Bug 1632982

Summary: Advanced Installer failed when specifying openshift_master_identity_providers for OpenID (AAD)
Product: OpenShift Container Platform Reporter: Takayoshi Tanaka <tatanaka>
Component: InstallerAssignee: Scott Dodson <sdodson>
Status: CLOSED DUPLICATE QA Contact: Johnny Liu <jialiu>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.10.0CC: aos-bugs, clasohm, jokerman, mmccomas, rhbz, stwalter, vrutkovs
Target Milestone: ---   
Target Release: 3.10.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-29 20:26:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Takayoshi Tanaka 2018-09-26 02:06:15 UTC 
Description of problem:

Version-Release number of the following components:
# rpm -q openshift-ansible
openshift-ansible-3.10.47-1.git.0.95bc2d2.el7_5.noarch

# rpm -q ansible
ansible-2.4.6.0-1.el7ae.noarch

# ansible --version

ansible 2.4.6.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, May 31 2018, 09:41:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]


How reproducible:
Always

Steps to Reproduce:
1. Specify the openshift_master_identity_providers to configure OpenID configuration with AAD.

openshift_master_identity_providers=[{'name': 'aad', 'login': 'true', 'mappingMethod': 'claim', 'kind': 'OpenIDIdentityProvider', 'clientID': 'XXX', 'clientSecret': 'YYY', "claims": {"id": ["sub"], "preferredUsername": ["upn", "unique_name"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://login.microsoftonline.com/ZZZ/oauth2/authorize", "token": "https://login.microsoftonline.com/ZZZ/oauth2/token"}}]

2. Installer waited for a long time (over 6 hours) to wait for control plane pods to appear.

Actual results:
TASK [openshift_control_plane : Wait for control plane pods to appear]

Expected results:
Successfully installed.

Additional info:
Attached in private.

//Set Severity low because it's not found in a customer case.
Comment 2 Johnny Liu 2018-09-26 02:52:49 UTC 
Should be duplicated with BZ#1627764.
Comment 3 Takayoshi Tanaka 2018-09-26 05:45:28 UTC 
After checking the BZ#1627764 and upstream fix is only changed the LDAP Auth configuration. It doesn't make a change to OAuth configuration.

LDAP:
https://github.com/openshift/openshift-ansible/blame/e70f4e7019124e5d7a3a3b138cc1d26db08e924c/roles/lib_utils/filter_plugins/openshift_master.py#L162


OAUTH:
https://github.com/openshift/openshift-ansible/blame/e70f4e7019124e5d7a3a3b138cc1d26db08e924c/roles/lib_utils/filter_plugins/openshift_master.py#L366

After reviewing the repository, '/etc/origin/master/{}_openid_ca.crt'.format(idp['name']) is created only when ``openshift_master_openid_ca_file`` is defined.

openshift_master_openid_ca_file:
https://docs.openshift.com/container-platform/3.10/install_config/configuring_authentication.html

openid_ca is enbaled when openshift_master_openid_ca_file is defined.
https://github.com/openshift/openshift-ansible/blob/openshift-ansible-3.10.45-1/roles/openshift_master_facts/tasks/main.yml#L45


Only when openid_ca is enabled, the file is copied.
https://github.com/openshift/openshift-ansible/blob/openshift-ansible-3.10.45-1/roles/openshift_control_plane/tasks/main.yml#L74

However, the file is always referred even if openid_ca is not enabled.
https://github.com/openshift/openshift-ansible/blob/openshift-ansible-3.10.45-1/roles/lib_utils/filter_plugins/openshift_master.py#L365

This change has been merged in 3.10.42.

I wonder we should this sentence is executed only when the following condition:
> if not self._idp['openid_ca']:
Comment 4 Takayoshi Tanaka 2018-09-26 05:56:20 UTC 
NOT > if not self._idp['openid_ca']:
BUT > if self._idp['openid_ca']:
Comment 5 Johnny Liu 2018-09-26 07:59:14 UTC 
Yeah, just what is side in https://bugzilla.redhat.com/show_bug.cgi?id=1627764#c2, these issues was introduced by one same PR - https://github.com/openshift/openshift-ansible/pull/9731/

Keep this bug for tracking openid auth issue.
Comment 6 Steven Walter 2018-09-27 21:37:21 UTC 
Customer encountered this previously. They were able to get the install to continue by removing the line referring to the CA in master-config.yaml as a workaround.
Comment 9 Leo 2018-11-01 09:53:00 UTC 
As a workaround, you can specify the system CA bundle:

openshift_master_openid_ca_file: /etc/ssl/certs/ca-bundle.crt
Comment 10 Vadim Rutkovsky 2018-11-29 20:26:38 UTC 
(In reply to Takayoshi Tanaka from comment #3)
> After checking the BZ#1627764 and upstream fix is only changed the LDAP Auth
> configuration. It doesn't make a change to OAuth configuration.

BZ#1627764 also applies to OpenID auth.

See https://bugzilla.redhat.com/show_bug.cgi?id=1633137 - documentation bug which describes the new behaviour:

either the admin creates /etc/origin/master/aad_openid_ca.crt on the hosts
or local file specified in `openshift_master_openid_ca_file` var
or CA file contents specified in `openshift_master_openid_ca`

*** This bug has been marked as a duplicate of bug 1627764 ***