Bug 1654070 - Director deployed OCP 3.11: changing openshift_master_identity_providers from allow_all to htpasswd_auth doesn't work
Summary: Director deployed OCP 3.11: changing openshift_master_identity_providers from...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: 14.0 (Rocky)
Assignee: Martin André
QA Contact: Marius Cornea
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-28 01:19 UTC by Marius Cornea
Modified: 2019-01-11 11:55 UTC (History)
9 users (show)

Fixed In Version: openstack-tripleo-heat-templates-9.0.1-0.20181013060904.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-11 11:55:06 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 624011 0 None None None 2018-12-10 08:00:41 UTC
Red Hat Product Errata RHEA-2019:0045 0 None None None 2019-01-11 11:55:15 UTC

Description Marius Cornea 2018-11-28 01:19:01 UTC 
Description of problem:
Director deployed OCP 3.11: changing openshift_master_identity_providers from allow_all to htpasswd_auth doesn't work:

Initial deployment is done with:

  OpenShiftGlobalVariables:
    openshift_master_identity_providers:
    - name: allow_all
      login: 'true'
      challenge: true
      kind: AllowAllPasswordIdentityProvider

In a subsequent stack update we set it to htpasswd_auth:

  OpenShiftGlobalVariables:
    openshift_master_identity_providers:
    - name: 'htpasswd_auth'
      login: 'true'
      challenge: 'true'
      kind: 'HTPasswdPasswordIdentityProvider'
    openshift_master_htpasswd_users:
      marius: '$apr1$jpBOUqeU$X4jUsMyCHOOp8TFYtPq0v1'

But after the stack update succeeds we're still able to log in with any user/pass which points to the new configuration not being applied.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-9.0.1-0.20181013060891.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy openshift overcloud with allow_all openshift_master_identity_providers
2. Set openshift_master_identity_providers to htpasswd_auth
3. Re-run overcloud deploy

Actual results:
Log in still works with any user/pass which means the new configuration was not applied.

Expected results:
Log in only works with u: marius p: password. 

Additional info:
Comment 1 Martin André 2018-12-04 13:25:58 UTC 
I've tried re-running the same deploy command after updating the OpenShiftGlobalVariables heat param the same you did, and effectively I could still log in with any user/password.

*However* the new configuration was in /etc/origin/master/master-config.yaml

After restarting the services with "sudo master-restart api && sudo master-restart controllers" it successfully picked up the new config.
Comment 2 Martin André 2018-12-05 09:24:51 UTC 
I noticed a openshift-node/restart.yml [1] playbook. Maybe we could call this from tripleo after applying the new settings.

[1] https://github.com/openshift/openshift-ansible/blob/master/playbooks/openshift-node/restart.yml
Comment 22 Martin André 2019-01-10 10:15:50 UTC 
No doc text required.
Comment 23 errata-xmlrpc 2019-01-11 11:55:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045
Note You need to log in before you can comment on or make changes to this bug.