Bug 1615275
Summary: | cookie_secret don't meet the kibana require after upgrade | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Anping Li <anli> |
Component: | apiserver-auth | Assignee: | Simo Sorce <ssorce> |
Status: | CLOSED ERRATA | QA Contact: | Chuan Yu <chuyu> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 3.11.0 | CC: | anli, aos-bugs, jcantril, jkarasek, juzhao, mkhan, rmeggins, ssorce |
Target Milestone: | --- | ||
Target Release: | 3.11.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-10-11 07:24:39 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Anping Li
2018-08-13 08:39:48 UTC
@Mo, Can you provide any advice here? I am moving this to the auth team since we own the proxy. Can we get the full YAML of the templates used to create these components as well as the output of: oc get all -o yaml oc get secrets -o yaml This error comes from the newly used oauth-proxy. The problem is that the previously used fabric8io/openshift-auth-proxy had different requirements on cookie secrets. I suggest that we re-generate the cookie secret during upgrade. The upgrade playbook reads secrets and certs from the file system, if they exist. So deleting the secret file before running the generate certs task should solve the problem. Page refresh in browser and a fresh log-in will be necessary after the update. Simo, Is there something here to be 'fixed' in the component or simply a usage bug as identified in the PR? Do we simply need to regen the secret On our side we'll eventually take care of this, but for now on your side just regen the secret. Commits pushed to master at https://github.com/openshift/openshift-ansible https://github.com/openshift/openshift-ansible/commit/a696933a304d00cb3891ec49d938084037aa7954 Bug 1615275. Regenerate session_secret if it can't be used with oauth-proxy session_secret generated by 3.10 is 200 bytes. oauth-proxy can use 16, 24 or 32 bytes session_secret. https://github.com/openshift/openshift-ansible/commit/2fb6224c12fffd7862a0e0cceba4eac57279c652 Merge pull request #9613 from t0ffel/master Bug 1615275. Regenerate session_secret if it can't be used with oauth-proxy *** Bug 1618581 has been marked as a duplicate of this bug. *** The kibana can be started and login after update by openshift-anisble:v3.11.0-0.17.0.0 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2652 |