Description of problem:
accessTokenMaxAgeSeconds in the oauth configuration could only be set to a positive integer number, but it can be set to any characters now.

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION     AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.6   True        False         44m     Cluster version is 4.0.0-0.6

How reproducible:
always

Steps to Reproduce:
1. Edit the oauth object and set accessTokenMaxAgeSeconds to something that is not a positive integer number:
   oc edit oauth cluster
   spec:
     tokenConfig:
       accessTokenMaxAgeSeconds: dfadfadf

Actual results:
The edit is successful, but the authentication pod is not restarted for it to take effect.

Expected results:
The edit of oauth should fail and prompt some hint, such as "could not be patched: unrecognized type"
Resolved in https://github.com/openshift/cluster-config-operator/pull/17
Verification failed. The accessTokenMaxAgeSeconds could be configured with a negative number, such as `accessTokenMaxAgeSeconds: -86400`

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-03-18-223058   True        False         9h      Cluster version is 4.0.0-0.nightly-2019-03-18-223058
-86400 is a valid value: https://github.com/openshift/api/blob/master/config/v1/types_oauth.go#L55
Thanks for the clarification, it makes sense, verified.
I overlooked the fact that this is accessTokenMaxAgeSeconds and not accessTokenInactivityTimeout. This needs fixing, will be done as a part of https://github.com/openshift/origin/pull/21922
Verified on 4.1.0-0.nightly-2019-05-04-210601
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758