
Hypershift OAuth failing to connect to IdentityProvider when using a proxy with additionalTrustBundle and IdentityProvider URL can be publicly verified

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Affects Version: 4.16.z
    • Component: HyperShift / ROSA

      Description of problem:

      Initially, the clusters at version 4.16.9 were having issues reconciling the IDP. The error found in Dynatrace was:

        "error": "failed to update control plane: failed to reconcile openshift oauth apiserver: failed to reconcile oauth server config: failed to generate oauth config: failed to apply IDP AAD config: Service Unavailable",

      Initially it was assumed that the IDP service was unavailable, but the CU confirmed that they also have the GroupSync operator running inside all clusters, which can successfully connect to the customer IDP and sync user and group information from the IDP into the cluster.

      The CU was advised to upgrade to 4.16.18, keeping in mind that a few of the other OCPBUGS related to proxies would be resolved by upgrading to 4.16.15+.

      However, after the upgrade the IDP still fails to apply. It looks like the IDP reconciler isn't considering the additional trust bundle configured for the customer proxy.

      Checking the Dynatrace logs, the failure is certificate verification:

      "error": "failed to update control plane: failed to reconcile openshift oauth apiserver: failed to reconcile oauth server config: failed to generate oauth config: failed to apply IDP AAD config: tls: failed to verify certificate: x509: certificate signed by unknown authority",

        "error": "failed to update control plane: [failed to reconcile openshift oauth apiserver: failed to reconcile oauth server config: failed to generate oauth config: failed to apply IDP AAD config: tls: failed to verify certificate: x509: certificate signed by unknown authority, failed to update status: Operation cannot be fulfilled on hostedcontrolplanes.hypershift.openshift.io \"rosa-staging\": the object has been modified; please apply your changes to the latest version and try again]",

      Version-Release number of selected component (if applicable):

      4.16.18

      How reproducible:

      Customer has a few clusters deployed and each of them has the same issue.

      Steps to Reproduce:

          1. Create a HostedCluster with a proxy configuration that specifies an additionalTrustBundle, and an OpenID IDP that can be publicly verified (i.e. Entra ID, or Keycloak with Let's Encrypt certificates)
          2. Wait for the cluster to come up and try to use the IDP

      Actual results:

      IDP is failing to work for HCP

      Expected results:

      IDP should be working for the clusters

      Additional info:

          The issue only happens if the IDP does not require a custom trust bundle to be verified.
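As an added illustration (not code from the HyperShift project), the Go sketch below shows the trust-pool construction the report says the IDP reconciler skips: the proxy's additionalTrustBundle is appended to the system roots, so a publicly-verifiable IdP reached through a TLS-intercepting proxy still verifies, and the same cert fails with "certificate signed by unknown authority" when the bundle is left out. The CA is generated in-process as constructed test data, and the function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// newTestCA: constructed self-signed CA standing in for a TLS-intercepting proxy's private CA.
func newTestCA() (*x509.Certificate, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// rootsWithTrustBundle merges additionalTrustBundle INTO the system roots, so a publicly
// verifiable IdP keeps working; appending the bundle is the step the report says was skipped.
func rootsWithTrustBundle(bundlePEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil { // no readable system store: fall back to an empty pool
		pool = x509.NewCertPool()
	}
	if len(bundlePEM) > 0 && !pool.AppendCertsFromPEM(bundlePEM) {
		return nil, errors.New("additionalTrustBundle has no parseable certificate")
	}
	return pool, nil
}

// verifyAgainstBundle: a nil bundle reproduces "x509: certificate signed by unknown authority".
func verifyAgainstBundle(bundlePEM []byte, leaf *x509.Certificate) error {
	roots, err := rootsWithTrustBundle(bundlePEM)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
```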

              cewong@redhat.com Cesar Wong
              ppanda.openshift Pratik Panda
              Jie Zhao Jie Zhao