Bug 1906880

Summary: oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens during install
Product: OpenShift Container Platform Reporter: Seth Jennings <sjenning>
Component: Cloud Credential OperatorAssignee: Seth Jennings <sjenning>
Status: CLOSED ERRATA QA Contact: wang lin <lwan>
Severity: high Docs Contact:
Priority: high    
Version: 4.7CC: lwan
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
When installing on AWS in 4.6, the cloud-credential-operator automatically created an OpenID discovery endpoint that could be used to externally authenticate service account tokens obtained with the TokenRequest API. This proved to be problematic as it involved changing the serviceAccountIssuer on the kube-apiserver, which invalidated any previously minted tokens. This functionality has been removed in 4.7. Creation and configuration of the OpenID discovery endpoint and serviceAccountIssuer must be done by the cluster admin at cluster installation time. The serviceAccountIssuer may not be changed after installation begins.
 Story Points: ---
Clone Of:
: 1907613 (view as bug list) Environment:
Last Closed: 2021-02-24 15:42:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1907613, 1911812    

Description Seth Jennings 2020-12-11 16:18:20 UTC 
Description of problem:

oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens during install by setting the serviceIssuerURL on the Authentication cluster CR.

This was thought to be safe when we did it in 4.6, but it turns out it is not and changing this value requires a full cluster restart, which there is not mechanism for today.

We should remove this controller and leave configuration of the endpoint as a pre-install exercise for the user.
Comment 2 wang lin 2020-12-15 09:44:30 UTC 
Verified on payload: 4.7.0-0.nightly-2020-12-14-165231

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2020-12-14-165231   True        False         6h25m   Cluster version is 4.7.0-0.nightly-2020-12-14-165231

1. controller oidcdiscoveryendpoint has been removed.
[lwan@lwan Downloads]$ oc logs cloud-credential-operator-65cd57bfff-lqp8f -c cloud-credential-operator | grep controller=o
[lwan@lwan Downloads]$ 
2. there is no serviceAccountIssuer field in authentication CR
$ oc get authentication cluster -o json | jq -r ".spec"
{}
3.there is no related OpenID discovery documents push to s3 bucket.
Comment 5 errata-xmlrpc 2021-02-24 15:42:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633