Bug 1906808 - [test-disabled] ServiceAccounts should support OIDC discovery of service account issuer
Summary: [test-disabled] ServiceAccounts should support OIDC discovery of service acco...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.7
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.7.0
Assignee: Standa Laznicka
QA Contact: scheng
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-12-11 13:23 UTC by Standa Laznicka
Modified: 2021-02-24 15:42 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-24 15:42:30 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 1020 0 None closed Bug 1906808: configobservation: override service-account-jwks-uri to use LB address 2021-01-20 05:48:27 UTC
Github openshift cluster-kube-apiserver-operator pull 1025 0 None closed Bug 1906808: follow-up fixes to SA-issuer observer 2021-01-20 05:48:27 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:42:46 UTC

Description Standa Laznicka 2020-12-11 13:23:28 UTC
Description of problem:
During rebase, we identified a test that was failing due to the defaulting logic for the jwks endpoint in kube-apiserver which tries to reach the IP of the KAS, yet this IP is not included in the default KAS serving certificate.

Wire the address of the LB instead to make this test work.

Version-Release number of selected component (if applicable):
4.7

How reproducible:
100%

Steps to Reproduce:
1. run the `[sig-auth] ServiceAccounts should support OIDC discovery of service account issuer [Feature:ServiceAccountIssuerDiscovery] [Suite:openshift/conformance/parallel] [Suite:k8s]` test

Actual results:
the test fails

Expected results:
the test succeeds

Comment 1 Tomáš Nožička 2020-12-11 13:27:14 UTC
we are disabling the test and it needs to be re-enabled when this BZ is fixed

Comment 8 errata-xmlrpc 2021-02-24 15:42:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.