Bug 1997906
| Summary: | htpasswd provider for auth is not working as expected and give 401 error when user try to login | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | OpenShift BugZilla Robot <openshift-bugzilla-robot> |
| Component: | apiserver-auth | Assignee: | Standa Laznicka <slaznick> |
| Status: | CLOSED ERRATA | QA Contact: | liyao |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.8 | CC: | aos-bugs, cfergeau, gbuchana, mfojtik, surbania, xxia |
| Target Milestone: | --- | Keywords: | NeedsTestCase |
| Target Release: | 4.8.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-27 08:15:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1978193 | ||
| Bug Blocks: | |||
|
Comment 2
Standa Laznicka
2021-10-05 07:36:07 UTC
Raising priority since this seems to be causing trouble in a CI/CD pipepline as noted in https://bugzilla.redhat.com/show_bug.cgi?id=2010502 Any news on this issue? It appears we may have a customer hitting this issue (I can provide details if you'd like)! Follow the steps in Comment 0 and use 4.8.0-0.nightly-2021-10-18-115810 to do the verification 1. delete secret openshift-authenticator-certs $ oc delete secret -n openshift-oauth-apiserver openshift-authenticator-certs secret "openshift-authenticator-certs" deleted 2. check whether new created csr is using generateName with random suffix rather than previous fixed name 'system:openshift:openshift-authenticator' $ oc get csr NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION ... system:openshift:openshift-authenticator-s8mgr 8s kubernetes.io/kube-apiserver-client system:serviceaccount:openshift-authentication-operator:authentication-operator Approved,Issued 3. check labels 'authentication.openshift.io/csr: openshift-authenticator' is added to the new csr $ oc get csr system:openshift:openshift-authenticator-s8mgr -o yaml | grep -A5 -B5 'labels' apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: creationTimestamp: "2021-10-19T08:49:21Z" generateName: system:openshift:openshift-authenticator- labels: authentication.openshift.io/csr: openshift-authenticator name: system:openshift:openshift-authenticator-s8mgr resourceVersion: "39133" uid: 619c5a1f-b389-4fba-bad6-e81ce19f6f2a spec: 4. delete secret openshift-authenticator-certs again $ oc delete secret -n openshift-oauth-apiserver openshift-authenticator-certs secret "openshift-authenticator-certs" deleted 5. check whether new created csr is using different random suffix from the previous one $ oc get csr NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION ... system:openshift:openshift-authenticator-s8mgr 2m21s kubernetes.io/kube-apiserver-client system:serviceaccount:openshift-authentication-operator:authentication-operator Approved,Issued system:openshift:openshift-authenticator-sm9kq 14s kubernetes.io/kube-apiserver-client system:serviceaccount:openshift-authentication-operator:authentication-operator Approved,Issued 6. check whether there are errors in authentication-operator pod logs, no error like in Comment 0 appears, which is expected with the fix $ oc logs <pod-name> -n openshift-authentication-operator Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.8.17 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3927 |