look at the Helm chart tutorials btw? https://www.youtube.com/watch?v=jCRXwzX0XHM

(I'll be moving this from an issue to a discussion)

[grzleadams]

I'm using the EJBCA chart (1.0.7) from https://keyfactor.github.io/ejbca-community-helm. I looked through the available guides but in general you don't directly mess around with nginx configuration for ingress in Kubernetes (apart from app-specific configuration, which is provided by the chart in the form of snippets/annotations, which all look right). Isn't that discussion referring to using the nginx proxy as part of the deployment and not ingress?

How can I re-order those rules if I can't delete the public access one?

[primetomas]

This is not my personal expertice, to I'm running a bit blind here. Did you read this as well? https://docs.keyfactor.com/ejbca/latest/ejbca-helm-chart-building-blocks