Description of problem:
In the source cluster ocp3.7, one of organizations or teams was not specified. That caused a failure such that the GitHub auth provider cannot be applied to the target cluster ocp4.2.

Version-Release number of selected component (if applicable):
OCP 3.7
cpma commit id: commit bbf1f97aaf646f94691c46ee520c823520bb73c1

How reproducible:
always

Steps to Reproduce:
1. Configure GitHubIdentityProvider as ID provider in ocp3.7:

    identityProviders:
    - name: github
      challenge: false
      login: true
      mappingMethod: claim
      provider:
        apiVersion: v1
        kind: GitHubIdentityProvider
        clientID: 09c7d6d7a9e8666a14c4
        clientSecret: 2f9f485c319e59f6fb6eefd966774b1d9b5d3606

2. Execute the cpma utility to generate CRs. 100_CPMA-cluster-config-oauth.yaml:

    ...
    - github:
        ca:
          name: ""
        clientID: 09c7d6d7a9e8666a14c4
        clientSecret:
          name: github-secret
        hostname: ""
      mappingMethod: claim
      name: github
      type: GitHub

3. oc create -f data/manifests/100_CPMA-cluster-config-oauth.yaml

Actual results:
Get the following error:

    The OAuth "" is invalid: spec.identityProviders[1].github: Invalid value: "null": one of organizations or teams must be specified unless hostname is set or lookup is used

Expected results:
It should be applied to ocp4.2 successfully.

Additional info:
This is actually an OpenShift issue with the latest OCP4.2 (kubernetes v1.13.4+a8c5f5b). The Organizations and Teams fields are expected to be optional (and exclusive): https://docs.openshift.com/container-platform/4.1/authentication/identity_providers/configuring-github-identity-provider.html

Effectively, applying a CR with either the Organizations or Teams field missing or empty is rejected, while adding either field with a value gets the CR applied:

--------oauth-github.yaml----------
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  creationTimestamp: null
  name: cluster
  namespace: openshift-config
spec:
  identityProviders:
  - github:
      ca:
        name: ""
      clientID: 3c76ea3f45d6777bffd7
      clientSecret:
        name: github-secret
      hostname: ""
      organizations:
      - blah
      teams: []
    mappingMethod: claim
    name: github123456789
    type: GitHub
status: {}
-----------------------------------

$ oc apply -f oauth-github.yaml
oauth.config.openshift.io/cluster configured
> Organizations and teams fields are expected to be optional

They are only optional for GitHub Enterprise; read the description of (6) at https://docs.openshift.com/container-platform/4.1/authentication/identity_providers/configuring-github-identity-provider.html#identity-provider-github-CR_configuring-github-identity-provider and file a BZ against the docs component if you think the description of (7) and (8) is lacking. Other configurations are considered insecure as they would allow any GH user to access your cluster, and there is no clean migration path.
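The validation rule quoted in the error above and explained in this comment, as an added example that is not code from the bug report or from CPMA: a small offline check that applies the same rule to a migrated OAuth CR before `oc create`. The sample CRs are constructed from the two manifests quoted in this bug; `github_idp_problems` and `check_oauth` are hypothetical names.

```python
# Added example, not code from the bug report or from CPMA: re-implements the
# validation rule quoted in the API server error so a migrated OAuth CR can be
# checked offline before `oc create`.

def github_idp_problems(idp):
    """Return the problems found in one spec.identityProviders[] entry of a
    config.openshift.io/v1 OAuth resource; an empty list means it passes."""
    if idp.get("type") != "GitHub":
        return []
    gh = idp.get("github") or {}
    orgs = gh.get("organizations") or []
    teams = gh.get("teams") or []
    problems = []
    if orgs and teams:
        problems.append("github: organizations and teams are mutually exclusive")
    # With neither restriction any GitHub user could log in, so the API server
    # rejects the entry unless it targets GitHub Enterprise (hostname set) or
    # mappingMethod is lookup (identities must already exist in the cluster).
    if (not orgs and not teams and not gh.get("hostname")
            and idp.get("mappingMethod") != "lookup"):
        problems.append("github: one of organizations or teams must be specified "
                        "unless hostname is set or lookup is used")
    return problems


def check_oauth(cr):
    """Map the index of each failing identity provider to its problems."""
    result = {}
    for i, idp in enumerate(cr.get("spec", {}).get("identityProviders", [])):
        problems = github_idp_problems(idp)
        if problems:
            result[i] = problems
    return result


# Constructed sample: the CPMA output rejected in the report (no orgs, teams or hostname).
REJECTED = {"spec": {"identityProviders": [
    {"name": "github", "type": "GitHub", "mappingMethod": "claim",
     "github": {"ca": {"name": ""}, "clientID": "09c7d6d7a9e8666a14c4",
                "clientSecret": {"name": "github-secret"}, "hostname": ""}}]}}

# Constructed sample: the same provider with an organizations restriction (comment 2).
ACCEPTED = {"spec": {"identityProviders": [
    {"name": "github123456789", "type": "GitHub", "mappingMethod": "claim",
     "github": {"ca": {"name": ""}, "clientID": "3c76ea3f45d6777bffd7",
                "clientSecret": {"name": "github-secret"}, "hostname": "",
                "organizations": ["blah"], "teams": []}}]}}

if __name__ == "__main__":
    for label, cr in (("rejected", REJECTED), ("accepted", ACCEPTED)):
        print(label, check_oauth(cr) or "ok")
```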
I converted https://bugzilla.redhat.com/show_bug.cgi?id=1748368 to a Doc bug so I don't think this BZ needs to be blocked by it anymore, but I'll leave that blocking decision on Gilles.
Hi Standa, I marked BZ#1748368 as a dependency until that one is clearly defined as a doc bug or not, because in the negative case it would remain a blocker.
The behaviour has changed and either the Organizations or the teams field is now necessary. OCP documentation will be updated accordingly in BZ#1748368. CPMA is going to be patched accordingly.
There was an issue with the aforementioned patch. The patch has been reverted from the release-1.0 branch. A new patch is needed to address the issue.
The patch taking care of this issue is https://github.com/fusor/cpma/pull/404. That PR has been merged to the master branch and backported to the release-1.0 branch.
Verified with version: commit 006c5698376dda59438d6b25e78f00ad1dd630a4 (HEAD -> release-1.0, origin/release-1.0).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922