Bug 1628837

Summary: [3.11] master static pod failed to start when kerberos auth is set
Product: OpenShift Container Platform
Reporter: Johnny Liu <jialiu>
Component: Documentation
Assignee: Latha S <lmurthy>
Status: CLOSED WONTFIX
QA Contact: Xiaoli Tian <xtian>
Severity: medium
Docs Contact: Latha S <lmurthy>
Priority: high
Version: 3.11.0
CC: mmccomas, sdodson, wmeng
Target Milestone: ---
Keywords: Regression
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1628834
Last Closed: 2022-07-07 11:20:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1628834

Description Johnny Liu 2018-09-14 07:22:16 UTC
Just checked openshift-ansible-3.11.6-1, the same issue as 3.10, so this issue should also happen with 3.11.

+++ This bug was initially created as a clone of Bug #1628834 +++

Description of problem:

Version-Release number of the following components:
openshift-ansible-3.10.47-1.git.0.95bc2d2.el7_5.noarch

How reproducible:
Always

Steps to Reproduce:
1. Enable kerberos auth for a fresh install
openshift_master_identity_providers=[{'name': 'kerberos_auth', 'login': 'true', 'challenge': 'true', 'mappingMethod': 'claim', 'kind': 'RequestHeaderIdentityProvider', 'headers': ['X-Remote-User'], 'challengeURL': 'https://host-8-252-241.host.centralci.eng.rdu2.redhat.com/challenging-proxy/oauth/authorize?${query}', 'loginURL': 'https://xxx/login-proxy/oauth/authorize?${query}', 'clientCA': '/etc/origin/master/ca.crt'}]

Actual results:
master api failed to start.
api log:
<--snip-->
I0914 06:39:00.315873       1 plugins.go:84] Registered admission plugin "StorageObjectInUseProtection"
Invalid MasterConfig /etc/origin/master/master-config.yaml
  oauthConfig.identityProvider[0].provider.clientCA: Invalid value: "/etc/origin/master/kerberos_auth_request_header_ca.crt": could not read file: stat /etc/origin/master/kerberos_auth_request_header_ca.crt: no such file or directory

In QE's testing, we do not intend to specify a local customized CA file; we just want to use the master ca.crt generated when the master bootstraps. This was working well for several years; now it is broken.

Expected results:
No breaking for install

Additional info:
This is similar to BZ#1627764; I dug into the code a little:
    # Excerpt from openshift-ansible, class RequestHeaderIdentityProvider
    # (the base class is not shown here).
    def __init__(self, api_version, idp):
        super(RequestHeaderIdentityProvider, self).__init__(api_version, idp)
        self._allow_additional = False
        self._required += [['headers']]
        # Each pair is [master-config key, inventory key].
        self._optional += [['challengeURL', 'challenge_url'],
                           ['loginURL', 'login_url'],
                           ['clientCA', 'client_ca'],
                           ['clientCommonNames', 'client_common_names'],
                           ['emailHeaders', 'email_headers'],
                           ['nameHeaders', 'name_headers'],
                           ['preferredUsernameHeaders', 'preferred_username_headers']]
        # Unconditionally overwrites any clientCA the user supplied in the inventory.
        self._idp['clientCA'] = \
            '/etc/origin/master/{}_request_header_ca.crt'.format(idp['name'])

I think _idp['clientCA'] should be set *ONLY* when clientCA is not specified by the user in openshift_master_identity_providers.
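The following is an added example, not openshift-ansible code and not part of the report above. It puts the unconditional overwrite the reporter describes next to the "default only when the inventory did not supply clientCA" behaviour he asks for, and adds a pre-flight check that finds the missing file before the master API does. The inventory value is constructed (a cut-down copy of the one in the reproduction steps), the path template is the one from the snippet, and the `exists` predicate is injectable so the check can run against a fake filesystem; the function names are my own.

```python
# Added example (not openshift-ansible's code): the overwrite described in the
# report beside a defaulting variant, plus a pre-flight check for the CA file.
import ast
import os

# Path template copied from the snippet in the report.
DEFAULT_CA_TEMPLATE = '/etc/origin/master/{}_request_header_ca.crt'

# Constructed inventory value, cut down to the keys that matter here; the real
# openshift_master_identity_providers line carries the same shape.
INVENTORY_VALUE = (
    "[{'name': 'kerberos_auth', 'kind': 'RequestHeaderIdentityProvider', "
    "'headers': ['X-Remote-User'], 'clientCA': '/etc/origin/master/ca.crt'}]"
)


def parse_identity_providers(value):
    """Parse the Python-literal list used for openshift_master_identity_providers."""
    idps = ast.literal_eval(value)
    if not isinstance(idps, list):
        raise ValueError('expected a list of identity providers')
    return idps


def client_ca_overwriting(idp):
    """Behaviour in the report: the computed path replaces whatever was given."""
    result = dict(idp)
    result['clientCA'] = DEFAULT_CA_TEMPLATE.format(idp['name'])
    return result


def client_ca_defaulting(idp):
    """Requested behaviour: the computed path is used only if clientCA is absent."""
    result = dict(idp)
    result.setdefault('clientCA', DEFAULT_CA_TEMPLATE.format(idp['name']))
    return result


def missing_client_cas(idps, exists=os.path.isfile):
    """Return (name, path) for every RequestHeader idp whose clientCA path is
    not an existing file. The master performs the equivalent stat at startup
    and refuses the config; catching it here keeps the install from breaking.
    `exists` is injectable so the check can run without touching the host."""
    missing = []
    for idp in idps:
        if idp.get('kind') != 'RequestHeaderIdentityProvider':
            continue
        path = idp.get('clientCA')
        if path and not exists(path):
            missing.append((idp['name'], path))
    return missing


if __name__ == '__main__':
    idps = parse_identity_providers(INVENTORY_VALUE)
    present = {'/etc/origin/master/ca.crt'}  # constructed: files present on a master
    for builder in (client_ca_overwriting, client_ca_defaulting):
        rendered = [builder(idp) for idp in idps]
        print(builder.__name__, missing_client_cas(rendered, present.__contains__))
```

Run against the constructed inventory, the overwriting variant reports the kerberos_auth_request_header_ca.crt path as missing (the exact error in the API log above), while the defaulting variant keeps /etc/origin/master/ca.crt and reports nothing.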

Comment 1 Michael Gugino 2018-11-29 19:18:08 UTC
Moving to documentation.