OCPBUGS-1697

ArgoCD client mangles serviceaccount name field when sending credentials to oauth


Details

    • Bug
    • Resolution: Done
    • Normal
    • 4.8.z
    • 4.8.z
    • Documentation / GitOps
    • None
    • Moderate
    • devex docs #227 Nov 3-Nov 24, devex docs #228 Nov 24-Dec 15, devex docs #229 Dec 15-Jan 5
    • 3
    • False

    Description

      Description of problem:

      After upgrading 4.7 to 4.8.48, the argoCD client mangles the serviceaccount name field when sending credentials to oauth. This leads to oauth errors and argocd pod errors. The mangling is changing ':' to '%3A' very similar to how a URI generator converts a string to conform to a URL/URI. 
      
      When logging in, the customer developers get the error below:
      ~~~
      While logging in the Customer team was facing an issue again which prompts 'failed to get token: oauth2: cannot fetch token: 401 Unauthorized
      Response: {"error":"invalid_client","error_description":"Invalid client credentials."}'
      ~~~
      
      In the oauth pods, this is the error that we see:
      ~~~
      2022-09-25T15:06:57.988997895Z E0925 15:06:57.988942       1 access.go:177] osin: error=server_error, internal_error=&errors.errorString{s:"invalid resource name \"system%3Aserviceaccount%3Aopenshift-gitops%3Aargocd-cluster-argocd-dex-server\": [may not contain '%']"} get_client=error finding client
      2022-09-25T15:06:57.989076346Z E0925 15:06:57.989058       1 osinserver.go:108] internal error: invalid resource name "system%3Aserviceaccount%3Aopenshift-gitops%3Aargocd-cluster-argocd-dex-server": [may not contain '%']
      ~~~

      Version-Release number of selected component (if applicable):

      4.8.48

      How reproducible:

      n/a

      Steps to Reproduce:

      1. Unable to reproduce in-house. 
      2.
      3.
      

      Actual results:

      ArgoCD pods fail with errors. 

      Expected results:

       

      Additional info:

      The customer originally opened the case with support for the errors below:
      ~~~
      Failed to query provider "https://openshift-gitops-server-openshift-gitops.apps.example.com/api/dex": oidc: issuer did not match the issuer returned by provider, expected "https://openshift-gitops-server-openshift-gitops.apps.example.com/api/dex" got "https://argocd-cluster-server-openshift-gitops.apps.example.com/api/dex"
      ~~~
      There were two instances in the openshift-gitops namespace for argocd, namely 'openshift-gitops' and 'argocd-cluster'.
      
      According to KCS 'https://access.redhat.com/solutions/6790471' there should be only one instance in the namespace, and we tried deleting 'argocd-cluster' after taking a backup. As the Argo URL being used was that of the argo-cd cluster, we restored the instance for the argo-cd cluster and deleted the 'openshift-gitops' instance. We restarted the controller pods, and all the necessary configmaps and secrets have been recreated. The argocd URL was accessible now and the customer team was now prompted with a user login. That is where we ended up at the mangling of the name field.
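A triage helper for the oauth-server errors quoted above, added here as an example (it is not part of the original report or of any OpenShift tooling): it extracts rejected client names from log text, keeps those that are a percent-encoded `system:serviceaccount:<namespace>:<name>` identifier, and reports the decoded name with a hit count. The function name and the last sample line are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote

# Two oauth-server lines as quoted in the report (leading timestamp trimmed),
# plus one constructed control line (last) that is not percent-encoded.
SAMPLE_LOG = r'''
E0925 15:06:57.988942 1 access.go:177] osin: error=server_error, internal_error=&errors.errorString{s:"invalid resource name \"system%3Aserviceaccount%3Aopenshift-gitops%3Aargocd-cluster-argocd-dex-server\": [may not contain '%']"} get_client=error finding client
E0925 15:06:57.989058 1 osinserver.go:108] internal error: invalid resource name "system%3Aserviceaccount%3Aopenshift-gitops%3Aargocd-cluster-argocd-dex-server": [may not contain '%']
E0925 15:07:01.000000 1 osinserver.go:108] internal error: invalid resource name "Bad_Name": [constructed control line]
'''

# The name appears both with plain quotes and with backslash-escaped quotes.
RESOURCE_RE = re.compile(r'invalid resource name \\?"([^"\\]+)\\?"')
# Service account OAuth client identifier, as seen decoded in the report.
SA_RE = re.compile(r'^system:serviceaccount:([a-z0-9-]+):([a-z0-9.-]+)$')


def find_encoded_clients(log_text):
    """Map each rejected, percent-encoded client name to
    (decoded_name, namespace, serviceaccount, hit_count)."""
    findings = {}
    for line in log_text.splitlines():
        for raw in RESOURCE_RE.findall(line):
            decoded = unquote(raw)
            sa = SA_RE.match(decoded)
            # Flag only names that round-trip: re-encoding the decoded
            # identifier must reproduce exactly what the server rejected.
            if "%" in raw and sa and quote(decoded, safe="") == raw:
                hits = findings[raw][3] + 1 if raw in findings else 1
                findings[raw] = (decoded, sa.group(1), sa.group(2), hits)
    return findings


if __name__ == "__main__":
    for raw, (decoded, ns, name, hits) in find_encoded_clients(SAMPLE_LOG).items():
        print(f"{hits} rejection(s): {raw}")
        print(f"  decoded client: {decoded} (namespace={ns}, serviceaccount={name})")
```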
       

          People

            rhn-ecs-pkovar Petr Kovar (Inactive)
            rhn-support-emahoney Evan Mahoney