Bug 1632982 - Advanced Installer failed when specifying openshift_master_identity_providers for OpenID (AAD)
Summary: Advanced Installer failed when specifying openshift_master_identity_providers...
Keywords:
Status: CLOSED DUPLICATE of bug 1627764
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Target Release: 3.10.z
Assignee: Scott Dodson
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-26 02:06 UTC by Takayoshi Tanaka
Modified: 2018-11-29 20:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-29 20:26:38 UTC
Target Upstream Version:
Embargoed:



Description Takayoshi Tanaka 2018-09-26 02:06:15 UTC
Description of problem:

Version-Release number of the following components:
# rpm -q openshift-ansible
openshift-ansible-3.10.47-1.git.0.95bc2d2.el7_5.noarch

# rpm -q ansible
ansible-2.4.6.0-1.el7ae.noarch

# ansible --version

ansible 2.4.6.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, May 31 2018, 09:41:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]


How reproducible:
Always

Steps to Reproduce:
1. Specify the openshift_master_identity_providers to configure OpenID configuration with AAD.

openshift_master_identity_providers=[{'name': 'aad', 'login': 'true', 'mappingMethod': 'claim', 'kind': 'OpenIDIdentityProvider', 'clientID': 'XXX', 'clientSecret': 'YYY', "claims": {"id": ["sub"], "preferredUsername": ["upn", "unique_name"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://login.microsoftonline.com/ZZZ/oauth2/authorize", "token": "https://login.microsoftonline.com/ZZZ/oauth2/token"}}]

2. Installer waited for a long time (over 6 hours) to wait for control plane pods to appear.

Actual results:
TASK [openshift_control_plane : Wait for control plane pods to appear]

Expected results:
Successfully installed.

Additional info:
Attached in private.

//Set Severity low because it's not found in a customer case.

Comment 2 Johnny Liu 2018-09-26 02:52:49 UTC
Should be duplicated with BZ#1627764.

Comment 3 Takayoshi Tanaka 2018-09-26 05:45:28 UTC
After checking BZ#1627764, the upstream fix only changed the LDAP Auth configuration. It doesn't make a change to the OAuth configuration.

LDAP:
https://github.com/openshift/openshift-ansible/blame/e70f4e7019124e5d7a3a3b138cc1d26db08e924c/roles/lib_utils/filter_plugins/openshift_master.py#L162


OAUTH:
https://github.com/openshift/openshift-ansible/blame/e70f4e7019124e5d7a3a3b138cc1d26db08e924c/roles/lib_utils/filter_plugins/openshift_master.py#L366

After reviewing the repository, '/etc/origin/master/{}_openid_ca.crt'.format(idp['name']) is created only when ``openshift_master_openid_ca_file`` is defined.

openshift_master_openid_ca_file:
https://docs.openshift.com/container-platform/3.10/install_config/configuring_authentication.html

openid_ca is enabled when openshift_master_openid_ca_file is defined.
https://github.com/openshift/openshift-ansible/blob/openshift-ansible-3.10.45-1/roles/openshift_master_facts/tasks/main.yml#L45


Only when openid_ca is enabled, the file is copied.
https://github.com/openshift/openshift-ansible/blob/openshift-ansible-3.10.45-1/roles/openshift_control_plane/tasks/main.yml#L74

However, the file is always referenced, even if openid_ca is not enabled.
https://github.com/openshift/openshift-ansible/blob/openshift-ansible-3.10.45-1/roles/lib_utils/filter_plugins/openshift_master.py#L365

This change has been merged in 3.10.42.

I wonder whether this statement should be executed only under the following condition:
> if not self._idp['openid_ca']:

Comment 4 Takayoshi Tanaka 2018-09-26 05:56:20 UTC
NOT > if not self._idp['openid_ca']:
BUT > if self._idp['openid_ca']:
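
The condition discussed in comments 3 and 4, modelled in Python as an added example that is not openshift-ansible's own code: the buggy renderer always references the CA path, the corrected one emits `ca` only when `openid_ca` is defined (mirroring the copy task), and a helper reports references to files the host does not have. The function names and the `openid_ca` key on the IdP dict are assumptions.

```python
# Added example, not openshift-ansible's own code: a minimal model of the
# OpenID identity-provider rendering discussed in comments 3 and 4. The
# 'openid_ca' key stands in for the fact set when openshift_master_openid_ca_file
# is defined; the function names here are hypothetical.

CA_PATH_TEMPLATE = '/etc/origin/master/{}_openid_ca.crt'


def _base_provider(idp):
    """Fields every rendered OpenIDIdentityProvider carries."""
    return {
        'apiVersion': 'v1',
        'kind': 'OpenIDIdentityProvider',
        'clientID': idp['clientID'],
        'clientSecret': idp['clientSecret'],
        'claims': idp['claims'],
        'urls': idp['urls'],
    }


def render_openid_buggy(idp):
    """3.10.42 behaviour: 'ca' is emitted even when no CA file was copied."""
    provider = _base_provider(idp)
    provider['ca'] = CA_PATH_TEMPLATE.format(idp['name'])
    return provider


def render_openid_fixed(idp):
    """Emit 'ca' only when openid_ca is set, mirroring the copy task's condition."""
    provider = _base_provider(idp)
    if idp.get('openid_ca'):
        provider['ca'] = CA_PATH_TEMPLATE.format(idp['name'])
    return provider


def missing_referenced_files(provider, present_files):
    """Paths the provider references that are absent from present_files (a constructed set, nothing is read from disk)."""
    ca = provider.get('ca')
    return [ca] if ca and ca not in present_files else []


# Constructed sample, modelled on the inventory entry in the report
SAMPLE_IDP = {
    'name': 'aad', 'login': 'true', 'mappingMethod': 'claim',
    'kind': 'OpenIDIdentityProvider', 'clientID': 'XXX', 'clientSecret': 'YYY',
    'claims': {'id': ['sub'], 'preferredUsername': ['upn', 'unique_name'],
               'name': ['name'], 'email': ['email']},
    'urls': {'authorize': 'https://login.microsoftonline.com/ZZZ/oauth2/authorize',
             'token': 'https://login.microsoftonline.com/ZZZ/oauth2/token'},
}
```

With the sample inventory entry and no CA file on the host, the buggy renderer produces a master-config reference to a missing file while the fixed one produces none.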

Comment 5 Johnny Liu 2018-09-26 07:59:14 UTC
Yeah, just what is said in https://bugzilla.redhat.com/show_bug.cgi?id=1627764#c2, these issues were introduced by the same PR - https://github.com/openshift/openshift-ansible/pull/9731/

Keep this bug for tracking openid auth issue.

Comment 6 Steven Walter 2018-09-27 21:37:21 UTC
Customer encountered this previously. They were able to get the install to continue by removing the line referring to the CA in master-config.yaml as a workaround.

Comment 9 Leo 2018-11-01 09:53:00 UTC
As a workaround, you can specify the system CA bundle:

openshift_master_openid_ca_file: /etc/ssl/certs/ca-bundle.crt

Comment 10 Vadim Rutkovsky 2018-11-29 20:26:38 UTC
(In reply to Takayoshi Tanaka from comment #3)
> After checking BZ#1627764, the upstream fix only changed the LDAP Auth
> configuration. It doesn't make a change to the OAuth configuration.

BZ#1627764 also applies to OpenID auth.

See https://bugzilla.redhat.com/show_bug.cgi?id=1633137 - documentation bug which describes the new behaviour:

either the admin creates /etc/origin/master/aad_openid_ca.crt on the hosts
or local file specified in `openshift_master_openid_ca_file` var
or CA file contents specified in `openshift_master_openid_ca`

*** This bug has been marked as a duplicate of bug 1627764 ***

