Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-2761

'Log In Via Openshift' does not work after upgrading to 1.8.0

XMLWordPrintable

    • 5
    • False
    • None
    • False
    • Hide
      Before this update, when you configured Dex using the `.spec.dex` parameter and tried to log in to the Argo CD UI by using Log In Via Openshift, you were not able to log in. This update fixes the issue.

      IMPORTANT: In Red Hat Openshift GitOps v1.9, configuring Dex using the `spec.dex` parameter in the ArgoCD CR is planned to be deprecated. Consider using the `.spec.sso` parameter instead. See "Enabling or disabling Dex using .spec.sso".
      Show
      Before this update, when you configured Dex using the `.spec.dex` parameter and tried to log in to the Argo CD UI by using Log In Via Openshift, you were not able to log in. This update fixes the issue. IMPORTANT: In Red Hat Openshift GitOps v1.9, configuring Dex using the `spec.dex` parameter in the ArgoCD CR is planned to be deprecated. Consider using the `.spec.sso` parameter instead. See "Enabling or disabling Dex using .spec.sso".
    • GITOPS Sprint 234

      Description of problem:

      After upgrading to 1.8.0, 'Log In Via Openshift' does not work for users coming from older version of GitOps 

      This is happening because of the incorrect configuration for dex in ArgoCD CR (.spec.dex instead of .spec.sso). Customers coming from lower version of operator who have not switched to new configuration for dex  seem to have faced this issue

      With v1.8, we added a fix for https://issues.redhat.com/browse/GITOPS-2570  which is looking for new dex configuration. As we are supporting the old configuration until 1.9 is out, we need to fix this in upcoming releases.

       

      Workaround: 

      Customers who are facing this issue can update their dex configuration from .spec.dex to .spec.sso

       

      spec:
        sso:
          provider: dex
          dex:
            ...

      Prerequisites (if any, like setup, operators/versions):

      The operator installed should be upgraded from operator version < 1.6.0

      Steps to Reproduce

      1. Get the URL for ArgoCD Ui by either navigating to Networking > Routes in the namespace of your ArgoCD instance or using the console application launcher 
      2. Try to Log in Via Openshift 

      Actual results:

      openshift-gitops-server pod logs:

       

      time="2023-03-17T17:27:11Z" level=info msg="Initializing OIDC provider (issuer: https://openshift-gitops-server-openshift-gitops.apps.testpsi411c.ocp-gitops-qe.com/api/dex)"123time="2023-03-17T17:27:11Z" level=info msg="OIDC supported scopes: [openid email groups profile offline_access]"124time="2023-03-17T17:27:11Z" level=warning msg="Failed to verify token: failed to verify token: oidc: expected audience \"argo-cd-cli\" got [\"argo-cd\"]"125time="2023-03-17T17:27:11Z" level=info msg="received unary call /version.VersionService/Version" grpc.method=Version grpc.request.content= grpc.service=version.VersionService grpc.start_time="2023-03-17T17:27:11Z" span.kind=server system=grpc126time="2023-03-17T17:27:11Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Version grpc.service=version.VersionService grpc.start_time="2023-03-17T17:27:11Z" grpc.time_ms=14.654 span.kind=server system=grpc 

       

      openshift-gitops-dex-server pod logs:

      time="2023-03-17T17:28:10Z" level=error msg="Failed to authenticate: oidc: failed to get token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"unauthorized_client\",\"error_description\":\"The client is not authorized to request a token using this method.\"}\n 

       

      Screenshot attached

      Expected results:

      Log In Via Openshift should let you log into the ArgoCD UI

      Reproducibility (Always/Intermittent/Only Once):

      With old dex configuration, Always

      Acceptance Criteria

      1. Bring the PR from upstream to Midstream.
      2. Validate this is working fine, so the customer below 1.6 should be able to login without issues.{}
      3. Manual testing is required to verify this.
      4. Check if we already plan for automating a test for this or if it's even possible to automate such as test, and create a new Jira story for that in the future.
      5. Send to release notes as they are required.

      DoD

      1. Make sure the final build that reaches the customer includes the fix
      2. Verify the documentation for the customer is in place.
      3. Release Notes required.

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

       

              rhn-support-vab Varsha B
              rhn-support-vab Varsha B
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: