1733103 – When OpenID is configured with an empty CA in inventory, in master-config is wrong configured

Bug 1733103 - When OpenID is configured with an empty CA in inventory, in master-config is wrong configured

Summary: When OpenID is configured with an empty CA in inventory, in master-config is ...

Keywords:
Status:	CLOSED DUPLICATE of bug 1812413
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	low
Target Milestone:	---
Target Release:	3.11.z
Assignee:	Russell Teague
QA Contact:	Johnny Liu
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-25 08:36 UTC by Alberto Gonzalez de Dios
Modified:	2020-05-12 19:29 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-05-12 19:29:33 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Alberto Gonzalez de Dios 2019-07-25 08:36:38 UTC

Description of problem:

When IdentityProvider for OpenID login is configured in the inventory with the key/value pair "'ca': ''", and run the openshift-master/config.yml playbook, in the master-config.yml appears a line defining the key "ca" with a filename /etc/origin/master/<providername>_openid_ca.crt.

The configuration with the playbook runs without errors. But the login with this IdentityProvider is not possible. After a "restart_master api/controllers" on every master, the startup doesn't work. There is an error in the "master-logs api api" saying "file not found /etc/origin/master/<providername>_openid_ca.crt".

Inventory:
openshift_master_identity_providers=[{"name": "OpenID", "login": "true", "challenge": "true", "mappingMethod": "add", "kind": "OpenIDIdentityProvider", "ca": "", ... }]

Master-config gets configured as:

  - name: OpenID
    provider:
      apiVersion: v1
      ca: /etc/origin/master/<providername>_openid_ca.crt

But it should be configured as:

  - name: OpenID
    provider:
      apiVersion: v1
      ca: ''

If define "openshift_master_openid_ca_file" variable with an empty value in the inventory, then there is an error while running the master/config.yml saying "File lookup error"

This issue is very similar to BZ 1627764, but that issue was fixed just for LDAP identity provider.


Version-Release number of the following components:
3.11.98


How reproducible:
Configure inventory with OpenIDIdentityProvider and empty ca and run master/config.yml


Steps to Reproduce:
1. Configure inventory with OpenIDIdentityProvider with an empty ca

openshift_master_identity_providers=[{"name": "OpenID", "login": "true", "challenge": "true", "mappingMethod": "add", "kind": "OpenIDIdentityProvider", "ca": "", ... }]

2. Run master/config.yml


Actual results:

master-config.yml:
  - name: OpenID
    provider:
      apiVersion: v1
      ca: /etc/origin/master/<providername>_openid_ca.crt


Expected results:

master-config.yml:
  - name: OpenID
    provider:
      apiVersion: v1
      ca: ''

Note You need to log in before you can comment on or make changes to this bug.