-
Bug
-
Resolution: Done-Errata
-
Normal
-
4.15
-
No
-
Hypershift Sprint 244
-
1
-
False
-
-
Release Note Not Required
-
In Progress
Description: If tokenConfig.accessTokenInactivityTimeout set to less than 300s, the accessTokenInactivityTimeout doesn't work in hosted cluster whereas in Management cluster, we get below error while trying to set the timeout < 300s :
spec.tokenConfig.accessTokenInactivityTimeout: Invalid value: v1.Duration{Duration:100000000000}: the minimum acceptable token timeout value is 300 seconds*
Steps to reproduce the issue:
1. Install a fresh 4.15 hypershift cluster 2. Configure accessTokenInactivityTimeout as below: $ oc edit hc -n clusters ... spec: configuration: oauth: identityProviders: ... tokenConfig: accessTokenInactivityTimeout: 100s ... 3. Wait for the oauth pods to redeploy and check the oauth cm for updated accessTokenInactivityTimeout value: $ oc get cm oauth-openshift -oyaml -n clusters-hypershift-ci-xxxxx ... tokenConfig: accessTokenInactivityTimeout: 1m40s ... 4. Login to guest cluster with testuser-1 and get the token $ oc login https://a889<...>:6443 -u testuser-1 -p xxxxxxx $ TOKEN=`oc whoami -t`
Actual result:
Wait for 100s and try login with the TOKEN $ oc login --token="$TOKEN" WARNING: Using insecure TLS client config. Setting this option is not supported! Logged into "https://a889<...>:6443" as "testuser-1" using the token provided. You don't have any projects. You can try to create a new project, by running oc new-project <projectname>
Expected result:
1. Login fails if the user is not active within the accessTokenInactivityTimeout seconds.
2. In Management cluster, we get below error when trying to set the timeout to less than 300s :
spec.tokenConfig.accessTokenInactivityTimeout: Invalid value: v1.Duration{Duration:100000000000}: the minimum acceptable token timeout value is 300 seconds*
Implement the same in hosted cluster.
- blocks
-
-
- Closed
-
- is cloned by
-
-
- Closed
-
- links to
-
RHEA-2023:7198
rpm
- mentioned on
(1 mentioned on)