Description of problem:
The OpenID Connect auth configuration lacks 'issuer' in OCP 3.X; the value of 'issuer' is "" in the exported CR 100_CPMA-cluster-config-oauth.yaml, which makes it impossible to apply the CR to OCP4.

Version-Release number of selected component (if applicable):
CPMA version: commit 006c5698376dda59438d6b25e78f00ad1dd630a4 (HEAD -> release-1.0, origin/release-1.0)

OCP3 version:
$ oc version
oc v3.11.146
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://mig-az-master-etcd-1:8443
openshift v3.11.146
kubernetes v1.11.0+d4cacc0

OCP4 version:
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.2.0-0.nightly-2019-09-22-222738   True        False         2d21h   Error while reconciling 4.2.0-0.nightly-2019-09-22-222738: the cluster operator machine-config is degraded

How reproducible:
always

Steps to Reproduce:
1. Added to /etc/origin/master/master-config.yaml in OCP 3:

- name: openid_connect
  challenge: false
  login: true
  mappingMethod: claim
  provider:
    apiVersion: v1
    kind: OpenIDIdentityProvider
    clientID: 09c7d6d7a9e8666a14c4
    clientSecret: 2f9f485c319e59f6fb6eefd966774b1d9b5d3606
    extraScopes:
    - email
    - profile
    extraAuthorizeParameters:
      include_granted_scopes: "true"
    claims:
      id:
      - custom_id_claim
      - sub
      preferredUsername:
      - preferred_username
      - email
      name:
      - nickname
      - given_name
      - name
      email:
      - custom_email_claim
      - email
    urls:
      authorize: https://myidp.example.com/oauth2/authorize
      token: https://myidp.example.com/oauth2/token
      userInfo: https://myidp.example.com/oauth2/userinfo

2. Execute the cpma utility to generate CRs.

100_CPMA-cluster-config-oauth.yaml:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  creationTimestamp: null
  name: cluster
  namespace: openshift-config
spec:
  identityProviders:
  - mappingMethod: claim
    name: openid_connect
    openID:
      ca:
        name: ""
      claims:
        email:
        - custom_email_claim
        - email
        name:
        - nickname
        - given_name
        - name
        preferredUsername:
        - preferred_username
        - email
      clientID: 09c7d6d7a9e8666a14c4
      clientSecret:
        name: openid-secret
      issuer: ""
    type: OpenID
  templates:
    error:
      name: ""
    login:
      name: ""
    providerSelection:
      name: ""
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
status: {}

3. Apply the auth CR to OCP 4:

oc apply -f /Users/xinjiang/ocp/cpma/data0826/manifests/100_CPMA-cluster-config-oauth.yaml

Actual results:
It printed an error:

The OAuth "cluster" is invalid:
* spec.identityProviders[0].openID.issuer: Invalid value: "": must contain a scheme (e.g. https://)
* spec.identityProviders[0].openID.issuer: Invalid value: "": must contain a host

Expected results:
The OpenID auth configuration should apply to OCP 4 successfully.

Additional info:
This is a mandatory field whose value can't be empty. The user needs to complete the field before applying the file. https://github.com/fusor/cpma/issues/413
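
A pre-apply check for the point made in the comment above, as an added example that is not part of the original report or of CPMA. It scans a manifest for issuer values and flags any that lack a scheme or a host, approximating the two checks shown in the API server's error output; the function name check_issuers and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Pre-apply gate for a CPMA-generated OAuth manifest (added example).
# check_issuers FILE: report every "issuer:" value that has no scheme or no
# host, and return 1 if any was found. Line-based scan, so it assumes the
# one-key-per-line YAML layout seen in the exported CR.
check_issuers() {
    awk '
        /^[ \t]*issuer:/ {
            val = $0
            sub(/^[ \t]*issuer:[ \t]*/, "", val)   # drop the key
            sub(/[ \t]+$/, "", val)                # drop trailing blanks
            gsub(/^["\047]|["\047]$/, "", val)     # drop surrounding quotes
            if (val !~ "^[A-Za-z][A-Za-z0-9+.-]*:") {
                printf "%s:%d: issuer \"%s\": must contain a scheme\n", FILENAME, NR, val
                bad++
            }
            if (val !~ "^[A-Za-z][A-Za-z0-9+.-]*://[^/?#]+") {
                printf "%s:%d: issuer \"%s\": must contain a host\n", FILENAME, NR, val
                bad++
            }
        }
        END { exit (bad > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the openID fragment of the exported CR, issuer left empty.
sample=$(mktemp)
cat > "$sample" <<'EOF'
spec:
  identityProviders:
  - mappingMethod: claim
    name: openid_connect
    openID:
      clientID: 09c7d6d7a9e8666a14c4
      clientSecret:
        name: openid-secret
      issuer: ""
    type: OpenID
EOF
if check_issuers "$sample"; then
    echo "issuer values look complete; manifest can be passed to oc apply"
else
    echo "fix the issuer values above before running oc apply" >&2
fi
rm -f "$sample"
```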
Patch https://github.com/fusor/cpma/pull/415 has been merged to the master and release-1.0 branches.
Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3151