OpenShift Bugs / OCPBUGS-45300

Console oidcClient with "OIDC provider CA version not up to date in current deployment" and "status: Unknown" can confuse users in both HCP and OCP BYO external OIDC env

      Description of problem:

      In both HCP and OCP BYO external OIDC environments that use a self-signed Keycloak as the external OIDC provider, the console oidcClient's status shows "OIDC provider CA version not up to date in current deployment" and "status: Unknown". Although oc and console login to the external OIDC provider work well, this can indeed confuse end users, therefore reporting it for improvement.
      

      Version-Release number of selected component (if applicable):

      4.19, 4.18, 4.16.0-0.nightly-2024-12-02-183536

      How reproducible:

      Always

      Steps to Reproduce:

      1. Launch a 4.19 or 4.18 HCP or OCP env, or a 4.16.0-0.nightly-2024-12-02-183536 HCP env, and ensure a BYO external OIDC configuration using a self-signed Keycloak server is configured.
      
      2. The configuration is picked up by the related components' pods and takes effect: oc and console login succeed. Then check `oc get authentication.config cluster -o yaml`.

      Actual results:

      Step 2 `oc get authentication.config cluster -o yaml` shows the following (as described in the bug subject), which can really confuse users:

      ...
      spec:
        oauthMetadata:
          name: ""
        oidcProviders:
        - claimMappings:
            groups:
              claim: groups
              prefix: 'oidc-groups-test:'
            username:
              claim: email
              prefix:
                prefixString: 'oidc-user-test:'
              prefixPolicy: Prefix
          issuer:
            audiences:
            - console-test
            - oc-cli-test
            issuerCertificateAuthority:
              name: keycloak-oidc-ca
            issuerURL: https://keycloak-keycloak.apps.xxxx/realms/master
          name: keycloak-oidc-server
          oidcClients:
          - clientID: console-test
            clientSecret:
              name: console-secret
            componentName: console
            componentNamespace: openshift-console
        serviceAccountIssuer: ...
        type: OIDC
      status:
        ...
        oidcClients:
        - componentName: cli
          ...
        - componentName: console
          componentNamespace: openshift-console
          conditions:
          - lastTransitionTime: "2024-12-03T07:37:49Z"
            message: OIDC provider CA version not up to date in current deployment
            reason: DeploymentOIDCConfig
            status: "False"
            type: Degraded
          - lastTransitionTime: "2024-12-03T07:37:49Z"
            message: OIDC provider CA version not up to date in current deployment
            reason: DeploymentOIDCConfig
            status: "True"
            type: Progressing
          - lastTransitionTime: "2024-12-03T07:27:12Z"
            message: ""
            reason: Unknown
            status: Unknown
            type: Available
          currentOIDCClients:
          - clientID: console-test
            issuerURL: https://keycloak-keycloak.apps.xxxx/realms/master
            oidcProviderName: keycloak-oidc-server
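To check for this pattern without reading the YAML by hand, here is an added example (not code from the bug report or from OpenShift) that reads the `.status` of authentication.config/cluster in the shape `oc get ... -o json` returns and flags the three things that make the console client's conditions read like an outage. The status below is constructed from the report's output; the cli client's conditions are assumed, since the report elides them.

```python
"""Summarise the oidcClients status of authentication.config/cluster and flag
the confusing condition pattern from this report. Added example, not code from
the bug report or OpenShift; assumes the .status shape `oc ... -o json` returns."""
import json

# Constructed sample status: the console client's conditions as shown in the
# report, plus an assumed healthy cli client (the report elides it) for contrast.
SAMPLE_STATUS = json.loads("""
{"oidcClients": [
  {"componentName": "cli", "componentNamespace": "openshift-console", "conditions": [
    {"type": "Degraded", "status": "False", "reason": "AsExpected", "message": ""},
    {"type": "Progressing", "status": "False", "reason": "AsExpected", "message": ""},
    {"type": "Available", "status": "True", "reason": "AsExpected", "message": ""}]},
  {"componentName": "console", "componentNamespace": "openshift-console", "conditions": [
    {"type": "Degraded", "status": "False", "reason": "DeploymentOIDCConfig",
     "message": "OIDC provider CA version not up to date in current deployment"},
    {"type": "Progressing", "status": "True", "reason": "DeploymentOIDCConfig",
     "message": "OIDC provider CA version not up to date in current deployment"},
    {"type": "Available", "status": "Unknown", "reason": "Unknown", "message": ""}]}
]}
""")


def summarize_oidc_clients(status):
    """Map each oidcClient to its condition statuses plus heuristic findings:
    Available Unknown, Degraded=False with a problem message, Progressing echoing it."""
    summary = {}
    for client in status.get("oidcClients", []):
        conds = {c["type"]: c for c in client.get("conditions", [])}
        degraded = conds.get("Degraded", {})
        progressing = conds.get("Progressing", {})
        available = conds.get("Available", {})
        findings = []
        if available.get("status") not in ("True", "False"):
            findings.append("Available is Unknown; readiness cannot be judged from status alone")
        if degraded.get("status") == "False" and degraded.get("message"):
            findings.append(f"Degraded=False yet carries a problem message: {degraded['message']!r}")
        if progressing.get("status") == "True" and progressing.get("message") == degraded.get("message"):
            findings.append("Progressing repeats the Degraded message; reads as a stale CA rollout, not a failure")
        summary[client["componentName"]] = {
            "conditions": {t: c.get("status") for t, c in conds.items()},
            "findings": findings,
        }
    return summary


if __name__ == "__main__":
    for name, info in summarize_oidc_clients(SAMPLE_STATUS).items():
        print(name, info["conditions"], *("\n  - " + f for f in info["findings"]))
```

Against a live cluster, feed `json.loads(oc_output)["status"]` into `summarize_oidc_clients` instead of `SAMPLE_STATUS`; an empty findings list means the conditions are at least self-consistent, which is the check the report's output fails.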
      

      Expected results:

      The status should be improved so that it does not confuse end users.

      Additional info:

              jhadvig@redhat.com Jakub Hadvig
              xxia-1 Xingxing Xia