Bug 1997906 - htpasswd provider for auth is not working as expected and give 401 error when user try to login
Summary: htpasswd provider for auth is not working as expected and give 401 error when...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.8
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 4.8.z
Assignee: Standa Laznicka
QA Contact: liyao
URL:
Whiteboard:
: 2010502 (view as bug list)
Depends On: 1978193
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-08-26 03:13 UTC by OpenShift BugZilla Robot
Modified: 2021-10-27 08:15 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-27 08:15:28 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-authentication-operator pull 494 0 None open [release-4.8] Bug 1997906: csr request: use generate names to prevent getting stuck waiting for a cert 2021-10-05 08:14:19 UTC
Github openshift library-go pull 1190 0 None None None 2021-08-26 03:13:33 UTC
Red Hat Product Errata RHBA-2021:3927 0 None None None 2021-10-27 08:15:53 UTC

Comment 2 Standa Laznicka 2021-10-05 07:36:07 UTC
*** Bug 2010502 has been marked as a duplicate of this bug. ***

Comment 3 Standa Laznicka 2021-10-05 08:24:00 UTC
Raising priority since this seems to be causing trouble in a CI/CD pipepline as noted in https://bugzilla.redhat.com/show_bug.cgi?id=2010502

Comment 4 Gurney Buchanan 2021-10-15 15:43:08 UTC
Any news on this issue?  It appears we may have a customer hitting this issue (I can provide details if you'd like)!

Comment 7 liyao 2021-10-19 09:30:23 UTC
Follow the steps in Comment 0 and use 4.8.0-0.nightly-2021-10-18-115810 to do the verification
1. delete secret openshift-authenticator-certs
$ oc delete secret -n openshift-oauth-apiserver openshift-authenticator-certs
secret "openshift-authenticator-certs" deleted

2. check whether new created csr is using generateName with random suffix rather than previous fixed name 'system:openshift:openshift-authenticator'  
$ oc get csr
NAME                                             AGE   SIGNERNAME                            REQUESTOR                                                                         REQUESTEDDURATION   CONDITION
...
system:openshift:openshift-authenticator-s8mgr   8s    kubernetes.io/kube-apiserver-client           system:serviceaccount:openshift-authentication-operator:authentication-operator   Approved,Issued


3. check labels 'authentication.openshift.io/csr: openshift-authenticator' is added to the new csr
$ oc get csr system:openshift:openshift-authenticator-s8mgr -o yaml | grep -A5 -B5 'labels'
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2021-10-19T08:49:21Z"
  generateName: system:openshift:openshift-authenticator-
  labels:
    authentication.openshift.io/csr: openshift-authenticator
  name: system:openshift:openshift-authenticator-s8mgr
  resourceVersion: "39133"
  uid: 619c5a1f-b389-4fba-bad6-e81ce19f6f2a
spec:


4. delete secret openshift-authenticator-certs again
$ oc delete secret -n openshift-oauth-apiserver openshift-authenticator-certs
secret "openshift-authenticator-certs" deleted

5. check whether new created csr is using different random suffix from the previous one
$ oc get csr
NAME                                             AGE   SIGNERNAME                            REQUESTOR                                                                         REQUESTEDDURATION   CONDITION
...
system:openshift:openshift-authenticator-s8mgr   2m21s   kubernetes.io/kube-apiserver-client           system:serviceaccount:openshift-authentication-operator:authentication-operator   Approved,Issued
system:openshift:openshift-authenticator-sm9kq   14s     kubernetes.io/kube-apiserver-client           system:serviceaccount:openshift-authentication-operator:authentication-operator   Approved,Issued


6. check whether there are errors in authentication-operator pod logs, no error like in Comment 0 appears, which is expected with the fix
$ oc logs <pod-name> -n openshift-authentication-operator

Comment 10 errata-xmlrpc 2021-10-27 08:15:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.8.17 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3927


Note You need to log in before you can comment on or make changes to this bug.