Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.14.z, 4.15.z, 4.17.0, 4.16.z
Component/s: HyperShift
Labels:

Severity:
Moderate
Regression:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
*Cause*: When a hosted cluster proxy is configured and it uses an idp that has a http/https endpoint, the hostname of the idp is not resolved before sending it through the proxy.
*Consequence*: Host names that can only be resolved by the data plane fail to resolve for idps.
*Fix*: Perform dns lookup before sending idp traffic through konnectivity tunnel.
*Result*: IDPs with hostnames that can only be resolved by the data plane can be verified by the control plane operator.

Show
*Cause*: When a hosted cluster proxy is configured and it uses an idp that has a http/https endpoint, the hostname of the idp is not resolved before sending it through the proxy. *Consequence*: Host names that can only be resolved by the data plane fail to resolve for idps. *Fix*: Perform dns lookup before sending idp traffic through konnectivity tunnel. *Result*: IDPs with hostnames that can only be resolved by the data plane can be verified by the control plane operator.
Release Note Type:
Bug Fix
Release Note Status:
In Progress
Target Version:

4.18.0
Target Backport Versions:

4.14.z, 4.15.z, 4.17.z, 4.16.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

When using configuring an OpenID idp that can only be accessed via the data plane, if the hostname of the provider can only be resolved by the data plane, reconciliation of the idp fails.

Version-Release number of selected component (if applicable):

    4.16

How reproducible:

    always

Steps to Reproduce:

    1. Configure an OpenID idp on a HostedCluster with a URL that points to a service in the dataplane (like https://keycloak.keycloak.svc)

Actual results:

    The oauth server fails to be reconciled

Expected results:

    The oauth server reconciles and functions properly

Additional info:

    Follow up to OCPBUGS-37753

blocks

OCPBUGS-41371 [release-4.17] OpenID IDP endpoint verification fails when hostname can only be resolved by data plane

Closed

is cloned by

OCPBUGS-41371 [release-4.17] OpenID IDP endpoint verification fails when hostname can only be resolved by data plane

Closed

links to

openshift/hypershift#4516: OCPBUGS-38349: CPO oauth idp converter: resolve names before dialing

RHEA-2024:6122 OpenShift Container Platform 4.18.z bug fix update

Assignee:: Cesar Wong

Reporter:: Cesar Wong

QA Contact:: Jie Zhao

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/08/12 1:35 PM

Updated:: 2024/10/14 10:00 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates