Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: 4.16.0
Affects Version/s: 4.15.0
Component/s: apiserver-auth
Labels:
- UpdateRecommendationsBlocked
- UpgradeBlocker

Severity:
Important
Regression:
Yes
Release Blocker:
Approved
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* Previously, the `ServiceAccounts` resource could not be used with OAuth clients for a cluster with the `ImageRegistry` capability enabled . With this release, this issue is fixed. (link:https://issues.redhat.com/browse/OCPBUGS-30319[*~~OCPBUGS-30319~~*])

Show
* Previously, the `ServiceAccounts` resource could not be used with OAuth clients for a cluster with the `ImageRegistry` capability enabled . With this release, this issue is fixed. (link: https://issues.redhat.com/browse/OCPBUGS-30319 [* OCPBUGS-30319 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.16.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:
PX Priority Data:

Description of problem:

    OAuth-Proxy breaks when it's using Service Account as an oauth-client as documented in https://docs.openshift.com/container-platform/4.15/authentication/using-service-accounts-as-oauth-client.html

Version-Release number of selected component (if applicable):

    4.15

How reproducible:

    100%

Steps to Reproduce:

    1. install an OCP cluster without the ImageRegistry capability
    2. deploy an oauth-proxy that uses an SA as its OAuth2 client
    3. try to login to the oauth-proxy using valid credentials

Actual results:

    The login fails, the oauth-server logs:

2024-02-05T13:30:56.059910994Z E0205 13:30:56.059873       1 osinserver.go:91] internal error: system:serviceaccount:my-namespace:my-sa has no tokens

Expected results:

    The login succeeds

Additional info:

is blocked by

AUTH-517 Impact statement request for OCPBUGS-30319 ServiceAccounts can no longer be used as OAuth2 clients

Closed

is cloned by

OCPBUGS-33210 [4.15.z] ServiceAccounts can no longer be used as OAuth2 clients

Closed

is depended on by

OCPBUGS-33210 [4.15.z] ServiceAccounts can no longer be used as OAuth2 clients

Closed

links to

openshift/library-go#1686: OCPBUGS-30319: oauthserviceaccountclient: expect that there might be no tokens associated with SA

openshift/oauth-apiserver#108: OCPBUGS-30319: Bump openshift/kubernetes-apiserver to openshift-apiserver-4.16-kubernetes-1.29.2

openshift/oauth-server#142: OCPBUGS-30319: Bump openshift/kubernetes-apiserver to openshift-apiserver-4.16-kubernetes-1.29.2

RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

(2 links to)

Assignee:: Ilias Rinis

Reporter:: Stanislav Láznička (Inactive)

QA Contact:: Deepak Punia (Inactive)

Votes:: 2 Vote for this issue

Watchers:: 17 Start watching this issue

Created:: 2024/03/06 1:55 PM

Updated:: 2024/06/27 11:42 AM

Resolved:: 2024/06/27 11:42 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates