Bug 1852312 - authentication pods goes panic after customizing oauth templates
Summary: authentication pods goes panic after customizing oauth templates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.6
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.6.0
Assignee: Standa Laznicka
QA Contact: pmali
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-06-30 06:17 UTC by Yadan Pei
Modified: 2020-10-27 16:10 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:10:28 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-authentication-operator pull 296 0 None closed Bug 1852312: fix template mounting to the oauth-server pods 2021-02-21 17:19:45 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:10:55 UTC

Description Yadan Pei 2020-06-30 06:17:00 UTC
Description of problem:
after adding customized login, providers and error templates, authentication pods failed to start

Version-Release number of selected component (if applicable):
4.6.0-0.nightly-2020-06-26-035408

How reproducible:
Always

Steps to Reproduce:
1. Create template files
# oc adm create-login-template > login.html
# oc adm create-provider-selection-template > providers.html
# oc adm create-error-template > errors.html

2. Create secret using template files
# oc create secret generic login-template --from-file=/root/yapei/oauth-files/login.html -n openshift-config
secret/login-template created
# oc create secret generic error-template --from-file=/root/yapei/oauth-files/errors.html -n openshift-config
secret/error-template created
# oc create secret generic providers-template --from-file=/root/yapei/oauth-files/providers.html -n openshift-config
secret/providers-template created

3. Edit oauth cluster, add templates
# oc get oauth cluster -o json | jq '.spec'
{
  "identityProviders": [
    {
      "htpasswd": {
        "fileData": {
          "name": "htpass-secret"
        }
      },
      "mappingMethod": "claim",
      "name": "flexy-htpasswd-provider",
      "type": "HTPasswd"
    },
    {
      "htpasswd": {
        "fileData": {
          "name": "htpasswd-rjbmr"
        }
      },
      "mappingMethod": "claim",
      "name": "qehtpasswd",
      "type": "HTPasswd"
    }
  ],
  "templates": {
    "error": {
      "name": "error-template"
    },
    "login": {
      "name": "login-template"
    },
    "providerSelection": {
      "name": "providers-template"
    }
  }
}

Actual results:
3. new authentication pods is in CrashLoopBackOff status, and there is runtime error
# oc get pods -n openshift-authentication
NAME                               READY   STATUS             RESTARTS   AGE
oauth-openshift-77f7975575-wlzfk   0/1     CrashLoopBackOff   2          52s
oauth-openshift-7f4cdc57cb-7qtvf   1/1     Running            0          7m41s
oauth-openshift-7f4cdc57cb-lcr54   1/1     Running            0          7m54s

# oc logs -f oauth-openshift-77f7975575-wlzfk -n openshift-authentication
Copying system trust bundle
I0630 05:50:13.521096       1 dynamic_serving_content.go:111] Loaded a new cert/key pair for "serving-cert::/var/config/system/secrets/v4-0-config-system-serving-cert/tls.crt::/var/config/system/secrets/v4-0-config-system-serving-cert/tls.key"
I0630 05:50:13.521435       1 dynamic_serving_content.go:111] Loaded a new cert/key pair for "sni-serving-cert::/var/config/system/secrets/v4-0-config-system-router-certs/apps.qe-ui46-0630.qe.devcluster.openshift.com::/var/config/system/secrets/v4-0-config-system-router-certs/apps.qe-ui46-0630.qe.devcluster.openshift.com"
panic: open /var/config/user/template/secret/v4-0-config-user-template-error/errors.html: no such file or directory

