OpenShift Bugs / OCPBUGS-30284

If not required to set the oauthMetadata, oc login can fail with: oidc discovery error: Get "https://:0/.well-known/openid-configuration": dial tcp :0: connect: connection refused


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Major
    • Affects Version/s: 4.15.z
    • Fix Version/s: 4.15.z, 4.16.0
    • Component/s: HyperShift
    • Severity: Critical
    • Sprint: Hypershift Sprint 250

      This is a clone of issue OCPBUGS-30124. The following is the description of the original issue:

      Description of problem:
      In https://issues.redhat.com/browse/OCPBUGS-28625?focusedId=24056681&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-24056681 , sjenning states "It is not required to set the oauthMetadata to enable external OIDC".

      Today, having a chance to try without setting oauthMetadata, I hit oc login failing with the error:

      $ oc login --exec-plugin=oc-oidc --client-id=$CLIENT_ID --client-secret=$CLIENT_SECRET_VALUE --extra-scopes=email --callback-port=8080
      error: oidc authenticator error: oidc discovery error: Get "https://:0/.well-known/openid-configuration": dial tcp :0: connect: connection refused
      error: oidc authenticator error: oidc discovery error: Get "https://:0/.well-known/openid-configuration": dial tcp :0: connect: connection refused
      Unable to connect to the server: getting credentials: exec: executable oc failed with exit code 1

      Console login can succeed, though.

      Note: OCM QE also encounters this when using the ocm CLI to test ROSA HCP external OIDC. Whether the fix belongs in oc or HCP, or anywhere else (as a tester I'm not sure, TBH), it is worth fixing, otherwise oc login is affected.

      Version-Release number of selected component (if applicable):

      [xxia@2024-03-01 21:03:30 CST my]$ oc version --client
      Client Version: 4.16.0-0.ci-2024-03-01-033249
      Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
      [xxia@2024-03-01 21:03:50 CST my]$ oc get clusterversion
      NAME      VERSION                         AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.16.0-0.ci-2024-02-29-213249   True        False         8h      Cluster version is 4.16.0-0.ci-2024-02-29-213249

      How reproducible:

      Always

      Steps to Reproduce:

      1. Launch fresh HCP cluster.
      
      2. Log in to https://entra.microsoft.com. Register an application and configure it properly.
      
      3. Prepare variables.
      HC_NAME=hypershift-ci-267920
      MGMT_KUBECONFIG=/home/xxia/my/env/xxia-hs416-2-267920-4.16/kubeconfig
      HOSTED_KUBECONFIG=/home/xxia/my/env/xxia-hs416-2-267920-4.16/hypershift-ci-267920.kubeconfig
      AUDIENCE=7686xxxxxx
      ISSUER_URL=https://login.microsoftonline.com/64dcxxxxxxxx/v2.0
      CLIENT_ID=7686xxxxxx
      CLIENT_SECRET_VALUE="xxxxxxxx"
      CLIENT_SECRET_NAME=console-secret
      
      4. Configure HC without oauthMetadata.
      [xxia@2024-03-01 20:29:21 CST my]$ oc create secret generic console-secret -n clusters --from-literal=clientSecret=$CLIENT_SECRET_VALUE --kubeconfig $MGMT_KUBECONFIG
      
      [xxia@2024-03-01 20:34:05 CST my]$ oc patch hc $HC_NAME -n clusters --kubeconfig $MGMT_KUBECONFIG --type=merge -p="
      spec:
        configuration: 
          authentication: 
            oauthMetadata:
              name: ''
            oidcProviders:
            - claimMappings:
                groups:
                  claim: groups
                  prefix: 'oidc-groups-test:'
                username:
                  claim: email
                  prefixPolicy: Prefix
                  prefix:
                    prefixString: 'oidc-user-test:'
              issuer:
                audiences:
                - $AUDIENCE
                issuerURL: $ISSUER_URL
              name: microsoft-entra-id
              oidcClients:
              - clientID: $CLIENT_ID
                clientSecret:
                  name: $CLIENT_SECRET_NAME
                componentName: console
                componentNamespace: openshift-console
            type: OIDC
      "
      
      Wait for the pods to be renewed:
      [xxia@2024-03-01 20:52:41 CST my]$ oc get po -n clusters-$HC_NAME --kubeconfig $MGMT_KUBECONFIG --sort-by metadata.creationTimestamp
      ...
      certified-operators-catalog-7ff9cffc8f-z5dlg          1/1     Running   0          5h44m
      kube-apiserver-6bd9f7ccbd-kqzm7                       5/5     Running   0          17m
      kube-apiserver-6bd9f7ccbd-p2fw7                       5/5     Running   0          15m
      kube-apiserver-6bd9f7ccbd-fmsgl                       5/5     Running   0          13m
      openshift-apiserver-7ffc9fd764-qgd4z                  3/3     Running   0          11m
      openshift-apiserver-7ffc9fd764-vh6x9                  3/3     Running   0          10m
      openshift-apiserver-7ffc9fd764-b7znk                  3/3     Running   0          10m
      konnectivity-agent-577944765c-qxq75                   1/1     Running   0          9m42s
      hosted-cluster-config-operator-695c5854c-dlzwh        1/1     Running   0          9m42s
      cluster-version-operator-7c99cf68cd-22k84             1/1     Running   0          9m42s
      konnectivity-agent-577944765c-kqfpq                   1/1     Running   0          9m40s
      konnectivity-agent-577944765c-7t5ds                   1/1     Running   0          9m37s
      
      5. Check console login and oc login.
      $ export KUBECONFIG=$HOSTED_KUBECONFIG
      $ curl -ksS $(oc whoami --show-server)/.well-known/oauth-authorization-server
      {
      "issuer": "https://:0",
      "authorization_endpoint": "https://:0/oauth/authorize",
      "token_endpoint": "https://:0/oauth/token",
      ...
      }
      Check console login: it succeeds, and the console's upper right correctly shows the user name oidc-user-test:xxia@redhat.com.
      
      Check oc login:
      $ rm -rf ~/.kube/cache/oc/
      $ oc login --exec-plugin=oc-oidc --client-id=$CLIENT_ID --client-secret=$CLIENT_SECRET_VALUE --extra-scopes=email --callback-port=8080
      error: oidc authenticator error: oidc discovery error: Get "https://:0/.well-known/openid-configuration": dial tcp :0: connect: connection refused
      error: oidc authenticator error: oidc discovery error: Get "https://:0/.well-known/openid-configuration": dial tcp :0: connect: connection refused
      Unable to connect to the server: getting credentials: exec: executable oc failed with exit code 1
      

      Actual results:

      Console login succeeds. oc login fails.

      Expected results:

      oc login should also succeed.

      Additional info:
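A preflight check for the symptom reported above, added here as an example that is not part of the bug report or of OpenShift's own code: it validates the document served at <api-server>/.well-known/oauth-authorization-server and flags the host-less "https://:0" issuer that oc's OIDC discovery then fails to dial. The sample documents and the expected issuer are constructed from the report's masked values; the Entra endpoint paths in the good sample are an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed samples, not captured from a cluster: BROKEN_METADATA mirrors what the
# report shows curl returning from the hosted API server; GOOD_METADATA is what it
# should serve once the external issuer is published (masked tenant id from the report).
EXPECTED_ISSUER = "https://login.microsoftonline.com/64dcxxxxxxxx/v2.0"
BROKEN_METADATA = json.dumps({
    "issuer": "https://:0",
    "authorization_endpoint": "https://:0/oauth/authorize",
    "token_endpoint": "https://:0/oauth/token",
})
GOOD_METADATA = json.dumps({
    "issuer": EXPECTED_ISSUER,
    "authorization_endpoint": "https://login.microsoftonline.com/64dcxxxxxxxx/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/64dcxxxxxxxx/oauth2/v2.0/token",
})

def url_problems(field, value):
    """Describe why one metadata URL would break OIDC discovery, if it would."""
    if not isinstance(value, str) or not value:
        return [f"{field}: missing or empty"]
    parsed, problems = urlparse(value), []
    if parsed.scheme != "https":
        problems.append(f"{field}: scheme {parsed.scheme!r} is not https")
    if not parsed.hostname:  # "https://:0" parses to an empty host
        problems.append(f"{field}: no host in {value!r}")
    try:
        if parsed.port == 0:  # the ":0" that oc tries to dial in the report
            problems.append(f"{field}: port 0 in {value!r}")
    except ValueError:  # non-numeric or out-of-range port
        problems.append(f"{field}: invalid port in {value!r}")
    return problems

def check_oauth_metadata(document, expected_issuer=None):
    """Validate the JSON from <api-server>/.well-known/oauth-authorization-server.
    Returns a list of problems; empty means `oc login --exec-plugin=oc-oidc`
    has a usable issuer to run discovery against."""
    try:
        meta = json.loads(document)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(meta, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    for field in ("issuer", "authorization_endpoint", "token_endpoint"):
        problems.extend(url_problems(field, meta.get(field)))
    if expected_issuer and meta.get("issuer") != expected_issuer:
        problems.append(f"issuer {meta.get('issuer')!r} != configured {expected_issuer!r}")
    return problems
```

Feed it the output of `curl -ksS $(oc whoami --show-server)/.well-known/oauth-authorization-server` and the ISSUER_URL configured in the HostedCluster; a non-empty result explains the oc login failure before any client-secret is sent anywhere.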

            People: Seth Jennings (sjenning), OpenShift Prow Bot (openshift-crt-jira-prow), Xingxing Xia