1906880 – oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens during install

Bug 1906880 - oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens during install

Summary: oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens duri...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Cloud Credential Operator
Sub Component:
Version:	4.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.7.0
Assignee:	Seth Jennings
QA Contact:	wang lin
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1907613 1911812
TreeView+	depends on / blocked

Reported:	2020-12-11 16:18 UTC by Seth Jennings
Modified:	2021-02-24 15:43 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Release Note
Doc Text:	When installing on AWS in 4.6, the cloud-credential-operator automatically created an OpenID discovery endpoint that could be used to externally authenticate service account tokens obtained with the TokenRequest API. This proved to be problematic as it involved changing the serviceAccountIssuer on the kube-apiserver, which invalidated any previously minted tokens. This functionality has been removed in 4.7. Creation and configuration of the OpenID discovery endpoint and serviceAccountIssuer must be done by the cluster admin at cluster installation time. The serviceAccountIssuer may not be changed after installation begins.
Clone Of:
Clones:	1907613 (view as bug list)
Environment:
Last Closed:	2021-02-24 15:42:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift cloud-credential-operator pull 276	0	None	closed	Bug 1906880: operator: remove odicdiscoveryendpoint controller	2021-02-20 09:57:06 UTC
Red Hat Product Errata	RHSA-2020:5633	0	None	None	None	2021-02-24 15:42:59 UTC

Description Seth Jennings 2020-12-11 16:18:20 UTC

Description of problem:

oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens during install by setting the serviceIssuerURL on the Authentication cluster CR.

This was thought to be safe when we did it in 4.6, but it turns out it is not and changing this value requires a full cluster restart, which there is not mechanism for today.

We should remove this controller and leave configuration of the endpoint as a pre-install exercise for the user.

Comment 2 wang lin 2020-12-15 09:44:30 UTC

Verified on payload: 4.7.0-0.nightly-2020-12-14-165231

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2020-12-14-165231   True        False         6h25m   Cluster version is 4.7.0-0.nightly-2020-12-14-165231

1. controller oidcdiscoveryendpoint has been removed.
[lwan@lwan Downloads]$ oc logs cloud-credential-operator-65cd57bfff-lqp8f -c cloud-credential-operator | grep controller=o
[lwan@lwan Downloads]$ 
2. there is no serviceAccountIssuer field in authentication CR
$ oc get authentication cluster -o json | jq -r ".spec"
{}
3.there is no related OpenID discovery documents push to s3 bucket.

Comment 5 errata-xmlrpc 2021-02-24 15:42:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

Note You need to log in before you can comment on or make changes to this bug.