Description of problem:
Azure e2e (See: https://testgrid.k8s.io/redhat-openshift-release-informing#redhat-canary-openshift-ocp-installer-e2e-azure-4.2) is failing on OAuth tests (see below for example)

Version-Release number of selected component (if applicable):
Openshift 4.2

How reproducible:
Always

Steps to Reproduce:
See CI Logs

Actual results:
Notable test failures:
[Feature:OAuthServer] [Token Expiration] Using a OAuth client with a non-default token max age to generate tokens that expire shortly works as expected when using a token authorization flow [Suite:openshift/conformance/parallel]
The bootstrap user should successfully login with password decoded from kubeadmin secret [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] OAuth server should use http1.1 only to prevent http2 connection reuse [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] [Headers] expected headers returned from the grant URL [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] [Headers] expected headers returned from the login URL for the allow all IDP [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] [Headers] expected headers returned from the root URL [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] well-known endpoint should be reachable [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] [Headers] expected headers returned from the token request URL [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] [Headers] expected headers returned from the logout URL [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] [Token Expiration] Using a OAuth client with a non-default token max age to generate tokens that do not expire works as expected when using a code authorization flow [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] [Headers] expected headers returned from the authorize URL [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] [Headers] expected headers returned from the login URL for when there is only one IDP [Suite:openshift/conformance/parallel]
[Feature:OAuthServer] [Headers] expected headers returned from the login URL for the bootstrap IDP [Suite:openshift/conformance/parallel]

Expected results:

Additional info:
This looks like a DNS problem: dial tcp: lookup oauth-openshift.apps.ci-op-btyv29s0-282fe.ci.azure.devcluster.openshift.com on 10.142.15.218:53: no such host
From the ingress-operator pod logs.
```
[{"type":"Failed","status":"True","lastTransitionTime":"2019-08-19T19:58:47Z","reason":"ProviderError","message":"The DNS provider failed to ensure the record: failed to update dns a record: *.apps.ci-op-5idr0d56-282fe.ci.azure.devcluster.openshift.com: dns.RecordSetsClient#CreateOrUpdate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"AuthorizationFailed\" Message=\"The client '9988be96-f7f4-4cc1-9d0c-a4f477e51ca1' with object id '9988be96-f7f4-4cc1-9d0c-a4f477e51ca1' does not have authorization to perform action 'Microsoft.Network/dnsZones/A/write' over scope '/subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/resourceGroups/os4-common/providers/Microsoft.Network/dnsZones/ci.azure.devcluster.openshift.com/A/*.apps.ci-op-5idr0d56-282fe' or the scope is invalid. If access was recently granted, please refresh your credentials.\""}]}]}}}
```
As this looks like a DNS issue (which breaks oauth), reassigning.
*** This bug has been marked as a duplicate of bug 1743728 ***