Description of problem:
Starting with 4.9, it is possible to configure the OpenShift oauth-server to use a user-custom certificate. During user login, the web console needs to communicate directly with the oauth-server in order to be able to retrieve an access token for the user.

Version-Release number of selected component (if applicable):
4.9

How reproducible:
100%

Steps to Reproduce:
1. Create a wildcard or an oauth-server's hostname-specific certificate and store it in a secret.
2. Configure the ingress.config such that it contains this custom route setting:

  componentRoutes:
  - hostname: <the original oauth-server's hostname>
    name: oauth-openshift
    namespace: openshift-authentication
    servingCertKeyPairSecret:
      name: <custom-oauth-cert>

3. Wait for the authentication operator to pick up the changes and start all the oauth-servers with the new certificate.
4. Attempt to log in to OpenShift with an IdP of your choice.

Actual results:
The login fails.

Expected results:
I'm able to log in to OpenShift and use the web console.

Additional info:
The authentication operator now publishes the cert chain used in the oauth-server in the openshift-config-managed/oauth-serving-cert config map. The console should trust the certificate in its .data["ca-bundle.crt"] field.
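The following is an added example, not code from this bug report or from the console-operator itself. It shows the trust check the "Additional info" above asks the console to perform: take the PEM bundle that would come from the ca-bundle.crt key of the openshift-config-managed/oauth-serving-cert config map, put it in a dedicated root pool, and verify the oauth-server's serving certificate against it for the route hostname. To run offline it generates its own private CA and serving certificate instead of reading them from a cluster; the hostname oauth-openshift.apps.example.com and the function names are assumptions made for the example. The "without the bundle" case reproduces the "x509: certificate signed by unknown authority" failure discussed later in this bug.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OAuthHost is an assumed oauth-server route hostname for this example.
const OAuthHost = "oauth-openshift.apps.example.com"

// newCert issues a certificate for tmpl signed by parent; when parent is nil the
// certificate is self-signed with its own freshly generated key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}

func parseCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// BuildExamplePKI creates a constructed private CA and an oauth-server serving
// certificate signed by it. The CA PEM stands in for the contents of
// .data["ca-bundle.crt"] in openshift-config-managed/oauth-serving-cert.
func BuildExamplePKI() (caBundlePEM, servingPEM []byte, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example custom oauth CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caBundlePEM, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := parseCert(caBundlePEM) // parsed copy carries the SubjectKeyId
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: OAuthHost},
		DNSNames:     []string{OAuthHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	servingPEM, _, err = newCert(leafTmpl, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	return caBundlePEM, servingPEM, nil
}

// VerifyServingCert checks the oauth-server serving certificate against the
// trust bundle the console would read from the config map, for the given route
// hostname. The bundle goes into its own pool (never the system pool) so that a
// console that has not picked up the custom CA fails loudly instead of passing.
func VerifyServingCert(servingPEM, caBundlePEM []byte, host string) error {
	leaf, err := parseCert(servingPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caBundlePEM) // an empty bundle leaves the pool empty
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown
// authority" failure, i.e. the bundle did not contain the issuing CA.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	caBundle, serving, err := BuildExamplePKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusting ca-bundle.crt:", VerifyServingCert(serving, caBundle, OAuthHost))
	err = VerifyServingCert(serving, nil, OAuthHost)
	fmt.Printf("without the bundle: %v (unknown authority: %t)\n", err, IsUnknownAuthority(err))
}
```

The same check with the console's own route hostname in place of the oauth-server's fails with a hostname mismatch, which is why the bundle is only relevant to the oauth route and the console route check is a separate matter.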
*** Bug 1991603 has been marked as a duplicate of this bug. ***
*** Bug 1991346 has been marked as a duplicate of this bug. ***
Fix is open, however it is blocked by test flakes. Investigating.
Hi @yapei! Thanks for testing this. The console route health condition you are seeing is expected when using a self-signed certificate that OCP is not aware of (hence the "x509: certificate signed by unknown authority" error). The console will continue to function as expected even with these failed checks. The condition is calling out a potential problem with the certificate configuration and that the console-operator may face issues. If we remove these checks, it will not be clear that a self-signed certificate is being used. Let me know if you have any additional questions!
Li Yao, could you double test / check (maybe with Dev)? Should it be normal to see any (here, 'console') operator with Available=False no matter what the reason? Sounds very strange. Thx
> The console route health condition you are seeing is expected when using a self signed certificate that OCP is not aware of (hence the "x509: certificate signed by unknown authority" error)

That's wrong; the status of a healthy operator with a healthy deployment can never be False;False;False. Besides, the configuration Yadan Pei changed only involves the certificate of the oauth-server; the route check for the console should still be passing. Devs must investigate, this looks like a bug in the console-operator.
With the new fixes in console-operator#582, the console operator now reports the correct Available status when customized certs are being used for the oauth route, and console-operator is no longer reporting the "x509: certificate signed by unknown authority" error.

All steps are the same as in comment 7.

$ oc get co | grep -e authentication -e console
authentication   4.9.0-0.nightly-2021-09-05-192114   True   False   False   112m
console          4.9.0-0.nightly-2021-09-05-192114   True   False   False   117m

Moving to VERIFIED
*** Bug 2003718 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days