Bug 1639589

Summary: OpenShift 3.10 Missing CA for LDAP Config during upgrade
Product: OpenShift Container Platform
Reporter: Jaspreet Kaur <jkaur>
Component: Installer
Assignee: Vadim Rutkovsky <vrutkovs>
Status: CLOSED ERRATA
QA Contact: Gaoyun Pei <gpei>
Severity: high
Docs Contact:
Priority: high
Version: 3.10.0
CC: aos-bugs, dmoessne, erich, gpei, jkaur, jokerman, jtudelag, mmccomas, mrobson, scuppett, vhernand, vlaad, vrutkovs
Target Milestone: ---
Target Release: 3.10.z
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: master config for LDAP identity provider was not updated during 3.9 -> 3.10 upgrade
Consequence: LDAP authentication was broken after update to 3.10
Fix: CA file is copied on masters and configuration is amended to use it
Result: LDAP authentication works after cluster upgrade
Story Points: ---
Clone Of: 1614414
Environment:
Last Closed: 2019-01-10 09:27:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1614414    
Bug Blocks:    

Comment 10 Vadim Rutkovsky 2018-10-17 18:25:54 UTC
Created https://github.com/openshift/openshift-ansible/pull/10432

Comment 11 Vadim Rutkovsky 2018-10-26 09:09:41 UTC
Fix is available in openshift-ansible-3.10.63-1

Comment 12 Gaoyun Pei 2018-10-29 08:07:18 UTC
Verified with openshift-ansible-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm

With the following two parameters defined in the ansible inventory file, upgrade an ocp-3.9 cluster to 3.10.

openshift_master_identity_providers=[{'name': 'LDAP_auth', 'login': 'true', 'challenge': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['uid'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'url': 'ldap://test.com:389/ou=People,dc=my-domain,dc=com?uid'}]
openshift_master_ldap_ca_file=/extra-ansible/files/ldap.ca.crt

During the upgrade, the specified LDAP CA file was copied to the master as /etc/origin/master/LDAP_auth_ldap_ca.crt, and oauthConfig.identityProviders in master-config.yaml was updated correspondingly.

  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: LDAP_auth
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - uid
        preferredUsername:
        - uid
      bindDN: ''
      bindPassword: ''
      ca: /etc/origin/master/LDAP_auth_ldap_ca.crt
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldap://test.com:389/ou=People,dc=my-domain,dc=com?uid
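
A post-upgrade check of the kind Comment 12 performs by hand, written as an added example (not code from openshift-ansible or from this bug): it walks the identityProviders entries of master-config.yaml and reports LDAP providers whose CA file is unset or not present on the master, plus the weak insecure: true setting. The YAML above is embedded as an equivalent Python structure so the snippet needs no YAML library; the function name check_ldap_providers is my own.

```python
import os
from urllib.parse import urlsplit

# Constructed sample: the identityProviders stanza from Comment 12 above,
# as Python data (on the page it is YAML inside master-config.yaml).
SAMPLE_PROVIDERS = [{
    "name": "LDAP_auth", "challenge": True, "login": True, "mappingMethod": "claim",
    "provider": {
        "apiVersion": "v1", "kind": "LDAPPasswordIdentityProvider",
        "bindDN": "", "bindPassword": "",
        "ca": "/etc/origin/master/LDAP_auth_ldap_ca.crt",
        "insecure": False,
        "url": "ldap://test.com:389/ou=People,dc=my-domain,dc=com?uid",
    },
}]


def check_ldap_providers(providers, file_exists=os.path.isfile):
    """Return (provider name, finding) tuples; an empty list means the config is sound.

    Flags the failure mode from this bug (CA file not referenced or not present on
    the master) and the weak setting a reviewer would also want surfaced
    (insecure: true). `file_exists` is injectable so the check can run against a
    master-config.yaml copied off the host.
    """
    findings = []
    for idp in providers:
        prov = idp.get("provider", {})
        if prov.get("kind") != "LDAPPasswordIdentityProvider":
            continue
        name = idp.get("name", "<unnamed>")
        scheme = urlsplit(prov.get("url", "")).scheme or "ldap"
        ca = prov.get("ca") or ""
        if prov.get("insecure", False):
            findings.append((name, "insecure: true, bind credentials travel without TLS"))
            continue
        # insecure: false means StartTLS for ldap:// and TLS for ldaps://; the server
        # certificate must chain to `ca`, or to the system trust store when ca is empty.
        if not ca:
            findings.append((name, f"no ca set for {scheme}:// with insecure: false; "
                                   "a private LDAP CA will fail certificate verification"))
        elif not file_exists(ca):
            findings.append((name, f"ca file {ca} is not present on this master"))
    return findings


if __name__ == "__main__":
    # Treat the CA path as present to show the clean (post-fix) result: no findings.
    print(check_ldap_providers(SAMPLE_PROVIDERS, lambda path: True))
```

Run it on a real master with the default file_exists to confirm both that master-config.yaml references the CA and that the copied file is actually there.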

Comment 13 Victor Hernando 2018-11-07 10:57:21 UTC
Hi,

Do we know when this will be released, which errata or .z release will include that and the estimated date of that release?

Thanks in advance!

Comment 15 errata-xmlrpc 2019-01-10 09:27:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0026