Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1972898

Summary: Cannot log in to prometheus UI (via delegated on-cluster oauth) on 4.8.0-fc.9
Product: OpenShift Container Platform Reporter: Clayton Coleman <ccoleman>
Component: oauth-apiserverAssignee: Standa Laznicka <slaznick>
Status: CLOSED DUPLICATE QA Contact: liyao
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 4.9CC: aos-bugs, mfojtik, surbania, wking
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-16 20:50:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Clayton Coleman 2021-06-16 20:20:44 UTC 
Tried to log into prometheus UI on build02.  Get a 500 internal server error.  Logs for the prometheus-proxy have:

2021/06/16 20:03:12 provider.go:587: Performing OAuth discovery against https://172.30.0.1/.well-known/oauth-authorization-server
2021/06/16 20:03:12 provider.go:627: 200 GET https://172.30.0.1/.well-known/oauth-authorization-server {
  "issuer": "https://oauth-openshift.apps.build02.gcp.ci.openshift.org",
  "authorization_endpoint": "https://oauth-openshift.apps.build02.gcp.ci.openshift.org/oauth/authorize",
  "token_endpoint": "https://oauth-openshift.apps.build02.gcp.ci.openshift.org/oauth/token",
  "scopes_supported": [
    "user:check-access",
    "user:full",
    "user:info",
    "user:list-projects",
    "user:list-scoped-projects"
  ],
  "response_types_supported": [
    "code",
    "token"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}
2021/06/16 20:03:12 oauthproxy.go:656: error redeeming code (client:10.129.40.5:43122): got 400 from "https://oauth-openshift.apps.build02.gcp.ci.openshift.org/oauth/token" {"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method."}
2021/06/16 20:03:12 oauthproxy.go:445: ErrorPage 500 Internal Error Internal Error


Looks like the client for on cluster oauth is broken.  Not being able to log into things on cluster with delegated auth is urgent blocker+ to me.
Comment 1 Clayton Coleman 2021-06-16 20:21:15 UTC 
https://prometheus-k8s-openshift-monitoring.apps.build02.gcp.ci.openshift.org/graph is what is failing
Comment 2 W. Trevor King 2021-06-16 20:25:24 UTC 
setting blocker+ to match "is urgent blocker+" from comment 0.
Comment 3 W. Trevor King 2021-06-16 20:50:14 UTC 

*** This bug has been marked as a duplicate of bug 1970828 ***