Bug 1639589 - OpenShift 3.10 Missing CA for LDAP Config during upgrade
Summary: OpenShift 3.10 Missing CA for LDAP Config during upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.10.0
Hardware: All
OS: Linux
high
high
Target Milestone: ---
: 3.10.z
Assignee: Vadim Rutkovsky
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On: 1614414
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-16 07:19 UTC by Jaspreet Kaur
Modified: 2019-01-10 09:27 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: master config for LDAP identity provider was not updated during 3.9 -> 3.10 upgrade Consequence: LDAP authentication was broken after update to 3.10 Fix: CA file is copied on masters and configuration is amended to use it Result: LDAP authentication works after cluster upgrade
Clone Of: 1614414
Environment:
Last Closed: 2019-01-10 09:27:10 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0026 None None None 2019-01-10 09:27:16 UTC

Comment 10 Vadim Rutkovsky 2018-10-17 18:25:54 UTC
Created https://github.com/openshift/openshift-ansible/pull/10432

Comment 11 Vadim Rutkovsky 2018-10-26 09:09:41 UTC
Fix is available in openshift-ansible-3.10.63-1

Comment 12 Gaoyun Pei 2018-10-29 08:07:18 UTC
Verified with openshift-ansible-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm

With the following two parameters defined in ansible inventory file, upgrade an ocp-3.9 cluster to 3.10.

openshift_master_identity_providers=[{'name': 'LDAP_auth', 'login': 'true', 'challenge': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['uid'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'url': 'ldap://test.com:389/ou=People,dc=my-domain,dc=com?uid'}]
openshift_master_ldap_ca_file=/extra-ansible/files/ldap.ca.crt

During upgrade, the specified ldap ca file would be copied to master as /etc/origin/master/LDAP_auth_ldap_ca.crt, oauthConfig.identityProviders of master-config.yaml also got updated correspondingly. 


  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: LDAP_auth
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - uid
        preferredUsername:
        - uid
      bindDN: ''
      bindPassword: ''
      ca: /etc/origin/master/LDAP_auth_ldap_ca.crt
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldap://test.com:389/ou=People,dc=my-domain,dc=com?uid

Comment 13 Victor Hernando 2018-11-07 10:57:21 UTC
Hi,

Do we know when this will be released, which errata or .z release will include that and the estimated date of that release?

Thanks in advance!

Comment 15 errata-xmlrpc 2019-01-10 09:27:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0026


Note You need to log in before you can comment on or make changes to this bug.