
[release-4.17] OpenID IDP endpoint verification fails when hostname can only be resolved by data plane


    • Bug
    • Resolution: Done-Errata
    • Normal
    • None
    • 4.14.z, 4.15.z, 4.17.0, 4.16.z
    • HyperShift
    • Moderate
    • None
    • False
      * Previously, when a hosted cluster proxy was configured and the cluster used an identity provider (IDP) that had an HTTP or HTTPS endpoint, the hostname of the IDP was not resolved before traffic was sent through the proxy. Consequently, IDP hostnames that could only be resolved by the data plane failed to resolve. With this update, a DNS lookup is performed before sending IDP traffic through the `konnectivity` tunnel. As a result, IDPs with hostnames that can only be resolved by the data plane can be verified by the Control Plane Operator. (link:https://issues.redhat.com/browse/OCPBUGS-41371[*OCPBUGS-41371*])
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-38349. The following is the description of the original issue:

      Description of problem:

      When configuring an OpenID idp that can only be accessed via the data plane, if the hostname of the provider can only be resolved by the data plane, reconciliation of the idp fails.

      Version-Release number of selected component (if applicable):

          4.16

      How reproducible:

          always

      Steps to Reproduce:

          1. Configure an OpenID idp on a HostedCluster with a URL that points to a service in the data plane (like https://keycloak.keycloak.svc)
          

      Actual results:

          The oauth server fails to be reconciled

      Expected results:

          The oauth server reconciles and functions properly

      Additional info:

          Follow up to OCPBUGS-37753

            cewong@redhat.com Cesar Wong
            openshift-crt-jira-prow OpenShift Prow Bot
            Jie Zhao Jie Zhao
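
The resolve-before-tunnel behaviour described in the release note, as an added Go sketch that is not HyperShift's own code. The names `lookupFunc`, `dialFunc`, `resolveThenDial` and `newIDPClient` are hypothetical, and the addresses in `main` are constructed.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
)

// lookupFunc resolves a name with a resolver that can see data plane DNS (hypothetical hook).
type lookupFunc func(ctx context.Context, host string) ([]string, error)

// dialFunc opens a connection to "ip:port" through the tunnel (hypothetical hook).
type dialFunc func(ctx context.Context, network, addr string) (net.Conn, error)

// resolveThenDial resolves the host first, so the tunnel is only ever asked for an IP.
func resolveThenDial(lookup lookupFunc, tunnel dialFunc) dialFunc {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, fmt.Errorf("invalid address %q: %w", addr, err)
		}
		if net.ParseIP(host) != nil { // IP literal: nothing to resolve
			return tunnel(ctx, network, addr)
		}
		ips, err := lookup(ctx, host)
		if err != nil {
			return nil, fmt.Errorf("lookup of %q failed: %w", host, err)
		}
		lastErr := fmt.Errorf("no addresses returned for %q", host)
		for _, ip := range ips { // try each address until one connects
			conn, err := tunnel(ctx, network, net.JoinHostPort(ip, port))
			if err == nil {
				return conn, nil
			}
			lastErr = err
		}
		return nil, lastErr
	}
}

// newIDPClient: net/http still takes the TLS ServerName from the URL host, so cert checks stay bound to the name.
func newIDPClient(lookup lookupFunc, tunnel dialFunc) *http.Client {
	return &http.Client{Transport: &http.Transport{DialContext: resolveThenDial(lookup, tunnel)}}
}

func main() { // constructed stand-ins; prints the address the tunnel was asked to dial
	lookup := func(context.Context, string) ([]string, error) { return []string{"10.96.0.20"}, nil }
	tunnel := func(_ context.Context, _, a string) (net.Conn, error) { return nil, fmt.Errorf("would dial %s", a) }
	fmt.Println(resolveThenDial(lookup, tunnel)(context.Background(), "tcp", "keycloak.keycloak.svc:443"))
}
```

Because only the dial address changes, an HTTPS check against the IDP is still validated against the certificate for the original hostname rather than the resolved IP.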