Bug
Resolution: Unresolved
premerge
Quality / Stability / Reliability
Important
Description of problem:
Launched HCP clusters with an image containing the code in PRs: https://github.com/openshift/console/pull/13530
https://github.com/openshift/console-operator/pull/840
Configured external OIDC with Azure Entra ID; after patching the OIDC configuration into the hosted cluster, the OIDC configuration is not copied to the hosted cluster's authentication.
Version-Release number of selected component (if applicable):
https://github.com/openshift/console/pull/13530
https://github.com/openshift/console-operator/pull/840
How reproducible:
Always
Steps to Reproduce:
1. Launched HCP clusters with an image containing the code in PRs: https://github.com/openshift/console/pull/13530
https://github.com/openshift/console-operator/pull/840
2. Configure external OIDC with Azure Entra ID (refer to case [OCP-71561|https://polarion.engineering.redhat.com/polarion/redirect/project/OSE/workitem?id=OCP-71561]), then patch the OIDC configuration into the hosted cluster with the command:
{code:java}
$ oc patch hc $HC_NAME -n clusters --kubeconfig $MGMT_KUBECONFIG --type=merge -p="
spec:
  configuration:
    authentication:
      oidcProviders:
      - claimMappings:
          groups:
            claim: groups
            prefix: 'oidc-groups-test:'
          username:
            claim: email
            prefixPolicy: Prefix
            prefix:
              prefixString: 'oidc-user-test:'
        issuer:
          audiences:
          - $AUDIENCE_1
          - $AUDIENCE_2
          issuerURL: $ISSUER_URL
        name: microsoft-entra-id
        oidcClients:
        - clientID: $CONSOLE_CLIENT_ID
          clientSecret:
            name: $CONSOLE_CLIENT_SECRET_NAME
          componentName: console
          componentNamespace: openshift-console
      type: OIDC
"
{code}
Check hosted cluster's authentication:
{code:none}
$ oc get authentication cluster -o yaml
{code}
3.
Actual results:
2. The configuration in the hc cluster is not copied to the hosted cluster's authentication:
{code:none}
$ oc get hc $HC_NAME -n clusters --kubeconfig mgmt_kubeconfig -ojsonpath={.spec.configuration.authentication}
{"oidcProviders":[{"claimMappings":{"groups":{"claim":"groups","prefix":"oidc-groups-test:"},"username":{"claim":"email","prefix":{"prefixString":"oidc-user-test:"},"prefixPolicy":"Prefix"}},"issuer":{"audiences":["d1abb76d-bf4d-4c22-8f0d-c1a6db1eab13","2586d4b4-e81f-4bc0-9166-7f76e7a9cf53"],"issuerURL":"https://login.microsoftonline.com/64dc69e4-d083-49fc-9569-ebece1dd1408/v2.0"},"name":"microsoft-entra-id","oidcClients":[{"clientID":"d1abb76d-bf4d-4c22-8f0d-c1a6db1eab13","clientSecret":{"name":"console-secret"},"componentName":"console","componentNamespace":"openshift-console"}]}],"type":"OIDC"}
$ oc get authentication cluster --kubeconfig hosted_kubeconfig -oyaml
apiVersion: config.openshift.io/v1
kind: Authentication
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2024-04-15T13:04:54Z"
  generation: 2
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: d580eb2f-7bfd-4382-9bc6-bb1f0d6f4c68
  resourceVersion: "1478"
  uid: c83b2447-a780-417f-a4bf-32d11ad98568
spec:
  oauthMetadata:
    name: ""
  serviceAccountIssuer: https://aos-hypershift-ci-oidc-276725.s3.us-east-2.amazonaws.com/hypershift-ci-276725
  type: ""
{code}
Expected results:
2. There should be an external OIDC configuration in the hosted cluster's authentication.
$ oc get authentication cluster --kubeconfig hosted_kubeconfig -oyaml
Additional info:
- account is impacted by CONSOLE-3902 Provide login command for console users (Closed)
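A check for the symptom reported above, as an added example (not code from the report or from the OpenShift projects): it compares the HostedCluster's `spec.configuration.authentication` with the hosted cluster's Authentication `spec`, both given as JSON. The function names, the choice of compared fields and the sample documents are assumptions made here.

```python
# Added example: field names follow the JSON shown in this report; the sample
# documents below are constructed placeholders, not values from a real cluster.
import json

HC_AUTH = json.loads("""{
  "type": "OIDC",
  "oidcProviders": [{
    "name": "microsoft-entra-id",
    "issuer": {"issuerURL": "https://issuer.example/v2.0",
               "audiences": ["aud-1", "aud-2"]},
    "oidcClients": [{"clientID": "aud-1", "componentName": "console",
                     "componentNamespace": "openshift-console",
                     "clientSecret": {"name": "console-secret"}}]
  }]
}""")
# Shape of the unpropagated Authentication spec reported above (constructed).
HOSTED_SPEC = {"oauthMetadata": {"name": ""}, "type": "",
               "serviceAccountIssuer": "https://sa-issuer.example"}


def _summary(provider):
    """Reduce a provider to the fields compared: issuer, audiences, clients."""
    issuer = provider.get("issuer") or {}
    clients = {(c.get("componentNamespace"), c.get("componentName"), c.get("clientID"))
               for c in provider.get("oidcClients") or []}
    return issuer.get("issuerURL"), frozenset(issuer.get("audiences") or []), clients


def oidc_drift(hc_auth, hosted_spec):
    """Return differences between the two specs; an empty list means in sync."""
    findings = []
    if hc_auth.get("type") != hosted_spec.get("type"):
        findings.append(f"type: expected {hc_auth.get('type')!r}, "
                        f"found {hosted_spec.get('type')!r}")
    want = {p.get("name"): p for p in hc_auth.get("oidcProviders") or []}
    have = {p.get("name"): p for p in hosted_spec.get("oidcProviders") or []}
    for name in sorted(want):
        if name not in have:
            findings.append(f"provider {name!r}: missing in hosted cluster")
        elif _summary(want[name]) != _summary(have[name]):
            findings.append(f"provider {name!r}: issuer, audiences or clients differ")
    for name in sorted(set(have) - set(want)):
        findings.append(f"provider {name!r}: only in hosted cluster")
    return findings


if __name__ == "__main__":
    for line in oidc_drift(HC_AUTH, HOSTED_SPEC):
        print(line)
```

To run it against a live pair of clusters, load the JSON printed by the two `oc get` commands in the report (with JSON output selected for the Authentication object's `spec`) in place of the constructed samples.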