Description of problem:
Users can now configure their custom certificates for the oauth-server's route. Since the oauth-proxy needs to communicate with the oauth-server directly, it would not trust such a certificate and the OAuth token request flow would fail, resulting in failed login.

Make the oauth-proxy trust the oauth-server's certificate that's to be found in the 'openshift-config-managed/oauth-serving-cert' ConfigMap.

Version-Release number of selected component (if applicable):
4.9

How reproducible:
100%

Steps to Reproduce:
1. configure a custom certificate for the oauth-openshift route by setting the ingress.config/cluster's `componentRoutes` field appropriately
2. wait for the authentication operator to roll out the changes
3. attempt to log in as a valid openshift user to one of the openshift-monitoring services wrapped by the oauth-proxy

Actual results:
the login fails with 500

Expected results:
the login succeeds

Additional info:
Tested in fresh env 4.9.0-0.nightly-2021-08-04-131508. Following the OCP-43036 test steps, oc login fails in step 4:
$ oc login -u testuser-0 -p xxxx
error: x509: certificate signed by unknown authority
Please READ the bug's description part, this bug does NOT talk about oc login. Rather, it TALKS about login to https://<route_host> consoles under openshift-monitoring (e.g. Prometheus UI checkpoint of your case):
$ oc get route -n openshift-monitoring
...snipped...

For comment 2, you need to append the custom CA cert (not the server cert) to the original admin kubeconfig certificate authority field, then try oc login; please HAVE a test. Then OPEN a new Documentation bug to document this way for users when using this custom feature.
*** Bug 1991604 has been marked as a duplicate of this bug. ***
Tested in fresh cluster 4.9.0-0.nightly-2021-08-14-065522
1. generate a custom CA cert and a signed server cert
2. create a secret in openshift-config using the generated server cert
3. append the custom CA cert to the original admin kubeconfig certificate authority field
4. configure the ingress.config to contain custom route settings
$ oc edit ingresses.config.openshift.io cluster
spec:
  domain: <cluster domain name>
  componentRoutes:
  - name: oauth-openshift
    namespace: openshift-authentication
    hostname: <custom-oauth-server-hostname>
    servingCertKeyPairSecret:
      name: <custom-oauth-secret>
5. wait for the authentication operator to pick up the changes
6. check login to the openshift-monitoring services; the actual result is as expected and login succeeds
$ oc get route -n openshift-monitoring
Hello, does OCP 4.8 support a customized oauth url with certificate?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:3759