Hide Forgot
Description of problem: We upgraded our cluster to 4.10.0-rc.1, this morning. Post-upgrade, folks have complained about getting stuck in an infinite redirect loop and unable to log into the cluster. Version-Release number of selected component (if applicable): 4.10.0-rc.1 How reproducible: Unknown Steps to Reproduce: 1. Cluster was initially running 4.9.19 2. Login to web console and leave connection open 3. Initiate an upgrade to 4.10.0-rc.1 4. Post-upgrade, return to web console, log out 5. Attempt to login Actual results: User keeps getting redirected back to the IDP Provider login screen Expected results: User should be able to login to the web console
Could reproduce this issue. Steps to reproduce: 1. Launch 4.9.19 cluster. Login web console, keep console page open. 2. Upgrade to 4.10.0-rc.1. [root@MiWiFi-R1CM ~]# oc get clusterversions.config.openshift.io version NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.10.0-rc.1 True False 2m16s Cluster version is 4.10.0-rc.1 3. Go back on console page, logout, and try login again, could not login successfully, the page always redirect in auth loop(url is <console>/error?error=invalid_state&error_type=auth). Check console pod logs: [root@MiWiFi-R1CM ~]# oc logs console-6dcc484766-llklk -n openshift-console W0209 07:47:29.207445 1 main.go:212] Flag inactivity-timeout is set to less then 300 seconds and will be ignored! I0209 07:47:29.207860 1 main.go:342] cookies are secure! E0209 07:47:34.452054 1 auth.go:232] error contacting auth provider (retrying in 10s): Get "https://kubernetes.default.svc/.well-known/oauth-authorization-server": context deadline exceeded (Client.Timeout exceeded while awaiting headers) I0209 07:47:44.479196 1 main.go:766] Binding to [::]:8443... I0209 07:47:44.479226 1 main.go:768] using TLS E0209 08:06:38.639592 1 auth.go:377] state in url does not match State cookie E0209 08:08:29.246487 1 auth.go:377] state in url does not match State cookie E0209 08:09:33.499223 1 auth.go:377] state in url does not match State cookie E0209 08:11:09.797095 1 auth.go:377] state in url does not match State cookie E0209 08:11:21.765905 1 auth.go:377] state in url does not match State cookie E0209 08:11:32.214733 1 auth.go:377] state in url does not match State cookie E0209 08:11:42.850703 1 auth.go:377] state in url does not match State cookie E0209 08:11:53.525761 1 auth.go:377] state in url does not match State cookie E0209 08:12:05.074924 1 auth.go:377] state in url does not match State cookie E0209 08:12:17.508334 1 auth.go:377] state in url does not match State cookie E0209 08:12:28.424593 1 auth.go:377] state in url does not match State cookie E0209 08:12:40.598219 1 auth.go:377] state in url does not match State cookie E0209 08:12:51.919708 1 auth.go:377] state in url does not match State cookie E0209 08:13:03.526585 1 auth.go:377] state in url does not match State cookie E0209 08:13:15.056684 1 auth.go:377] state in url does not match State cookie E0209 08:13:26.318823 1 auth.go:377] state in url does not match State cookie E0209 08:13:45.582149 1 auth.go:377] state in url does not match State cookie 4. Clear browser cookies, try to login console, could login now.
Steps to verify: 1. Launch on 4.10 cluster with payload 4.10.0-0.nightly-2022-02-09-111355. 2. Login web console, keep console page open. 2. Upgrade the cluster to 4.11.0-0.nightly-2022-02-10-031822 3. Go back on console page, logout, and try login again, could login successfully now.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069