Bug
Resolution: Unresolved
4.17.z, 4.16.z, 4.18.0, 4.19.0, 4.20
Quality / Stability / Reliability
Critical
Description of problem:
In both HCP and OCP BYO external OIDC env using a self-signed Keycloak as the external OIDC provider, the console oidcClient's status shows "OIDC provider CA version not up to date in current deployment" and "status: Unknown". Though oc and console login to the external OIDC provider work well, such a problem can indeed confuse end users, so I am reporting it for improvement.
Version-Release number of selected component (if applicable):
4.19, 4.18, 4.16.0-0.nightly-2024-12-02-183536
How reproducible:
Always
Steps to Reproduce:
1. Launch 4.19 or 4.18 HCP env or OCP env, or launch 4.16.0-0.nightly-2024-12-02-183536 HCP env, and ensure BYO external OIDC configuration using a self-signed keycloak server is configured.
2. The configuration is really picked up by related components' pods and the configuration indeed takes effect: oc and console login can succeed. Then check `oc get authentication.config cluster -o yaml`.
Actual results:
Step 2 `oc get authentication.config cluster -o yaml` shows the output below, which is the subject of this bug and can really confuse users:
```yaml
...
spec:
  oauthMetadata:
    name: ""
  oidcProviders:
  - claimMappings:
      groups:
        claim: groups
        prefix: 'oidc-groups-test:'
      username:
        claim: email
        prefix:
          prefixString: 'oidc-user-test:'
        prefixPolicy: Prefix
    issuer:
      audiences:
      - console-test
      - oc-cli-test
      issuerCertificateAuthority:
        name: keycloak-oidc-ca
      issuerURL: https://keycloak-keycloak.apps.xxxx/realms/master
    name: keycloak-oidc-server
    oidcClients:
    - clientID: console-test
      clientSecret:
        name: console-secret
      componentName: console
      componentNamespace: openshift-console
  serviceAccountIssuer: ...
  type: OIDC
status:
  ...
  oidcClients:
  - componentName: cli
    ...
  - componentName: console
    componentNamespace: openshift-console
    conditions:
    - lastTransitionTime: "2024-12-03T07:37:49Z"
      message: OIDC provider CA version not up to date in current deployment
      reason: DeploymentOIDCConfig
      status: "False"
      type: Degraded
    - lastTransitionTime: "2024-12-03T07:37:49Z"
      message: OIDC provider CA version not up to date in current deployment
      reason: DeploymentOIDCConfig
      status: "True"
      type: Progressing
    - lastTransitionTime: "2024-12-03T07:27:12Z"
      message: ""
      reason: Unknown
      status: Unknown
      type: Available
    currentOIDCClients:
    - clientID: console-test
      issuerURL: https://keycloak-keycloak.apps.xxxx/realms/master
      oidcProviderName: keycloak-oidc-server
```
Expected results:
It can be improved to avoid confusing end users.
Additional info:
- blocks: OCPBUGS-59618 Console oidcClient with "OIDC provider CA version not up to date in current deployment" and "status: Unknown" can confuse users in both HCP and OCP BYO external OIDC env (Closed)
- is cloned by: OCPBUGS-59618 Console oidcClient with "OIDC provider CA version not up to date in current deployment" and "status: Unknown" can confuse users in both HCP and OCP BYO external OIDC env (Closed)
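One way to check a cluster for the state described in this report, as an added example that is not part of the original report or of any OpenShift component: it walks `status.oidcClients[].conditions` and lists every condition that is not at its settled value, with how long it has been there. The embedded JSON is constructed from the output quoted in the report; the settled values, the function names and the observation time are assumptions of this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the status stanza quoted in the report, as JSON.
# The "cli" entry is elided in the report, so it carries no conditions here.
SAMPLE = json.loads("""
{"status": {"oidcClients": [
  {"componentName": "cli"},
  {"componentName": "console", "componentNamespace": "openshift-console",
   "conditions": [
    {"type": "Degraded", "status": "False", "reason": "DeploymentOIDCConfig",
     "message": "OIDC provider CA version not up to date in current deployment",
     "lastTransitionTime": "2024-12-03T07:37:49Z"},
    {"type": "Progressing", "status": "True", "reason": "DeploymentOIDCConfig",
     "message": "OIDC provider CA version not up to date in current deployment",
     "lastTransitionTime": "2024-12-03T07:37:49Z"},
    {"type": "Available", "status": "Unknown", "reason": "Unknown",
     "message": "", "lastTransitionTime": "2024-12-03T07:27:12Z"}]}]}}
""")

# Condition values treated as a settled rollout (assumption of this example).
SETTLED = {"Available": "True", "Progressing": "False", "Degraded": "False"}

def parse_time(ts):
    """Parse the RFC 3339 UTC timestamps used in lastTransitionTime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_oidc_clients(auth, now):
    """Return (component, type, status, age_seconds, message) per unsettled condition."""
    findings = []
    for client in auth.get("status", {}).get("oidcClients", []):
        name = client.get("componentName", "<unnamed>")
        for cond in client.get("conditions", []):
            want = SETTLED.get(cond["type"])
            if want is None or cond["status"] == want:
                continue  # unknown condition type, or already at its settled value
            age = int((now - parse_time(cond["lastTransitionTime"])).total_seconds())
            findings.append((name, cond["type"], cond["status"], age, cond.get("message", "")))
    return findings

if __name__ == "__main__":
    # Hypothetical observation time, one hour after the Progressing transition.
    now = datetime(2024, 12, 3, 8, 37, 49, tzinfo=timezone.utc)
    for name, ctype, status, age, msg in review_oidc_clients(SAMPLE, now):
        print(f"{name}: {ctype}={status} for {age}s {msg!r}")
```

Against a live cluster, replace `SAMPLE` with the parsed output of `oc get authentication.config cluster -o json`.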