Description of problem:
CPMA skips oauth if Mapping field is missing, but the field is not mandatory and should be considered as "claim" by default.

Version-Release number of selected component (if applicable):
branch: release-1.0
commit 835495a137dab2d77520f1b4717bcdc6c2f40cb3
    Revert "OAuth GitHub Provider: Organizations or Teams field is mandatory (#3
    This reverts commit 89d24c4e4710f1c65e11d34b69bda675a6e92d94.

OCP3:
# oc version
oc v3.9.99
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://
openshift v3.9.99
kubernetes v1.9.1+a0ce1bc657

How reproducible:
Always

Steps to Reproduce:
1. Add github authentication method to master-config.yaml file, like this (secret and user ID have been modified). Be aware that field "mappingMethod" is not defined in the github identity provider.

oauthConfig:
  assetPublicURL: https://139.178.76.60:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: github52451623
    challenge: false
    login: true
    provider:
      apiVersion: v1
      kind: GitHubIdentityProvider
      clientID: 98b162167ce22204483e
      clientSecret: 54d2757f8f5ce7a0dffa9e30debfcda61d359513

2. Execute cpma on this cluster

Actual results:
No secret is created in the manifest directory

[root@dhcp-139-178-76-60 data3]# tree manifests/
manifests/
├── 100_CPMA-cluster-config-image.yaml
├── 100_CPMA-cluster-config-project.yaml
├── 100_CPMA-cluster-config-sdn.yaml
└── 100_CPMA-default-resource-quota-object-counts.yaml

This is the actual log. OAuth is skipped with this message: Skipping OAuth: Not valid mapping method

../cpma
? Do you wish to save configuration for future use? true
? What will be the source for OCP3 config files? Remote host
? Path to crio config file /etc/crio/crio.conf
? Path to etcd config file /etc/etcd/etcd.conf
? Path to master config file /etc/origin/master/master-config.yaml
? Path to node config file /etc/origin/node/node-config.yaml
? Path to registries config file /etc/containers/registries.conf
? Do wish to find source cluster using KUBECONFIG or prompt it? KUBECONFIG
? Select cluster obtained from KUBECONFIG contexts dhcp-139-178-76-60-internal-example-com:8443
? Select master node dhcp-139-178-76-60.internal.example.com
? SSH login test
? SSH Port 22
? Path to private SSH key /tmp/workdir/libra.pem
? Path to application data, skip to use current directory .
INFO[18 Sep 19 03:56 EDT] Starting manifest and report generation
INFO[18 Sep 19 03:56 EDT] Transform:Starting for - API
INFO[18 Sep 19 03:56 EDT] APITransform::Extract
INFO[18 Sep 19 03:56 EDT] APITransform::Transform:Manifests
INFO[18 Sep 19 03:56 EDT] APITransform: API certificate is OpenShift signed, not ported
INFO[18 Sep 19 03:56 EDT] APITransform::Transform:Reports
INFO[18 Sep 19 03:56 EDT] Transform:Starting for - Cluster
INFO[18 Sep 19 03:56 EDT] ClusterTransform::Transform:Manifests
INFO[18 Sep 19 03:56 EDT] ClusterTransform::Transform:Reports
INFO[18 Sep 19 03:56 EDT] ClusterReport::ReportQuotas
INFO[18 Sep 19 03:56 EDT] ClusterReport::ReportPVs
INFO[18 Sep 19 03:56 EDT] ClusterReport::ReportNamespaces
INFO[18 Sep 19 03:56 EDT] ClusterReport::ReportNodes
INFO[18 Sep 19 03:56 EDT] ClusterReport::ReportRBAC
INFO[18 Sep 19 03:56 EDT] ClusterReport::ReportStorageClasses
INFO[18 Sep 19 03:56 EDT] Flushing manifests to disk
INFO[18 Sep 19 03:56 EDT] CRD:Added: manifests/100_CPMA-default-resource-quota-object-counts.yaml
INFO[18 Sep 19 03:56 EDT] Transform:Starting for - Crio
INFO[18 Sep 19 03:56 EDT] CrioTransform::Extract
WARN[18 Sep 19 03:56 EDT] Skipping Crio: No configuration file available
INFO[18 Sep 19 03:56 EDT] Transform:Starting for - Docker
INFO[18 Sep 19 03:56 EDT] DockerTransform::Extract
INFO[18 Sep 19 03:56 EDT] DockerTransform::Transform:Reports
INFO[18 Sep 19 03:56 EDT] Transform:Starting for - ETCD
INFO[18 Sep 19 03:56 EDT] ETCDTransform::Extract
INFO[18 Sep 19 03:56 EDT] ETCDTransform::Transform:Reports
INFO[18 Sep 19 03:56 EDT] Transform:Starting for - OAuth
INFO[18 Sep 19 03:56 EDT] OAuthTransform::Extract
WARN[18 Sep 19 03:56 EDT] Skipping OAuth: Not valid mapping method
INFO[18 Sep 19 03:56 EDT] Transform:Starting for - SDN
INFO[18 Sep 19 03:56 EDT] SDNTransform::Extract
INFO[18 Sep 19 03:56 EDT] SDNTransform::Transform:Manifests
INFO[18 Sep 19 03:56 EDT] SDNTransform::Transform:Reports
INFO[18 Sep 19 03:56 EDT] Flushing manifests to disk
INFO[18 Sep 19 03:56 EDT] CRD:Added: manifests/100_CPMA-cluster-config-sdn.yaml
INFO[18 Sep 19 03:56 EDT] Transform:Starting for - Image
INFO[18 Sep 19 03:56 EDT] ImageTransform::Extract
INFO[18 Sep 19 03:56 EDT] ImageTransform::Transform:Manifests
INFO[18 Sep 19 03:56 EDT] ImageTransform::Transform:Reports
INFO[18 Sep 19 03:56 EDT] Flushing manifests to disk
INFO[18 Sep 19 03:56 EDT] CRD:Added: manifests/100_CPMA-cluster-config-image.yaml
INFO[18 Sep 19 03:56 EDT] Transform:Starting for - Project
INFO[18 Sep 19 03:56 EDT] ProjectTransform::Extract
INFO[18 Sep 19 03:57 EDT] ProjectTransform::Transform:Manifests
INFO[18 Sep 19 03:57 EDT] ProjectConfig.DefaultNodeSelector is handled by scheduler
INFO[18 Sep 19 03:57 EDT] ProjectTransform::Transform:Reports
INFO[18 Sep 19 03:57 EDT] Flushing manifests to disk
INFO[18 Sep 19 03:57 EDT] CRD:Added: manifests/100_CPMA-cluster-config-project.yaml
INFO[18 Sep 19 03:57 EDT] Flushing reports to disk
INFO[18 Sep 19 03:57 EDT] Report:Added: report.json
INFO[18 Sep 19 03:57 EDT] Report:Added: report.html
INFO[18 Sep 19 03:57 EDT] Succesfully finished transformations

Expected results:
OAuth should not be skipped and a github secret should be created in the manifest directory

├── manifests
│ ├── 100_CPMA-cluster-config-image.yaml
│ ├── 100_CPMA-cluster-config-oauth.yaml
│ ├── 100_CPMA-cluster-config-project.yaml
│ └── 100_CPMA-cluster-config-sdn.yaml
│ ├── 100_CPMA-cluster-config-secret-github-secret.yaml

Additional info:

I confirm the issue. MappingMethod is optional; it's considered as present with the default "claim" value.
Just to clarify my previous message, please read: if it's missing then the parameter is set to "claim" by default. Upstream patch is https://github.com/fusor/cpma/pull/405 which has been merged to master branch.
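
The defaulting rule discussed in the comments above, as an added Go example that is not CPMA's code and not the upstream patch: a strict validator that rejects an absent mappingMethod (the behaviour reported here) beside one that applies the "claim" default before validating. The type, function and error names are hypothetical, and the sample providers are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// IdentityProvider is a hypothetical, reduced view of one identityProviders entry.
type IdentityProvider struct {
	Name          string
	MappingMethod string // empty when the key is absent from master-config.yaml
}

var errInvalidMapping = errors.New("not valid mapping method")

// Mapping methods accepted by OpenShift 3; "claim" applies when the field is omitted.
var validMappingMethods = map[string]bool{
	"claim": true, "lookup": true, "generate": true, "add": true,
}

// strictMappingMethod reproduces the reported behaviour: an absent field is
// treated like an unknown value, so the provider is rejected.
func strictMappingMethod(p IdentityProvider) (string, error) {
	if !validMappingMethods[p.MappingMethod] {
		return "", errInvalidMapping
	}
	return p.MappingMethod, nil
}

// effectiveMappingMethod applies the default first; only unknown values are rejected.
func effectiveMappingMethod(p IdentityProvider) (string, error) {
	if p.MappingMethod == "" {
		return "claim", nil
	}
	return strictMappingMethod(p)
}

func main() {
	// Constructed sample providers, not taken from a real cluster.
	providers := []IdentityProvider{
		{Name: "github52451623"},
		{Name: "ldap", MappingMethod: "lookup"},
		{Name: "typo", MappingMethod: "clam"},
	}
	for _, p := range providers {
		_, strictErr := strictMappingMethod(p)
		method, err := effectiveMappingMethod(p)
		fmt.Printf("%-16s strict=%v fixed=%q err=%v\n", p.Name, strictErr, method, err)
	}
}
```

A value that is present but unknown is still rejected, so a typo in master-config.yaml stays visible in the migration log instead of being silently mapped to "claim".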
Back ported to release-1.0
Verified in:

commit 006c5698376dda59438d6b25e78f00ad1dd630a4
Date: Wed Sep 18 23:11:42 2019 +0200

    Fix double encoding for oauth secrets (#406) (#410)

    (cherry picked from commit a89d3cdf3518e6fca2a2e68ef35466ed1356cae1)

(user data is modified, auth-data values are fake)

# cat /etc/origin/master/master-config.yaml | grep -A 15 oauth
oauthConfig:
  assetPublicURL: https://
  grantConfig:
    method: auto
  identityProviders:
  - name: github52451623
    challenge: false
    login: true
    provider:
      apiVersion: v1
      kind: GitHubIdentityProvider
      clientID: 98b162167ce22204483e
      clientSecret: 54d2757f8f5ce7a0dffa9e30debfcda61d359513
      organizations: [myorganization]
      teams: []
  masterCA: ca-bundle.crt

# In log:
CRD:Added: manifests/100_CPMA-cluster-config-oauth.yaml
CRD:Added: manifests/100_CPMA-cluster-config-secret-github-secret.yaml
Transform:Starting for - SDN

# tree manifests/
manifests/
├── 100_CPMA-cluster-config-image.yaml
├── 100_CPMA-cluster-config-oauth.yaml
├── 100_CPMA-cluster-config-project.yaml
├── 100_CPMA-cluster-config-sdn.yaml
└── 100_CPMA-cluster-config-secret-github-secret.yaml

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922