Bug 1845441 - Fix flipping of service-account-issuer in kube apiserver operator
Summary: Fix flipping of service-account-issuer in kube apiserver operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.5
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.5.0
Assignee: Stefan Schimanski
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On: 1845440
Blocks:
 
Reported: 2020-06-09 09:07 UTC by Michal Fojtik
Modified: 2020-07-13 17:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1845440
Environment:
Last Closed: 2020-07-13 17:43:40 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-kube-apiserver-operator pull 882 | 0 | None | open | Bug 1845441: [release-4.5] auth-config-observation: fix unstructured issuer slice type | 2020-06-24 03:35:20 UTC
Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:44:06 UTC

Description Michal Fojtik 2020-06-09 09:07:25 UTC
+++ This bug was initially created as a clone of Bug #1845440 +++

Description of problem:

Jun 04 22:41:42.095 I ns/openshift-kube-apiserver-operator deployment/kube-apiserver-operator reason/ObservedConfigChanged Writing updated observed config:   map[string]interface{}{\n  	"admission": map[string]interface{}{"pluginConfig": map[string]interface{}{"network.openshift.io/ExternalIPRanger": map[string]interface{}{"configuration": map[string]interface{}{"allowIngressIP": bool(false), "apiVersion": string("network.openshift.io/v1"), "kind": string("ExternalIPRangerAdmissionConfig")}}, "network.openshift.io/RestrictedEndpointsAdmission": map[string]interface{}{"configuration": map[string]interface{}{"apiVersion": string("network.openshift.io/v1"), "kind": string("RestrictedEndpointsAdmissionConfig"), "restrictedCIDRs": []interface{}{string("10.128.0.0/14"), string("172.30.0.0/16")}}}}},\n  	"apiServerArguments": map[string]interface{}{\n  		"cloud-provider":         []interface{}{string("aws")},\n  		"feature-gates":          []interface{}{string("APIPriorityAndFairness=true"), string("RotateKubeletServerCertificate=true"), string("SupportPodPidsLimit=true"), string("NodeDisruptionExclusion=true"), string("ServiceNodeExclusion=true"), string("SCTPSupport=true"), string("LegacyNodeRoleBehavior=false")},\n- 		"service-account-issuer": []interface{}{string("https://ci-op-dgz95p2d-067ff-pxnzv-oidc.s3.amazonaws.com")},\n+ 		"service-account-issuer": []string{"https://ci-op-dgz95p2d-067ff-pxnzv-oidc.s3.amazonaws.com"},\n  	},\n  	"authConfig":         map[string]interface{}{"oauthMetadataFile": string("/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata")},\n  	"corsAllowedOrigins": []interface{}{string(`//127\.0\.0\.1(:|$)`), string("//localhost(:|$)")},\n  	... // 4 identical entries\n  }\n (785 times)

The issue is that the service-account-issuer is flipping because of the unstructured issuer slice type:

- "service-account-issuer": []interface{}{string("https://ci-op-dgz95p2d-067ff-pxnzv-oidc.s3.amazonaws.com")},
+ "service-account-issuer": []string{"https://ci-op-dgz95p2d-067ff-pxnzv-oidc.s3.amazonaws.com"}

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
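
The flip reported above can be reproduced in a few lines of Go. This is an added example, not code from the operator or from PR 882. The helpers `observe`, `roundTrip` and `countWrites`, the issuer URL and the JSON round trip standing in for how the observed config is stored are all assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// issuer is a constructed sample value, not taken from a real cluster.
const issuer = "https://issuer.example.invalid"

// observe (hypothetical) builds the observed config; issuerArg is the slice holding the issuer.
func observe(issuerArg interface{}) map[string]interface{} {
	return map[string]interface{}{
		"apiServerArguments": map[string]interface{}{"service-account-issuer": issuerArg},
	}
}

// roundTrip stores and reloads the config as JSON: every array comes back as []interface{}.
func roundTrip(cfg map[string]interface{}) (map[string]interface{}, error) {
	raw, err := json.Marshal(cfg)
	if err != nil {
		return nil, err
	}
	out := map[string]interface{}{}
	err = json.Unmarshal(raw, &out)
	return out, err
}

// countWrites runs n sync loops and counts how often the config is judged changed and rewritten.
func countWrites(issuerArg interface{}, n int) (writes int, err error) {
	stored := map[string]interface{}{}
	for i := 0; i < n; i++ {
		fresh := observe(issuerArg)
		if reflect.DeepEqual(stored, fresh) {
			continue // no change detected, nothing written
		}
		if stored, err = roundTrip(fresh); err != nil {
			return writes, err
		}
		writes++
	}
	return writes, nil
}

func main() {
	typed, _ := countWrites([]string{issuer}, 5)
	plain, _ := countWrites([]interface{}{issuer}, 5)
	fmt.Println("writes with []string:", typed, "writes with []interface{}:", plain)
}
```

With a typed `[]string` every loop sees a difference against the reloaded `[]interface{}` and writes again; with `[]interface{}` the config settles after the first write.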

Comment 3 Ke Wang 2020-06-11 05:43:18 UTC
Did a search: https://search.apps.build01.ci.devcluster.openshift.com/?search=%22service-account-issuer%22%3A+%5C%5B%5C%5Dstring&maxAge=48h&context=1&type=bug%2Bjunit&name=&maxMatches=5&maxBytes=20971520&groupBy=job

Still found one error in this job: https://prow.svc.ci.openshift.org/job-history/origin-ci-test/logs/release-openshift-origin-installer-e2e-aws-upgrade-rollback-4.5-to-4.6
This job did a rollback from 4.6 to 4.5.0-rc.1. The bug's PR https://github.com/openshift/cluster-kube-apiserver-operator/pull/882 was merged on June 9, but 4.5.0-rc.1 was created from registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-06-05-163714, so the fix is not in this release and the error occurred as expected.

Checking the latest OCP 4.5 release, 
$ oc adm release info registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-06-10-201008 --commits | grep -i kube-apiserver
  cluster-kube-apiserver-operator                https://github.com/openshift/cluster-kube-apiserver-operator                997124bee1fd55a95fd71aadbfc52add0aef0a04
 
$ git log --date local --pretty="%h %an %cd - %s" 997124b | grep '#882'
1af29fb3 OpenShift Merge Robot Tue Jun 9 18:55:35 2020 - Merge pull request #882 from openshift-cherrypick-robot/cherry-pick-880-to-release-4.5

We can see the PR is already in, so moving the bug to verified.

Comment 4 errata-xmlrpc 2020-07-13 17:43:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

