- Bug
- Resolution: Unresolved
- Undefined
- None
- 4.15.0, 4.16.0
- None
- Moderate
- No
- Rejected
- False
Description of problem:
kube-apiserver should wire the authentication/cluster .spec.oidcProviders configuration instead of still needing the apiServerArguments oidc flags to be set via the unofficial unsupportedConfigOverrides.

Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.16.0-0.nightly-2024-01-24-031529
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: 4.16.0-0.nightly-2024-01-23-185225
Kubernetes Version: v1.29.1+0e0d15b

How reproducible:
Always

Steps to Reproduce:
1. Enable the BYO auth feature in the OCP env:
   $ oc patch featuregate cluster --type=merge -p='{"spec":{"featureSet":"TechPreviewNoUpgrade"}}'
2. Create BYO OIDC with Keycloak:
   $ oc new-project keycloak
   $ oc process -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/openshift/keycloak.yaml \
       -p KEYCLOAK_ADMIN=admin \
       -p KEYCLOAK_ADMIN_PASSWORD=admin \
       -p NAMESPACE=keycloak \
       | oc create -f -
   $ KEYCLOAK_HOST=https://$(oc get route keycloak --template='{{ .spec.host }}')
   $ echo $KEYCLOAK_HOST
   https://keycloak-keycloak.apps....
3. Visit the $KEYCLOAK_HOST/admin page, create the client "openshift-test-aud", set its "Valid redirect URIs" to http://localhost:8080/, and create a user xxia and set a password.
4. Create the OAuth metadata and issuer CA configmaps:
   $ curl -sSk "$KEYCLOAK_HOST/realms/master/.well-known/openid-configuration" > oauthMetadata
   $ oc create configmap oauth-meta --from-file ./oauthMetadata -n openshift-config
   configmap/oauth-meta created
   $ mkdir -p router-ca
   $ oc extract secret/router-ca -n openshift-ingress-operator --to router-ca --confirm
   $ oc create configmap keycloak-oidc-ca --from-file=ca.crt=router-ca/tls.crt -n openshift-config
5. Configure BYO auth:
   $ oc patch authentication.config cluster --type=merge -p="
   spec:
     oauthMetadata:
       name: oauth-meta
     oidcProviders:
     - claimMappings:
         groups:
           claim: groups
           prefix: ''
         username:
           claim: email
           prefixPolicy: ''
       issuer:
         audiences:
         - openshift-test-aud
         issuerCertificateAuthority:
           name: keycloak-oidc-ca
         issuerURL: $KEYCLOAK_HOST/realms/master
       name: keycloak-oidc-test
     type: OIDC
     webhookTokenAuthenticator: null
   "
   authentication.config.openshift.io/cluster patched
6. Wait about 15 mins for the KAS pods to restart and become Running.
7. Then run:
   $ oc login --exec-plugin=oc-oidc --client-id=openshift-test-aud --extra-scopes=email,profile --callback-port=8080 --insecure-skip-tls-verify
   It outputs:
   Please visit the following URL in your browser: http://localhost:8080
8. Open http://localhost:8080 in a browser; it redirects to the Keycloak page. Enter the user and password successfully.

Actual results:
After step 8, sometimes it shows "Authorized" and "You can close the window", but sometimes the successful login page closes automatically. And then step 7 outputs:
[xxia@2024-01-24 21:56:11 CST external-oidc-test]$ oc login --exec-plugin=oc-oidc --client-id=openshift-test-aud --extra-scopes=email,profile --callback-port=8080 --insecure-skip-tls-verify
Please visit the following URL in your browser: http://localhost:8080
Login failed (401 Unauthorized)
Verify you have provided the correct credentials.
[xxia@2024-01-24 21:56:55 CST external-oidc-test]$

After checking the KAS pod logs, I found the following; not sure if it is related:
2024-01-24T13:56:50.597541541Z E0124 13:56:50.597447 16 authentication.go:73] "Unable to authenticate the request" err="invalid bearer token"

But when I checked the id_token, it seems good:
$ cat ~/.kube/cache/oc/dae0561683bc... | jq -r '.id_token' | jq -R 'split(".") | .[] | @base64d | fromjson'
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "..."
}
{
  "exp": 1706104669,
  "iat": 1706104609,
  "auth_time": 1706104609,
  "jti": "f3656618-7a2d-4658-9116-02db65c8fd43",
  "iss": "https://keycloak-keycloak.apps..../realms/master",
  "aud": "openshift-test-aud",
  "sub": "2f2ba6a8-e73f-4e31-babe-fb46c5b609ea",
  "typ": "ID",
  "azp": "openshift-test-aud",
  "nonce": "Wqdhigi6PSbJyCEHLqlP7p3l62IdOnS93EAw95AxP4M",
  "session_state": "0e3a1f6a-4363-4a75-a037-286f03c009ff",
  "at_hash": "WJTuBmdeTDLW-QS_5FJHyQ",
  "acr": "1",
  "sid": "0e3a1f6a-4363-4a75-a037-286f03c009ff",
  "email_verified": false,
  "name": "Xingxing Xia",
  "preferred_username": "xxia",
  "given_name": "Xingxing",
  "family_name": "Xia",
  "email": "xxia@redhat.com"
}

Only after manually setting the apiServerArguments oidc flags via the unofficial unsupportedConfigOverrides could step 7 succeed without error, with the detailed steps below:
$ oc patch cm -n openshift-config-managed default-ingress-cert -p '{"metadata":{"namespace":"openshift-config"}}' --dry-run=client -o yaml | oc apply -f -
$ oc patch proxy cluster -p '{"spec":{"trustedCA":{"name":"default-ingress-cert"}}}' --type=merge
$ oc patch kubeapiserver/cluster --type=merge -p="
spec:
  unsupportedConfigOverrides:
    apiServerArguments:
      oidc-ca-file:
      - /etc/kubernetes/static-pod-certs/configmaps/trusted-ca-bundle/ca-bundle.crt
      oidc-client-id:
      - openshift-test-aud
      oidc-issuer-url:
      - $KEYCLOAK_HOST/realms/master
"
Wait 15 mins for the KAS restart, then repeat step 7:
$ oc login --exec-plugin=oc-oidc --client-id=openshift-test-aud --extra-scopes=email,profile --callback-port=8080 --insecure-skip-tls-verify
Please visit the following URL in your browser: http://localhost:8080
Logged into "https://api....:6443" as "https://keycloak-keycloak.apps..../realms/master#2f2ba6a8-e73f-4e31-babe-fb46c5b609ea" from an external oidc issuer.
You don't have any projects. Contact your system administrator to request a project.

But given that authentication/cluster .spec.oidcProviders already sets the oidc flags, why does kube-apiserver not pick up the setting?

Expected results:
After step 8, it should always show "Authorized" and "You can close the window"; the successful login page should not sometimes close automatically. And kube-apiserver should automatically pick up authentication/cluster .spec.oidcProviders so that the step 7 login succeeds, without the need to manually set the oidc flags again via the unofficial unsupportedConfigOverrides.
Additional info:
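The report decodes the cached id_token with jq and eyeballs the claims against the oidcProviders entry. The following is an added example (not part of the report, and not OpenShift or Keycloak code) that does the same comparison mechanically: it splits a compact JWT without verifying its signature, exactly as the jq pipeline does, and checks iss, aud, exp and the configured username/groups claims against a provider entry shaped like the one in step 5. The issuer host, the sub value and the e-mail are placeholders, and the helper that builds an alg=none token exists only so the script runs offline. It deliberately does not replace the API server's own checks: the signature against the issuer's JWKS and the CA chain to the issuer are still verified by kube-apiserver, which is why a token can look "good" here and still be rejected with "invalid bearer token" if the server was never wired to this issuer.

```python
import base64
import json
import time

# Constructed provider config, shaped like the authentication.config/cluster
# .spec.oidcProviders[0] entry in the report; the issuer host is a placeholder.
PROVIDER = {
    "name": "keycloak-oidc-test",
    "issuer": {
        "issuerURL": "https://keycloak.example.invalid/realms/master",
        "audiences": ["openshift-test-aud"],
    },
    "claimMappings": {
        "username": {"claim": "email", "prefixPolicy": ""},
        "groups": {"claim": "groups", "prefix": ""},
    },
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build an alg=none compact JWT for offline testing only (no signature)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


def decode_jwt_unverified(token: str):
    """Return (header, claims); like the report's jq pipeline, no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])))


def check_claims_against_provider(claims: dict, provider: dict, now=None) -> dict:
    """Compare token claims with what the provider entry requires.

    Returns {"problems": [...], "notes": [...]}. An empty problems list means the
    claims are consistent with the config; signature and CA chain are not covered.
    """
    now = time.time() if now is None else now
    problems, notes = [], []
    issuer = provider["issuer"]

    if claims.get("iss") != issuer["issuerURL"]:
        problems.append(f"iss mismatch: token={claims.get('iss')!r} "
                        f"expected={issuer['issuerURL']!r}")

    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be str or list
    if not set(aud_list) & set(issuer["audiences"]):
        problems.append(f"aud {aud_list!r} has none of {issuer['audiences']!r}")

    exp = claims.get("exp")
    if exp is None:
        problems.append("missing exp claim")
    elif exp <= now:
        problems.append(f"token expired at exp={exp} (now={int(now)})")

    username_claim = provider["claimMappings"]["username"]["claim"]
    if not claims.get(username_claim):
        problems.append(f"username claim {username_claim!r} missing or empty")

    groups_claim = provider["claimMappings"].get("groups", {}).get("claim")
    if groups_claim and groups_claim not in claims:
        notes.append(f"groups claim {groups_claim!r} absent; user maps to no groups")

    return {"problems": problems, "notes": notes}


# Constructed token mirroring the claim set shown in the report (values changed).
SAMPLE_CLAIMS = {
    "exp": 1706104669, "iat": 1706104609,
    "iss": "https://keycloak.example.invalid/realms/master",
    "aud": "openshift-test-aud", "azp": "openshift-test-aud",
    "sub": "00000000-0000-4000-8000-000000000000", "typ": "ID",
    "preferred_username": "xxia", "email": "xxia@example.invalid",
}
SAMPLE_TOKEN = make_unsigned_jwt(SAMPLE_CLAIMS)

if __name__ == "__main__":
    _, claims = decode_jwt_unverified(SAMPLE_TOKEN)
    result = check_claims_against_provider(claims, PROVIDER, now=1706104610)
    print(json.dumps(result, indent=2))
```

To use it on a real cached token, feed the id_token string from ~/.kube/cache/oc/... to decode_jwt_unverified and the live .spec.oidcProviders[0] object (oc get authentication.config cluster -o json) as the provider. Note that the sample token in the report carries no groups claim, so the groups mapping in the provider entry yields an empty group list; that is reported as a note rather than a problem because it does not by itself cause a 401.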