Bug 1639589 - OpenShift 3.10 Missing CA for LDAP Config during upgrade
Summary: OpenShift 3.10 Missing CA for LDAP Config during upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.10.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.10.z
Assignee: Vadim Rutkovsky
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On: 1614414
Blocks:
Reported: 2018-10-16 07:19 UTC by Jaspreet Kaur
Modified: 2019-01-10 09:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: the master config for the LDAP identity provider was not updated during the 3.9 -> 3.10 upgrade.
Consequence: LDAP authentication was broken after the update to 3.10.
Fix: the CA file is copied to the masters and the configuration is amended to use it.
Result: LDAP authentication works after the cluster upgrade.
Clone Of: 1614414
Environment:
Last Closed: 2019-01-10 09:27:10 UTC
Target Upstream Version:
Embargoed:




Links: Red Hat Product Errata RHBA-2019:0026 (last updated 2019-01-10 09:27:16 UTC)

Comment 10 Vadim Rutkovsky 2018-10-17 18:25:54 UTC
Created https://github.com/openshift/openshift-ansible/pull/10432

Comment 11 Vadim Rutkovsky 2018-10-26 09:09:41 UTC
Fix is available in openshift-ansible-3.10.63-1

Comment 12 Gaoyun Pei 2018-10-29 08:07:18 UTC
Verified with openshift-ansible-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm

With the following two parameters defined in the Ansible inventory file, upgraded an OCP 3.9 cluster to 3.10.

openshift_master_identity_providers=[{'name': 'LDAP_auth', 'login': 'true', 'challenge': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['uid'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'url': 'ldap://test.com:389/ou=People,dc=my-domain,dc=com?uid'}]
openshift_master_ldap_ca_file=/extra-ansible/files/ldap.ca.crt

During the upgrade, the specified LDAP CA file was copied to the master as /etc/origin/master/LDAP_auth_ldap_ca.crt, and oauthConfig.identityProviders in master-config.yaml was updated correspondingly.


  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: LDAP_auth
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - uid
        preferredUsername:
        - uid
      bindDN: ''
      bindPassword: ''
      ca: /etc/origin/master/LDAP_auth_ldap_ca.crt
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldap://test.com:389/ou=People,dc=my-domain,dc=com?uid
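
The verification above shows the post-fix state: `insecure: false` with a `ca` path that exists on the master. The pre-fix state this bug describes is the same provider with no `ca` entry (or one pointing at a file the upgrade never copied), so the master falls back to the system trust store and cannot verify a privately signed LDAP server certificate. The following audit script is an added example, not code from openshift-ansible or from the bug's commenters: it walks the `oauthConfig.identityProviders` of a parsed master-config.yaml and flags LDAP providers that use TLS without a usable CA, providers that disable TLS altogether, and anonymous binds. The `sample_config` data is constructed to mirror the YAML in this comment; `load_master_config` assumes PyYAML is installed and is only needed to read a real file.

```python
"""Audit LDAP identity providers in an OpenShift 3.x master-config.yaml.

Added example (not openshift-ansible code). Looks for the condition behind
this bug: an LDAPPasswordIdentityProvider with insecure: false but no usable
`ca`, which leaves the master unable to verify the LDAP server certificate.
"""
import os
from urllib.parse import urlparse

# PyYAML is only needed to read a real file; the audit itself works on dicts.
try:
    import yaml
except ImportError:
    yaml = None

LDAP_KIND = "LDAPPasswordIdentityProvider"


def audit_ldap_providers(master_config, file_exists=os.path.isfile):
    """Return a list of (provider_name, level, message) findings.

    master_config: parsed master-config.yaml as a dict.
    file_exists:   injectable so the check runs without touching the real disk.
    """
    findings = []
    providers = (master_config.get("oauthConfig") or {}).get("identityProviders") or []
    for idp in providers:
        name = idp.get("name", "<unnamed>")
        prov = idp.get("provider") or {}
        if prov.get("kind") != LDAP_KIND:
            continue

        scheme = urlparse(prov.get("url", "")).scheme.lower()
        insecure = bool(prov.get("insecure", False))
        ca = prov.get("ca") or ""

        if insecure:
            # With insecure: true no TLS is negotiated and `ca` is ignored.
            findings.append((name, "warning",
                             "insecure: true, so no TLS is used and LDAP passwords "
                             f"cross the wire in clear text ({scheme or 'no'} scheme in url)"))
            continue

        # TLS is in use: ldaps:// connects with TLS, ldap:// is upgraded via StartTLS.
        if not ca:
            findings.append((name, "error",
                             "TLS is used (insecure: false) but no `ca` is set; the server "
                             "certificate must then chain to the system trust store, which "
                             "typically does not include a private LDAP CA"))
        elif not file_exists(ca):
            findings.append((name, "error",
                             f"`ca` points at {ca}, which does not exist on this master"))

        if not prov.get("bindDN") and not prov.get("bindPassword"):
            findings.append((name, "info",
                             "anonymous bind (empty bindDN/bindPassword); the directory "
                             "must allow anonymous search of the base DN"))
    return findings


def load_master_config(path):
    """Read a master-config.yaml from disk. Requires PyYAML (assumed installed)."""
    if yaml is None:
        raise RuntimeError("PyYAML not available; pass a dict to audit_ldap_providers instead")
    with open(path) as fh:
        return yaml.safe_load(fh)


def sample_config(ca_path=None):
    """Constructed sample mirroring the provider in this comment; ca_path=None
    reproduces the broken pre-fix state with no `ca` entry."""
    provider = {
        "apiVersion": "v1",
        "kind": LDAP_KIND,
        "attributes": {"id": ["dn"], "email": ["mail"],
                       "name": ["uid"], "preferredUsername": ["uid"]},
        "bindDN": "",
        "bindPassword": "",
        "insecure": False,
        "url": "ldap://test.com:389/ou=People,dc=my-domain,dc=com?uid",
    }
    if ca_path is not None:
        provider["ca"] = ca_path
    return {"oauthConfig": {"identityProviders": [
        {"name": "LDAP_auth", "challenge": True, "login": True,
         "mappingMethod": "claim", "provider": provider}]}}


if __name__ == "__main__":
    import sys
    cfg = load_master_config(sys.argv[1]) if len(sys.argv) > 1 else sample_config()
    for prov_name, level, msg in audit_ldap_providers(cfg):
        print(f"[{level}] {prov_name}: {msg}")
```

Run it against `/etc/origin/master/master-config.yaml` on each master after the upgrade: a clean run reports at most the anonymous-bind note, while the pre-fix configuration produces the missing-`ca` error. The file-existence check is separate from the config check on purpose, since openshift-ansible must both amend the YAML and copy the file for authentication to work.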

Comment 13 Victor Hernando 2018-11-07 10:57:21 UTC
Hi,

Do we know when this will be released, which errata or .z release will include that and the estimated date of that release?

Thanks in advance!

Comment 15 errata-xmlrpc 2019-01-10 09:27:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0026

