Bug 1670733

Summary: Optional config maps / secrets are not handled correctly in IDP config
Product: OpenShift Container Platform
Reporter: Chuan Yu <chuyu>
Component: apiserver-auth
Assignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA
QA Contact: Chuan Yu <chuyu>
Severity: high
Priority: high
Version: 4.1.0
CC: aos-bugs, mifiedle, nagrawal, slaznick
Target Milestone: ---
Keywords: TestBlocker
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2019-06-04 10:42:28 UTC
Type: Bug

Description Chuan Yu 2019-01-30 09:44:03 UTC
Description of problem:
When configuring the github idp 'ca' field, the field is not handled correctly in the IDP config.

Version-Release number of selected component (if applicable):
oc get clusterversion
NAME      VERSION                             
version   4.0.0-0.nightly-2019-01-29-025207 

How reproducible:

Steps to Reproduce:
1. When configuring the github idp, the 'ca' field is optional, but pod logs display `MountVolume.SetUp failed for volume "v4-0-config-user-idp-1--ca-crt" : configmap "v4-0-config-user-idp-1--ca-crt" not found`, so after editing the oauth resource, the new authentication pod cannot be created successfully. Setting 'ca: {}' still has this problem.

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: htpassidp
    challenge: true
    login: true
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
  - name: github
    challenge: false
    login: true
    mappingMethod: claim
    type: GitHub
    github:
      ca: {}
      clientID: c8ae7fa7fb268595719b
      clientSecret:
        name: my-secret

Actual results:
pod failed to create.

Expected results:
The pod created successfully.

Additional info:
Also tried the Google IDP, the clientSecret still could not mount to the openshift-authentication pod.
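
Added example (not part of the bug report and not the authentication operator's code): the handling the report expects, where a by-name reference with an empty name, which is what `ca: {}` decodes to, produces no volume, while an empty required reference is rejected before any pod is rolled out. The names NameRef, IDP, Mount and RequiredMounts, and the rule for which fields are required per provider type, are assumptions made for illustration.

```go
package main

import "fmt"

// NameRef is a by-name reference such as `ca: {name: ...}`. An empty Name,
// which is what `ca: {}` decodes to, means the field is not set.
type NameRef struct{ Name string }

// IDP keeps only the fields from the report that point at other objects.
type IDP struct {
	Name, Type   string
	CA           NameRef // config map, optional
	ClientSecret NameRef // secret, assumed required for GitHub and Google
	FileData     NameRef // secret, assumed required for HTPasswd
}

// Mount is one object the authentication pod has to mount.
type Mount struct{ Provider, Field, Kind, Object string }

// RequiredMounts emits a mount only for references that carry a name and
// fails early when a required reference is empty.
func RequiredMounts(idps []IDP) ([]Mount, error) {
	var out []Mount
	for _, p := range idps {
		oauthClient := p.Type == "GitHub" || p.Type == "Google"
		for _, r := range []struct {
			field, kind string
			ref         NameRef
			required    bool
		}{
			{"ca", "ConfigMap", p.CA, false},
			{"clientSecret", "Secret", p.ClientSecret, oauthClient},
			{"fileData", "Secret", p.FileData, p.Type == "HTPasswd"},
		} {
			if r.ref.Name != "" {
				out = append(out, Mount{p.Name, r.field, r.kind, r.ref.Name})
			} else if r.required {
				return nil, fmt.Errorf("idp %q: %s.name is required", p.Name, r.field)
			}
		}
	}
	return out, nil
}

func main() { // constructed input mirroring the manifest in the report
	fmt.Println(RequiredMounts([]IDP{
		{Name: "htpassidp", Type: "HTPasswd", FileData: NameRef{"htpass-secret"}},
		{Name: "github", Type: "GitHub", ClientSecret: NameRef{"my-secret"}},
	}))
}
```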

Comment 1 Standa Laznicka 2019-01-30 16:37:30 UTC
Already tracked in https://jira.coreos.com/browse/AUTH-232

Comment 4 Chuan Yu 2019-02-13 03:06:10 UTC
Since the PR has merged, moved to ON_QA to verify.

Comment 5 Chuan Yu 2019-02-13 03:07:41 UTC
The github and google IDPs are working now.
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE     STATUS
version   4.0.0-0.nightly-2019-02-12-005016   True        False         17h       Cluster version is 4.0.0-0.nightly-2019-02-12-005016

Comment 8 errata-xmlrpc 2019-06-04 10:42:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.