[4.15.z] ServiceAccounts can no longer be used as OAuth2 clients

    • Bug
    • Resolution: Done-Errata
    • Critical
    • 4.16.0
    • 4.15.0
    • apiserver-auth
    • None
    • Important
    • Yes
    • Rejected
    • False
      * Previously, ServiceAccounts (SAs) could not be used as OAuth2 clients because there were no tokens associated with the SAs. With this release, the OAuth registry client has been modified to anticipate this case and the issue has been resolved. (link:https://issues.redhat.com/browse/OCPBUGS-33210[*OCPBUGS-33210*])
    • Bug Fix
    • Done

      Description of problem:

          OAuth-Proxy breaks when it's using a Service Account as an OAuth client, as documented in https://docs.openshift.com/container-platform/4.15/authentication/using-service-accounts-as-oauth-client.html

      Version-Release number of selected component (if applicable):

          4.15

      How reproducible:

          100%

      Steps to Reproduce:

          1. Install an OCP cluster without the ImageRegistry capability
          2. Deploy an oauth-proxy that uses an SA as its OAuth2 client
          3. Try to log in to the oauth-proxy using valid credentials
          

      Actual results:

          The login fails, the oauth-server logs:
      
      2024-02-05T13:30:56.059910994Z E0205 13:30:56.059873       1 osinserver.go:91] internal error: system:serviceaccount:my-namespace:my-sa has no tokens

      Expected results:

          The login succeeds

      Additional info:

          

              rh-ee-irinis Ilias Rinis
              slaznick@redhat.com Stanislav Láznička (Inactive)
              Deepak Punia Deepak Punia (Inactive)
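
Added example, not part of the original report and not OpenShift code: a triage script that parses oauth-server log lines in the klog format shown under "Actual results" and counts the "has no tokens" errors per service account, to show which SA-based OAuth clients are hitting this bug. Only the first sample line comes from the report; the other lines, and the names `demo-ns`, `proxy-sa`, `other-sa` and `example.go`, are constructed.

```python
import re
from collections import Counter

# klog line, optionally prefixed by the container runtime's RFC 3339 timestamp:
#   [ts] <sev><MMDD> <HH:MM:SS.us> <pid> <file>:<line>] <message>
KLOG = re.compile(
    r"^(?:\S+Z\s+)?(?P<sev>[IWEF])\d{4}\s+\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"\d+\s+(?P<src>[^\s:\]]+:\d+)\]\s+(?P<msg>.*)$"
)
# Failure message from the report; namespace and SA follow Kubernetes naming rules.
NO_TOKENS = re.compile(
    r"system:serviceaccount:(?P<ns>[a-z0-9-]+):(?P<sa>[a-z0-9.-]+) has no tokens$"
)

# First line is the one quoted in the report; the rest are constructed.
SAMPLE = [
    "2024-02-05T13:30:56.059910994Z E0205 13:30:56.059873       1 osinserver.go:91] "
    "internal error: system:serviceaccount:my-namespace:my-sa has no tokens",
    "E0205 13:31:02.114507       1 osinserver.go:91] "
    "internal error: system:serviceaccount:my-namespace:my-sa has no tokens",
    "E0205 13:31:09.870012       1 osinserver.go:91] "
    "internal error: system:serviceaccount:demo-ns:proxy-sa has no tokens",
    "I0205 13:31:10.000001       1 example.go:10] "
    "note: system:serviceaccount:demo-ns:other-sa has no tokens",
    "E0205 13:31:11.000002       1 example.go:20] unrelated failure",
    "not a klog line",
]

def affected_clients(lines):
    """Count error-level 'has no tokens' failures per (namespace, service account)."""
    hits = Counter()
    for line in lines:
        m = KLOG.match(line.strip())
        if m is None or m["sev"] != "E":
            continue  # skip non-klog text and non-error severities
        t = NO_TOKENS.search(m["msg"])
        if t:
            hits[(t["ns"], t["sa"])] += 1
    return hits

if __name__ == "__main__":
    for (ns, sa), n in affected_clients(SAMPLE).most_common():
        print(f"{ns}/{sa}: {n} failed login(s)")
```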