Bug 1907613

Summary: oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens during install
Product: OpenShift Container Platform Reporter: Seth Jennings <sjenning>
Component: Cloud Credential OperatorAssignee: Seth Jennings <sjenning>
Status: CLOSED ERRATA QA Contact: wang lin <lwan>
Severity: high Docs Contact:
Priority: high    
Version: 4.7CC: jdiaz, lwan
Target Milestone: ---Keywords: UpcomingSprint
Target Release: 4.6.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
When installing on AWS, the cloud-credential-operator automatically created an OpenID discovery endpoint that could be used to externally authenticate service account tokens obtained with the TokenRequest API. This proved to be problematic as it involved changing the serviceAccountIssuer on the kube-apiserver, which invalidated any previously minted tokens. This functionality has been removed as a result. Creation and configuration of the OpenID discovery endpoint and serviceAccountIssuer must be done by the cluster admin at cluster installation time. The serviceAccountIssuer may not be changed after installation begins.
 Story Points: ---
Clone Of: 1906880
: 1911812 (view as bug list) Environment:
Last Closed: 2021-02-01 15:24:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1906880    
Bug Blocks: 1911812    

Comment 1 Seth Jennings 2020-12-14 20:22:27 UTC 
pick PR
https://github.com/openshift/cloud-credential-operator/pull/277
Comment 3 wang lin 2021-01-25 03:53:44 UTC 
Verified on 4.6.0-0.nightly-2021-01-22-123731

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-01-22-123731   True        False         104m    Cluster version is 4.6.0-0.nightly-2021-01-22-123731


1. controller oidcdiscoveryendpoint has been removed.
[lwan@lwan Downloads]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-01-22-123731   True        False         104m    Cluster version is 4.6.0-0.nightly-2021-01-22-123731
[lwan@lwan Downloads]$ oc get deployment/cloud-credential-operator -n openshift-cloud-credential-operator | grep controller=o

2. there is no serviceAccountIssuer field in authentication CR
$ oc get authentication cluster -o json | jq -r ".spec"
{}

3.there is no related OpenID discovery documents push to s3 bucket.

4.manifest CredentialsRequest cloud-credential-operator-s3 is removed.
$ oc -n openshift-cloud-credential-operator get CredentialsRequest -o json | jq -r '.items[] | select (.spec[].kind=="AWSProviderSpec") | .spec.secretRef'
{
  "name": "ebs-cloud-credentials",
  "namespace": "openshift-cluster-csi-drivers"
}
{
  "name": "cloud-credential-operator-iam-ro-creds",
  "namespace": "openshift-cloud-credential-operator"
}
{
  "name": "installer-cloud-credentials",
  "namespace": "openshift-image-registry"
}
{
  "name": "cloud-credentials",
  "namespace": "openshift-ingress-operator"
}
{
  "name": "aws-cloud-credentials",
  "namespace": "openshift-machine-api"
}
$ oc get credentialsrequest -n openshift-cloud-credential-operator cloud-credential-operator-s3 
Error from server (NotFound): credentialsrequests.cloudcredential.openshift.io "cloud-credential-operator-s3" not found
Comment 6 errata-xmlrpc 2021-02-01 15:24:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.15 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0235