Bug 1959149
| Summary: | Creating a new custom ingress-controller triggers an oauth-apiserver rollout | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Clayton Coleman <ccoleman> |
| Component: | apiserver-auth | Assignee: | Standa Laznicka <slaznick> |
| Status: | CLOSED DUPLICATE | QA Contact: | pmali |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.8 | CC: | aos-bugs, mfojtik |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-11 07:32:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Clayton Coleman
2021-05-10 19:17:45 UTC
Note my naive expectation was non-default ingress controllers didn't automatically cause oauth to roll out because oauth should only care about router certs for the router its route is exposed on (which technically is part of the inferred logic from route status). However, if *every* ingress controller automatically exposes oauth, that could be bad for other reasons, and our testing needs a way to keep those from selecting those routes / disable that logic / bypass rollout. We shouldn't remove the flexibility to expose oauth on a different ingress controller, but we need to be more cautious about the impact of extra controllers on core oauth infra.

The fix in library-go resource syncer has finally been merged; this is being fixed as a part of https://bugzilla.redhat.com/show_bug.cgi?id=1950379

*** This bug has been marked as a duplicate of bug 1950379 ***