Created attachment 1362863 [details]
master-config from cluster

Description of problem:
Having set up OCP 3.7, SSO utilizes the hostname of the master instead of masterPublicURL. If an external load balancer is pointed at my masterPublicURL, SSO does not work.

Version-Release number of selected component (if applicable):
OCP 3.7 latest as of this writing.

How reproducible:
100%

Steps to Reproduce:
1. Install OCP 3.7 single master, set masterPublicURL to an external load balancer which forwards traffic to the master.
2. Go to Kibana or something else which uses SSO. Log in, and see how you get redirected to your master's hostname and not masterPublicURL. If you change the hostname to the correct one, things work.

Actual results:
Redirect for SSO goes to your master's hostname and not masterPublicURL.

Expected results:
Redirect for SSO to masterPublicURL

Additional info:
Does it work if you start the master passing the public URL with the --public-master flag?
Is there a localized reproducer for this, i.e. demonstrable in some way with 'oc cluster up'? I tried passing --public-hostname='localmaster' to 'oc cluster up' with 'localmaster' being an extra /etc/hosts entry. Then I tried a jenkins login, which redirected me to the 'localmaster' address. Do you see any difference with a Jenkins login vs. Kibana?
Hey guys, I don't have a localized reproducer I'm afraid. I'll check regarding Jenkins tomorrow. If we can sync this somehow, I can install a cluster and provide you with SSH/root/cluster-admin access. Only issue is that I can't really keep the cluster up more than 2 days (due to cost). Would that work? I just need your public SSH keys to set it up. E-mail me if it works for you and let me know when you need the cluster up.
Should this be a real issue, it would be very troublesome, as it would mean that SSO wouldn't work properly for people with a load balancer in front of their masters (including all HA and most cloud installs).
Hi Magnus, were you able to note any difference with Jenkins? I sent an email about syncing up with your reproducer but had not heard back. In the meanwhile I have a few questions about the setup that may give us more clues. In your cluster does Kibana use oauth-proxy? If so, oauth-proxy checks the master at /.well-known/oauth-authorization-server in order to discover the oauth endpoints. I checked the behavior of setting masterPublicURL and it propagated to this discovery information like I would expect. If you check your master for /.well-known/oauth-authorization-server when it's not working do you see the wrong URL? Do you have the config for the Kibana deployment that we can look at (to verify oauth-proxy container arguments if any)?
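The check suggested in the comment above, as an added example that is not part of this bug thread or of OpenShift itself: it parses the discovery document the master serves at /.well-known/oauth-authorization-server and reports every endpoint whose scheme and host:port differ from the configured masterPublicURL. The sample document and all hostnames are constructed for the example; the `issuer`, `authorization_endpoint` and `token_endpoint` keys are the ones the real document carries.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample of the discovery document; hostnames are made up.
# It mimics the failure in this bug: endpoints carry the master's own
# hostname rather than the public URL.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://master1.internal.example.com:8443",
    "authorization_endpoint": "https://master1.internal.example.com:8443/oauth/authorize",
    "token_endpoint": "https://master1.internal.example.com:8443/oauth/token",
    "scopes_supported": ["user:full", "user:info"],
    "response_types_supported": ["code", "token"],
    "grant_types_supported": ["authorization_code", "implicit"],
})

# Endpoints a client (e.g. oauth-proxy) follows; each must use the public URL.
ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint")


def find_mismatches(discovery_json, master_public_url):
    """Return {key: value} for every endpoint whose scheme/host/port does not
    match masterPublicURL. An empty dict means the public URL propagated."""
    expected = urlparse(master_public_url)
    doc = json.loads(discovery_json)
    bad = {}
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if value is None:
            bad[key] = None  # a missing endpoint is also a finding
            continue
        got = urlparse(value)
        if (got.scheme, got.netloc) != (expected.scheme, expected.netloc):
            bad[key] = value
    return bad


def fetch_discovery(master_public_url, cafile=None):
    """Fetch the live document through the same URL a client would use.
    Pass cafile=<cluster CA bundle>; otherwise the system trust store is used."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = master_public_url.rstrip("/") + "/.well-known/oauth-authorization-server"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    public = "https://openshift.example.com:8443"  # constructed masterPublicURL
    for key, value in find_mismatches(SAMPLE_DISCOVERY, public).items():
        print(f"{key}: {value!r} does not use {public}")
```

Replace `SAMPLE_DISCOVERY` with `fetch_discovery(public, cafile=...)` to run it against a real master; any reported key is where an SSO redirect will land on the wrong hostname.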
Closing this for now. Please reopen if you run into the issue again or can provide some additional info.
Sorry for the delay. No, actually, Jenkins is OK. It's just Kibana which redirects in a faulty manner. That is weird. I've e-mailed login credentials to the cluster.
I have identified something wrong with fluentd (pod failures). Not sure what it is at this point, but that means it's not auth related. I'm closing this bug.