Bug 1907613 - oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens during install
Summary: oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens duri...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.7
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.6.z
Assignee: Seth Jennings
QA Contact: wang lin
URL:
Whiteboard:
Depends On: 1906880
Blocks: 1911812
TreeView+ depends on / blocked
 
Reported: 2020-12-14 20:19 UTC by Seth Jennings
Modified: 2021-02-01 15:24 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When installing on AWS, the cloud-credential-operator automatically created an OpenID discovery endpoint that could be used to externally authenticate service account tokens obtained with the TokenRequest API. This proved to be problematic as it involved changing the serviceAccountIssuer on the kube-apiserver, which invalidated any previously minted tokens. This functionality has been removed as a result. Creation and configuration of the OpenID discovery endpoint and serviceAccountIssuer must be done by the cluster admin at cluster installation time. The serviceAccountIssuer may not be changed after installation begins.
Clone Of: 1906880
: 1911812 (view as bug list)
Environment:
Last Closed: 2021-02-01 15:24:32 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cloud-credential-operator pull 277 0 None closed Bug 1907613: operator: remove odicdiscoveryendpoint controller 2021-02-16 10:46:17 UTC
Red Hat Product Errata RHBA-2021:0235 0 None None None 2021-02-01 15:24:55 UTC

Comment 1 Seth Jennings 2020-12-14 20:22:27 UTC
pick PR
https://github.com/openshift/cloud-credential-operator/pull/277

Comment 3 wang lin 2021-01-25 03:53:44 UTC
Verified on 4.6.0-0.nightly-2021-01-22-123731

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-01-22-123731   True        False         104m    Cluster version is 4.6.0-0.nightly-2021-01-22-123731


1. controller oidcdiscoveryendpoint has been removed.
[lwan@lwan Downloads]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-01-22-123731   True        False         104m    Cluster version is 4.6.0-0.nightly-2021-01-22-123731
[lwan@lwan Downloads]$ oc get deployment/cloud-credential-operator -n openshift-cloud-credential-operator | grep controller=o

2. there is no serviceAccountIssuer field in authentication CR
$ oc get authentication cluster -o json | jq -r ".spec"
{}

3.there is no related OpenID discovery documents push to s3 bucket.

4.manifest CredentialsRequest cloud-credential-operator-s3 is removed.
$ oc -n openshift-cloud-credential-operator get CredentialsRequest -o json | jq -r '.items[] | select (.spec[].kind=="AWSProviderSpec") | .spec.secretRef'
{
  "name": "ebs-cloud-credentials",
  "namespace": "openshift-cluster-csi-drivers"
}
{
  "name": "cloud-credential-operator-iam-ro-creds",
  "namespace": "openshift-cloud-credential-operator"
}
{
  "name": "installer-cloud-credentials",
  "namespace": "openshift-image-registry"
}
{
  "name": "cloud-credentials",
  "namespace": "openshift-ingress-operator"
}
{
  "name": "aws-cloud-credentials",
  "namespace": "openshift-machine-api"
}
$ oc get credentialsrequest -n openshift-cloud-credential-operator cloud-credential-operator-s3 
Error from server (NotFound): credentialsrequests.cloudcredential.openshift.io "cloud-credential-operator-s3" not found

Comment 6 errata-xmlrpc 2021-02-01 15:24:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.15 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0235


Note You need to log in before you can comment on or make changes to this bug.