Bug 1845441

Summary: Fix flipping of service-account-issuer in kube apiserver operator
Product: OpenShift Container Platform Reporter: Michal Fojtik <mfojtik>
Component: kube-apiserverAssignee: Stefan Schimanski <sttts>
Status: CLOSED ERRATA QA Contact: Ke Wang <kewang>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.5CC: aos-bugs, mfojtik, sttts, xxia
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1845440 Environment:
Last Closed: 2020-07-13 17:43:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1845440    
Bug Blocks:    

Description Michal Fojtik 2020-06-09 09:07:25 UTC 
+++ This bug was initially created as a clone of Bug #1845440 +++

Description of problem:

Jun 04 22:41:42.095 I ns/openshift-kube-apiserver-operator deployment/kube-apiserver-operator reason/ObservedConfigChanged Writing updated observed config:   map[string]interface{}{\n  	"admission": map[string]interface{}{"pluginConfig": map[string]interface{}{"network.openshift.io/ExternalIPRanger": map[string]interface{}{"configuration": map[string]interface{}{"allowIngressIP": bool(false), "apiVersion": string("network.openshift.io/v1"), "kind": string("ExternalIPRangerAdmissionConfig")}}, "network.openshift.io/RestrictedEndpointsAdmission": map[string]interface{}{"configuration": map[string]interface{}{"apiVersion": string("network.openshift.io/v1"), "kind": string("RestrictedEndpointsAdmissionConfig"), "restrictedCIDRs": []interface{}{string("10.128.0.0/14"), string("172.30.0.0/16")}}}}},\n  	"apiServerArguments": map[string]interface{}{\n  		"cloud-provider":         []interface{}{string("aws")},\n  		"feature-gates":          []interface{}{string("APIPriorityAndFairness=true"), string("RotateKubeletServerCertificate=true"), string("SupportPodPidsLimit=true"), string("NodeDisruptionExclusion=true"), string("ServiceNodeExclusion=true"), string("SCTPSupport=true"), string("LegacyNodeRoleBehavior=false")},\n- 		"service-account-issuer": []interface{}{string("https://ci-op-dgz95p2d-067ff-pxnzv-oidc.s3.amazonaws.com")},\n+ 		"service-account-issuer": []string{"https://ci-op-dgz95p2d-067ff-pxnzv-oidc.s3.amazonaws.com"},\n  	},\n  	"authConfig":         map[string]interface{}{"oauthMetadataFile": string("/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata")},\n  	"corsAllowedOrigins": []interface{}{string(`//127\.0\.0\.1(:|$)`), string("//localhost(:|$)")},\n  	... // 4 identical entries\n  }\n (785 times)

The issue is the service-account-issuer is flipping because of unstructured issuer slice type:

- "service-account-issuer": []interface{}{string("https://ci-op-dgz95p2d-067ff-pxnzv-oidc.s3.amazonaws.com")},
+ "service-account-issuer": []string{"https://ci-op-dgz95p2d-067ff-pxnzv-oidc.s3.amazonaws.com"}

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 3 Ke Wang 2020-06-11 05:43:18 UTC 
Did a searching: https://search.apps.build01.ci.devcluster.openshift.com/?search=%22service-account-issuer%22%3A+%5C%5B%5C%5Dstring&maxAge=48h&context=1&type=bug%2Bjunit&name=&maxMatches=5&maxBytes=20971520&groupBy=job

Still found one error in this job https://prow.svc.ci.openshift.org/job-history/origin-ci-test/logs/release-openshift-origin-installer-e2e-aws-upgrade-rollback-4.5-to-4.6, this job did a rollback from 4.6 to 4.5.0-rc.1, the bug's PR https://github.com/openshift/cluster-kube-apiserver-operator/pull/882 was merged on June 9, but 4.5.0-rc.1 was created from registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-06-05-163714, 
so the fix is not in this release, the error occurred as expected.

Checking the latest OCP 4.5 release, 
$ oc adm release info registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-06-10-201008 --commits | grep -i kube-apiserver
  cluster-kube-apiserver-operator                https://github.com/openshift/cluster-kube-apiserver-operator                997124bee1fd55a95fd71aadbfc52add0aef0a04
 
$ git log --date local --pretty="%h %an %cd - %s" 997124b | grep '#882'
1af29fb3 OpenShift Merge Robot Tue Jun 9 18:55:35 2020 - Merge pull request #882 from openshift-cherrypick-robot/cherry-pick-880-to-release-4.5

We can see the PR is already in, move the bug verified.
Comment 4 errata-xmlrpc 2020-07-13 17:43:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409