Bug 1907613
| Summary: | oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens during install | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Seth Jennings <sjenning> | |
| Component: | Cloud Credential Operator | Assignee: | Seth Jennings <sjenning> | |
| Status: | CLOSED ERRATA | QA Contact: | wang lin <lwan> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 4.7 | CC: | jdiaz, lwan | |
| Target Milestone: | --- | Keywords: | UpcomingSprint | |
| Target Release: | 4.6.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
When installing on AWS, the cloud-credential-operator automatically created an OpenID discovery endpoint that could be used to externally authenticate service account tokens obtained with the TokenRequest API. This proved to be problematic as it involved changing the serviceAccountIssuer on the kube-apiserver, which invalidated any previously minted tokens. This functionality has been removed as a result. Creation and configuration of the OpenID discovery endpoint and serviceAccountIssuer must be done by the cluster admin at cluster installation time. The serviceAccountIssuer may not be changed after installation begins.
|
Story Points: | --- | |
| Clone Of: | 1906880 | |||
| : | 1911812 (view as bug list) | Environment: | ||
| Last Closed: | 2021-02-01 15:24:32 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1906880 | |||
| Bug Blocks: | 1911812 | |||
|
Comment 1
Seth Jennings
2020-12-14 20:22:27 UTC
Verified on 4.6.0-0.nightly-2021-01-22-123731
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.6.0-0.nightly-2021-01-22-123731 True False 104m Cluster version is 4.6.0-0.nightly-2021-01-22-123731
1. controller oidcdiscoveryendpoint has been removed.
[lwan@lwan Downloads]$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.6.0-0.nightly-2021-01-22-123731 True False 104m Cluster version is 4.6.0-0.nightly-2021-01-22-123731
[lwan@lwan Downloads]$ oc get deployment/cloud-credential-operator -n openshift-cloud-credential-operator | grep controller=o
2. there is no serviceAccountIssuer field in authentication CR
$ oc get authentication cluster -o json | jq -r ".spec"
{}
3.there is no related OpenID discovery documents push to s3 bucket.
4.manifest CredentialsRequest cloud-credential-operator-s3 is removed.
$ oc -n openshift-cloud-credential-operator get CredentialsRequest -o json | jq -r '.items[] | select (.spec[].kind=="AWSProviderSpec") | .spec.secretRef'
{
"name": "ebs-cloud-credentials",
"namespace": "openshift-cluster-csi-drivers"
}
{
"name": "cloud-credential-operator-iam-ro-creds",
"namespace": "openshift-cloud-credential-operator"
}
{
"name": "installer-cloud-credentials",
"namespace": "openshift-image-registry"
}
{
"name": "cloud-credentials",
"namespace": "openshift-ingress-operator"
}
{
"name": "aws-cloud-credentials",
"namespace": "openshift-machine-api"
}
$ oc get credentialsrequest -n openshift-cloud-credential-operator cloud-credential-operator-s3
Error from server (NotFound): credentialsrequests.cloudcredential.openshift.io "cloud-credential-operator-s3" not found
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6.15 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0235 |