goroutine 1 [running]:
github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).buildHandlerChainForOAuth(0xc000463c80, 0x1f67660, 0xc00040ca00, 0xc000445d40, 0x1977480, 0xc00095b4f8)
	github.com/openshift/oauth-server@/pkg/oauthserver/oauth_apiserver.go:307 +0xee
k8s.io/apiserver/pkg/server.completedConfig.New.func1(0x1f67660, 0xc00040ca00, 0x1f67660, 0xc00040ca00)
	k8s.io/apiserver.2/pkg/server/config.go:535 +0x45
k8s.io/apiserver/pkg/server.NewAPIServerHandler(0x1c1a852, 0xf, 0x1fab520, 0xc00067fc20, 0xc00095b710, 0x0, 0x0, 0xc00040c980)
	k8s.io/apiserver.2/pkg/server/handler.go:96 +0x2cc
k8s.io/apiserver/pkg/server.completedConfig.New(0xc000445d40, 0x0, 0x0, 0x1c1a852, 0xf, 0x1fc7d20, 0x2dd89a8, 0xc000445d40, 0x0, 0x0)
	k8s.io/apiserver.2/pkg/server/config.go:537 +0x124
github.com/openshift/oauth-server/pkg/oauthserver.completedOAuthConfig.New(0xc00040c980, 0xc000463c88, 0x1fc7d20, 0x2dd89a8, 0x4, 0x1fa9320, 0xc000580190)
	github.com/openshift/oauth-server@/pkg/oauthserver/oauth_apiserver.go:290 +0x70
github.com/openshift/oauth-server/pkg/cmd/oauth-server.RunOsinServer(0xc000496300, 0xc000236360, 0xc1c, 0xe1c)
	github.com/openshift/oauth-server@/pkg/cmd/oauth-server/server.go:41 +0x89
github.com/openshift/oauth-server/pkg/cmd/oauth-server.(*OsinServer).RunOsinServer(0xc0003aa890, 0xc000236360, 0xc0006cbaa0, 0x5eb040)
	github.com/openshift/oauth-server@/pkg/cmd/oauth-server/cmd.go:91 +0x286
github.com/openshift/oauth-server/pkg/cmd/oauth-server.NewOsinServer.func1(0xc0000cd900, 0xc0003049e0, 0x0, 0x2)
	github.com/openshift/oauth-server@/pkg/cmd/oauth-server/cmd.go:39 +0xf2
github.com/spf13/cobra.(*Command).execute(0xc0000cd900, 0xc000304980, 0x2, 0x2, 0xc0000cd900, 0xc000304980)
	github.com/spf13/cobra.5/command.go:830 +0x2aa
github.com/spf13/cobra.(*Command).ExecuteC(0xc0000cd680, 0xc0000cd680, 0x0, 0x0)
	github.com/spf13/cobra.5/command.go:914 +0x2fb
github.com/spf13/cobra.(*Command).Execute(...)
	github.com/spf13/cobra.5/command.go:864
main.main()
	github.com/openshift/oauth-server@/cmd/oauth-server/main.go:41 +0x302

Expected results:
3. new authentication pods should be started successfully

Additional info:

Comment 1 Yadan Pei 2020-06-30 06:52:33 UTC
in operator pod authentication-operator-7f6fb6765c-fpqk7 logs, found:

                "oauthConfig": map[string]interface{}{
                        "templates": map[string]interface{}{
                                "error":             string("/var/config/system/secrets/v4-0-config-system-ocp-branding-template/errors.html"),
-                               "login":             string("/var/config/system/secrets/v4-0-config-system-ocp-branding-template/login.html"),
+                               "login":             string("/var/config/user/template/secret/v4-0-config-user-template-login/login.html"),
-                               "providerSelection": string("/var/config/system/secrets/v4-0-config-system-ocp-branding-template/providers.html"),
+                               "providerSelection": string("/var/config/user/template/secret/v4-0-config-user-template-provider-selection/providers.html"),
                        }
$ oc rsh -n openshift-authentication oauth-openshift-557f8fd675-jbn6z
sh-4.2# ls /var/config/system/secrets/v4-0-config-system-ocp-branding-template/
errors.html  login.html  providers.html


The path is /var/config/system/secrets/v4-0-config-system-ocp-branding-template/ but the pod tries to open /var/config/user/template/secret/v4-0-config-user-template-error/errors.html: no such file or directory

Comment 6 errata-xmlrpc 2020-10-27 16:10:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196


Note You need to log in before you can comment on or make changes to this bug.