Bug 1989055
| Summary: | logins to the web console fail when custom certificate is in use for the OpenShift oauth-server | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Standa Laznicka <slaznick> |
| Component: | Management Console | Assignee: | Jakub Hadvig <jhadvig> |
| Status: | CLOSED ERRATA | QA Contact: | Yadan Pei <yapei> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.9 | CC: | aos-bugs, bparees, jokerman, kdoberst, liyao, mfojtik, nmukherj, slaskawi, snalawad, spadgett, surbania, xxia, yapei |
| Target Milestone: | --- | | |
| Target Release: | 4.9.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-18 17:43:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
*** Bug 1991603 has been marked as a duplicate of this bug. ***

*** Bug 1991346 has been marked as a duplicate of this bug. ***

Fix open, however blocked by test flakes. Investigating.

Hi @yapei! Thanks for testing this. The console route health condition you are seeing is expected when using a self-signed certificate that OCP is not aware of (hence the "x509: certificate signed by unknown authority" error). The console will continue to function as expected even with these failed checks. The condition is calling out a potential problem with the certificate configuration and that the console-operator may face issues. If we remove these checks, it will not be clear that a self-signed certificate is being used. Let me know if you have any additional questions!

Li Yao, could you double test / check (maybe with Dev)? Should it be normal to see any (here, 'console') operator with Available=False no matter what reason? Sounds very strange. Thx

> The console route health condition you are seeing is expected when using a self signed certificate that OCP is not aware of (hence the "x509: certificate signed by unknown authority" error)

That's wrong, the status of a healthy operator with a healthy deployment can never be False;False;False. Besides, the configuration Yadan Pei changed only involves the certificate of the oauth-server; the route check for the console should still be passing.

Devs must investigate, this looks like a bug in the console-operator.

With the new fixes in console-operator#582, the console operator now reports the correct Available status when customized certs are used for the oauth route; console-operator no longer reports the "x509: certificate signed by unknown authority" error.

All steps are the same as in comment 7.

```
$ oc get co | grep -e authentication -e console
authentication   4.9.0-0.nightly-2021-09-05-192114   True   False   False   112m
console          4.9.0-0.nightly-2021-09-05-192114   True   False   False   117m
```

Moving to VERIFIED

*** Bug 2003718 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Description of problem:

Starting 4.9, it is possible to configure the OpenShift oauth-server to use a user-custom certificate. During user login, the web console needs to communicate directly with the oauth-server in order to be able to retrieve an access token for the user.

Version-Release number of selected component (if applicable): 4.9

How reproducible: 100%

Steps to Reproduce:

1. Create a wildcard certificate, or one specific to the oauth-server's hostname, and store it in a secret.
2. Configure the ingress.config such that it contains this custom route setting:

   ```yaml
   componentRoutes:
   - hostname: <the original oauth-server's hostname>
     name: oauth-openshift
     namespace: openshift-authentication
     servingCertKeyPairSecret:
       name: <custom-oauth-cert>
   ```

3. Wait for the authentication operator to pick up the changes and start all the oauth-servers with the new certificate.
4. Attempt to log in to OpenShift with an IdP of your choice.

Actual results: The login fails.

Expected results: I'm able to log in to OpenShift and use the web console.

Additional info: The authentication operator now publishes the cert chain used in the oauth-server in the openshift-config-managed/oauth-serving-cert config map. The console should trust the certificate in its .data["ca-bundle.crt"] field.
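As an added illustration of the fix called for under "Additional info" (this is not code from the console or console-operator projects), the Go snippet below loads a PEM bundle like the one published under `.data["ca-bundle.crt"]` into a client's trust roots, and shows that the same request to a server presenting a certificate outside the system roots fails with an x509 error when the bundle is not loaded. A local TLS server with a self-signed certificate stands in for the oauth-server; `ClientTrustingBundle` and `LoginProbe` are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"net/http"
	"net/http/httptest"
)

// ClientTrustingBundle returns an HTTP client whose TLS roots are the
// certificates in a PEM bundle, i.e. what the console should load from the
// openshift-config-managed/oauth-serving-cert config map, key "ca-bundle.crt".
// Hypothetical helper, not the console's own code.
func ClientTrustingBundle(bundle []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("ca-bundle.crt holds no parseable certificate")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	return &http.Client{Transport: tr}, nil
}

// LoginProbe starts a TLS server with a self-signed certificate (standing in
// for the custom oauth-server serving cert) and returns the error text, empty
// on success, seen by a client that trusts the published bundle and by a
// client that relies on system roots only, which is the failing console login.
func LoginProbe() (withBundle, systemRootsOnly string) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK) // stands in for the oauth-server token endpoint
	}))
	defer srv.Close()
	// Constructed bundle: the server's own certificate, PEM-encoded as it
	// would appear under .data["ca-bundle.crt"].
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	probe := func(c *http.Client) string {
		resp, err := c.Get(srv.URL + "/oauth/token")
		if err != nil {
			return err.Error()
		}
		resp.Body.Close()
		return ""
	}
	trusted, _ := ClientTrustingBundle(bundle)
	return probe(trusted), probe(&http.Client{})
}
```

The second value returned by `LoginProbe` is the same class of error the console hit in this bug; the first is empty because the bundle was loaded into the trust pool.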