Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-45300

Console oidcClient with "OIDC provider CA version not up to date in current deployment" and "status: Unknown" can confuse users in both HCP and OCP BYO external OIDC env

XMLWordPrintable

    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • Critical
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Description of problem:

      In both HCP and OCP BYO external OIDC env using self-signed keycloak as the external OIDC provider, the console oidcClient's status shows "OIDC provider CA version not up to date in current deployment" and "status: Unknown". Though oc and console login to the external OIDC provider work well, such problem can indeed confuse end users, therefore reporting it for improvement.

      Version-Release number of selected component (if applicable):

      4.19, 4.18, 4.16.0-0.nightly-2024-12-02-183536

      How reproducible:

      Always

      Steps to Reproduce:

      1. Launch 4.19 or 4.18 HCP env or OCP env, or launch 4.16.0-0.nightly-2024-12-02-183536 HCP env, and ensure BYO external OIDC configuration using a self-signed keycloak server is configured.

2. The configuration is really picked up by related components' pods and the configuration indeed takes effect: oc and console login can succeed. Then check `oc get authentication.config cluster -o yaml`.

      Actual results:

      Step 2 `oc get authentication.config cluster -o yaml` shows below as the bug subject, which can really confuse users:

      ...
spec:
  oauthMetadata:
    name: ""
  oidcProviders:
  - claimMappings:
      groups:
        claim: groups
        prefix: 'oidc-groups-test:'
      username:
        claim: email
        prefix:
          prefixString: 'oidc-user-test:'
        prefixPolicy: Prefix
    issuer:
      audiences:
      - console-test
      - oc-cli-test
      issuerCertificateAuthority:
        name: keycloak-oidc-ca
      issuerURL: https://keycloak-keycloak.apps.xxxx/realms/master
    name: keycloak-oidc-server
    oidcClients:
    - clientID: console-test
      clientSecret:
        name: console-secret
      componentName: console
      componentNamespace: openshift-console
  serviceAccountIssuer: ...
  type: OIDC
status:
  ...
  oidcClients:
  - componentName: cli
    ...
  - componentName: console
    componentNamespace: openshift-console
    conditions:
    - lastTransitionTime: "2024-12-03T07:37:49Z"
      message: OIDC provider CA version not up to date in current deployment
      reason: DeploymentOIDCConfig
      status: "False"
      type: Degraded
    - lastTransitionTime: "2024-12-03T07:37:49Z"
      message: OIDC provider CA version not up to date in current deployment
      reason: DeploymentOIDCConfig
      status: "True"
      type: Progressing
    - lastTransitionTime: "2024-12-03T07:27:12Z"
      message: ""
      reason: Unknown
      status: Unknown
      type: Available
    currentOIDCClients:
    - clientID: console-test
      issuerURL: https://keycloak-keycloak.apps.xxxx/realms/master
      oidcProviderName: keycloak-oidc-server

      Expected results:

      It can be improved to avoid the confusion to end users.

      Additional info:

              jhadvig@redhat.com Jakub Hadvig
              xxia-1 Xingxing Xia
              None
              None
              Xingxing Xia Xingxing Xia
              None
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: