Bug 2064392

Summary: multicloud oauth-proxy failed to log users in on web
Product: Red Hat Advanced Cluster Management for Kubernetes
Reporter: Thuy Nguyen <thnguyen>
Component: Installer
Assignee: Jakob <jagray>
Status: CLOSED ERRATA
QA Contact: txue
Severity: high
Docs Contact: Christopher Dawson <cdawson>
Priority: unspecified
Version: rhacm-2.5
CC: dho, dhuynh, huichen
Target Milestone: ---
Flags: bot-tracker-sync: rhacm-2.5+
Target Release: rhacm-2.5
Hardware: x86_64
OS: Unspecified
Last Closed: 2022-06-09 02:09:30 UTC Type: Bug
Attachments:
Description Flags
Error page none

Description Thuy Nguyen 2022-03-15 18:06:33 UTC
Created attachment 1866077
Error page

Description of problem: multicloud oauth-proxy failed to log users in on web


Version-Release number of selected component (if applicable):
- ACM 2.5.0-DOWNSTREAM-2022-03-14-13-03-46 (S4) 
- OCP 4.8.33

How reproducible:


Steps to Reproduce:
1. Replace the OpenShift default ingress cert with a self-signed custom cert
2. Install ACM/MCH/MCE
3. Log admin user into multicloud console

Actual results:
Error page gets displayed

Expected results:


Additional info:

ingress oauth-proxy log:
2022/03/14 22:30:02 provider.go:351: Delegation of authentication and authorization to OpenShift is enabled for bearer tokens and client certificates.
2022/03/14 22:30:02 oauthproxy.go:203: mapping path "/" => upstream "https://management-ingress.ocm.svc:8443/"
2022/03/14 22:30:02 oauthproxy.go:230: OAuthProxy configured for  Client ID: multicloudingress
2022/03/14 22:30:02 oauthproxy.go:240: Cookie settings: name:_oauth_proxy secure(https):true httponly:true expiry:12h0m0s domain:<default> samesite: refresh:after 8h0m0s
2022/03/14 22:30:02 oauthproxy.go:252: WARN: Configured to pass client specified bearer token upstream.
      Only use this option if you're sure that the upstream will not leak or abuse the given token.
      Bear in mind that the token could be a long lived token or hard to revoke.
2022/03/14 22:30:02 http.go:61: HTTP: listening on 127.0.0.1:4180
2022/03/14 22:30:02 http.go:107: HTTPS: listening on [::]:9443
I0314 22:30:02.498775       1 dynamic_serving_content.go:130] Starting serving::/etc/tls/private/tls.crt::/etc/tls/private/tls.key
2022/03/15 17:53:26 oauthproxy.go:445: ErrorPage 500 Internal Error configmap "oauth-serving-cert" not found
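
A triage sketch for the log in the description, added here as an example and not part of the bug report or of oauth-proxy: it parses both line formats seen above (Go standard logger and klog), folds indented continuation lines into the preceding record, and reports 5xx ErrorPage entries and WARN lines. The function names are this example's own, and the sample text is a subset of the lines quoted above.

```python
import re

# Sample input: a subset of the log lines quoted in the description above.
SAMPLE = """\
2022/03/14 22:30:02 oauthproxy.go:252: WARN: Configured to pass client specified bearer token upstream.
      Only use this option if you're sure that the upstream will not leak or abuse the given token.
I0314 22:30:02.498775       1 dynamic_serving_content.go:130] Starting serving::/etc/tls/private/tls.crt::/etc/tls/private/tls.key
2022/03/15 17:53:26 oauthproxy.go:445: ErrorPage 500 Internal Error configmap "oauth-serving-cert" not found
"""

# Go standard logger: "YYYY/MM/DD HH:MM:SS file.go:LINE: message"
STD = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+\.go):(\d+): (.*)$")
# klog: "I0314 22:30:02.498775       1 file.go:130] message" (no year in the timestamp)
KLOG = re.compile(r"^[IWEF](\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+\d+ (\S+\.go):(\d+)\] (.*)$")
# The text after the status code is kept whole: where the page title ends
# and the error detail begins cannot be told from the line alone.
ERROR_PAGE = re.compile(r"^ErrorPage (\d{3}) (.*)$")


def parse(text):
    """Return one record per log entry; indented lines extend the previous entry."""
    records = []
    for line in text.splitlines():
        m = STD.match(line) or KLOG.match(line)
        if m:
            ts, src, lineno, msg = m.groups()
            records.append({"ts": ts, "src": src, "line": int(lineno), "msg": msg})
        elif records and line.strip():
            records[-1]["msg"] += " " + line.strip()
    return records


def findings(records):
    """Return (kind, timestamp, status, detail) for 5xx error pages and warnings."""
    out = []
    for r in records:
        e = ERROR_PAGE.match(r["msg"])
        if e and e.group(1).startswith("5"):
            out.append(("error_page", r["ts"], int(e.group(1)), e.group(2)))
        elif r["msg"].startswith("WARN:"):
            out.append(("warning", r["ts"], None, r["msg"][len("WARN:"):].strip()))
    return out


if __name__ == "__main__":
    for item in findings(parse(SAMPLE)):
        print(item)
```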

Comment 1 Kevin Cormier 2022-03-15 18:15:09 UTC
We have reported this to OpenShift here: https://bugzilla.redhat.com/show_bug.cgi?id=2062347

Comment 6 errata-xmlrpc 2022-06-09 02:09:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4956
