OpenShift Bugs / OCPBUGS-42802

OpenShift 4.16 Hosted Control Plane Requires Manual Configuration of Globally Trusted Microsoft CA for Azure OAuth

Description of problem:

In a hosted control plane (HCP) environment on OpenShift 4.16, the globally trusted CA certificates for Microsoft Azure OAuth are not recognized automatically. This causes failed upgrades or authentication errors when Azure is used as an OAuth identity provider, even though the CA is globally trusted. The CA has to be configured manually, which was not necessary in OpenShift 4.15, leading to unexpected operational overhead.

OpenShift Container Platform 4.16 (Hosted Control Plane)

How reproducible:

Always reproducible in a hosted control plane environment during an upgrade, or when configuring Azure as an OAuth provider without explicitly providing the CA certificate.

Steps to Reproduce:

1. Configure a hosted control plane (HCP) in OpenShift 4.16.
2. Set up Azure as an OAuth identity provider in the hosted control plane without specifying a CA certificate.
3. Attempt to upgrade the cluster from OpenShift 4.15 to 4.16.
4. Observe the failure during the upgrade or during OAuth authentication.

Actual results:

Upgrade fails and gets stuck in the hosted control plane environment.
Authentication using Azure as an OAuth identity provider fails.
Errors are visible only in the control-plane-operator logs and indicate certificate validation failures (e.g., "x509: certificate signed by unknown authority").

Expected results:

Globally trusted CAs such as Microsoft Azure's should be recognized automatically by OpenShift without requiring manual configuration.
The upgrade process in the hosted control plane environment should complete without manual intervention.
OAuth authentication should work seamlessly with the global CA in the hosted control plane setup.

Additional info:

The Azure CA is globally trusted and valid until 2030, making manual CA management redundant and operationally challenging.
This behavior was not required in OpenShift 4.15, indicating a regression in the 4.16 hosted control plane.
Logs from the control-plane-operator contain the error message: "x509: certificate signed by unknown authority".

      Supporting KCS: https://access.redhat.com/solutions/7088177
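The "x509: certificate signed by unknown authority" message quoted above is what Go's certificate verifier returns when the issuing root is absent from the trust bundle a client was handed. The following Go program is an added illustration, not code from this report or from OpenShift: it builds a constructed throwaway root CA and server certificate (the host name login.example.invalid is a placeholder) and runs the same verification with and without that root in the bundle, which is the difference between the working and the failing state described here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyAgainstBundle checks a server certificate the way a Go TLS client such as
// the control-plane-operator does: the chain must end in a root found in the PEM
// trust bundle. unknownCA is true when the failure is x509.UnknownAuthorityError.
func VerifyAgainstBundle(leaf *x509.Certificate, bundlePEM []byte, host string) (ok, unknownCA bool) {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM) // an empty or unrelated bundle leaves no usable root
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	// errors.As on a nil error is false; UnknownAuthorityError is the type whose
	// message reads "x509: certificate signed by unknown authority"
	return err == nil, errors.As(err, new(x509.UnknownAuthorityError))
}

// newCert signs tmpl with the parent's key and parses the resulting DER.
func newCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ConstructedChain generates a throwaway root CA and a server certificate it signs
// (standing in for the public chain an OAuth endpoint presents) so the check runs offline.
func ConstructedChain(host string) (leaf *x509.Certificate, rootPEM []byte, err error) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand is assumed not to fail
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root, err := newCert(rootTmpl, rootTmpl, rootPub, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = newCert(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: nb,
		NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, leafPub, rootKey)
	return leaf, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw}), err
}
```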

Unassigned
Vivek Yoganand A (rhn-support-vyoganan)
Xingxing Xia