Copilot AI commented Feb 4, 2026

OIDC authentication fails when identity providers use custom CA certificates. The Go client supports this via idp-certificate-authority and idp-certificate-authority-data kubeconfig attributes, but the JavaScript client ignores them.

Changes

  • Modified src/oidc_auth.ts:

    • Added CA certificate detection from idp-certificate-authority and idp-certificate-authority-data config attributes
    • Created custom https.Agent with CA when present
    • Implemented fetch-compatible wrapper using Node.js https module that applies the agent
    • Passed custom fetch to openid-client v6's discovery() via customFetch option
  • Added tests for both file-based and base64-encoded CA configurations

Implementation

The openid-client v6 library exposes a customFetch symbol for request customization. When a custom CA is configured, we create an https.Agent with the CA and wrap https.request in a fetch-compatible interface:

import * as https from 'node:https';
import * as oidc from 'openid-client';
// ca is the PEM bundle resolved from idp-certificate-authority / idp-certificate-authority-data;
// issuerUrl and clientId come from the same kubeconfig auth-provider config.
const agent = new https.Agent({ ca });
const customFetchFn = async (url: string, options: any): Promise<Response> => {
    const urlObj = new URL(url);
    const requestOptions: https.RequestOptions = {
        hostname: urlObj.hostname,
        port: urlObj.port,
        path: urlObj.pathname + urlObj.search,
        method: options?.method || 'GET',
        headers: options?.headers || {},
        agent: agent,
    };
    // Drive https.request through the CA-aware agent and return a WHATWG Response, as openid-client expects.
    return new Promise<Response>((resolve, reject) => {
        const req = https.request(requestOptions, (res) => {
            const chunks: Buffer[] = [];
            res.on('data', (chunk: Buffer) => chunks.push(chunk));
            res.on('error', reject);
            res.on('end', () => {
                const body = chunks.length > 0 ? Buffer.concat(chunks) : null; // Response() rejects a body on 204/304
                resolve(new Response(body, {
                    status: res.statusCode ?? 500,
                    headers: res.headers as Record<string, string>,
                }));
            });
        });
        req.on('error', reject);
        if (options?.body) req.write(options.body);
        req.end();
    });
};

configuration = await oidc.discovery(
    issuerUrl,
    clientId,
    undefined,
    undefined,
    { [oidc.customFetch]: customFetchFn },
);

This ensures all OIDC requests (discovery and token refresh) use the custom CA.

Original prompt

This section details the original issue you should resolve.

<issue_title>OIDC auth does not handle custom CA certs</issue_title>
<issue_description>Looking at the Go client implementation, one is able to use trusted IDP certs with idp-certificate-authority or idp-certificate-authority-data attributes. See: https://github.com/kubernetes/kubernetes/blob/a3ccea9d8743f2ff82e41b6c2af6dc2c41dc7b10/staging/src/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go#L41-L42

Currently the OIDC auth implementation does not handle those attributes at all, which means the OIDC auth will fail when the IdP uses a custom CA (custom == something not bundled in Node itself).

For pure Node clients one could use NODE_EXTRA_CA_CERTS to point to a local CA bundle file with the IdP CA in it. For us this does not work, as we're building an Electron-based app that does not allow one to extend the CA bundles at all. :(</issue_description>

Comments on the Issue (you are @copilot in this section)

<comment_new>@brendandburns
We'd be happy to take a PR to add this support.

Thanks!</comment_new>
<comment_new>@brendandburns
/remove-lifecycle-stale</comment_new>
<comment_new>@brendandburns
fwiw, I looked into the oidc client library here:

https://github.com/panva/node-openid-client/blob/2dfa313f24bab351344932b7b1c67c9cab6031f8/lib/helpers/client.js

And I don't think that the library supports custom Certificate Authorities.</comment_new>
<comment_new>@brendandburns
/lifecycle frozen</comment_new>
<comment_new>@brendandburns
@panva can you give a code sample of how to pass that through? The last time I looked at the code path I didn't see a way to pass that through from the OIDC client interface in the library.</comment_new>



@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 4, 2026
…rity and idp-certificate-authority-data

Co-authored-by: brendandburns <[email protected]>
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 4, 2026
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 4, 2026
Copilot AI changed the title from "[WIP] Fix OIDC auth to handle custom CA certs" to "Add OIDC custom CA certificate support via idp-certificate-authority attributes" Feb 4, 2026
Copilot AI requested a review from brendandburns February 4, 2026 20:13
@brendandburns brendandburns marked this pull request as ready for review February 7, 2026 03:53
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 7, 2026
@k8s-ci-robot k8s-ci-robot requested a review from cjihrig February 7, 2026 03:53
@brendandburns

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 8, 2026
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, Copilot

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 8, 2026
@k8s-ci-robot k8s-ci-robot merged commit c2de646 into main Feb 8, 2026
10 checks passed

Successfully merging this pull request may close these issues.

OIDC auth does not handle custom CA certs