Bug
Resolution: Done
Critical
4.19.z, 4.20
Quality / Stability / Reliability
Description of problem:
The hosted control plane (HCP) cannot become Ready when external OIDC is enabled with the extra claim-mapping field on builds after 4.19.0-rc.4.
The console operator goes Degraded with the error "spec.oidcProviders[name="microsoft-entra-id"].claimMappings.extra: field not declared in schema".
The issue does not occur on 4.19.0-rc.4, nor in the pre-merge test of https://github.com/openshift/hypershift/pull/6121.
Here is the code changelog between 4.19.0-rc.4 and 4.19.0:
https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/releasestream/4-stable/release/4.19.0?from=4.19.0-rc.4
Version-Release number of selected component (if applicable):
4.19.z, 4.20
How reproducible:
Always
Steps to Reproduce:
1. Enable external OIDC with an extra claim mapping in the HCP
2. Check the HCP
Actual results:
The console operator is degraded, which blocks the HCP from becoming Ready.
% omc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.19.0-0.nightly-2025-06-16-004822 True False 40m Error while reconciling 4.19.0-0.nightly-2025-06-16-004822: the cluster operator console is degraded
xiuwang@Xiuwangs-MacBook-Pro dump-419 % omc get co console -o yaml
apiVersion: config.openshift.io/v1
kind: ClusterOperator
metadata:
  annotations:
    capability.openshift.io/name: Console
    include.release.openshift.io/hypershift: "true"
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  creationTimestamp: "2025-06-16T13:59:04Z"
  generation: 1
  name: console
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    controller: true
    kind: ClusterVersion
    name: version
    uid: 46e07bbc-3b51-42e2-b928-629f76a4f09e
  resourceVersion: "11660"
  uid: 6c0c3c19-19c5-452a-8c9f-039e78ce2f28
spec: {}
status:
  conditions:
  - lastTransitionTime: "2025-06-16T14:06:37Z"
    message: |-
      AuthStatusHandlerDegraded: error converting obj to typed: .spec.oidcProviders[name="microsoft-entra-id"].claimMappings.extra: field not declared in schema
      CLIAuthStatusHandlerDegraded: error converting obj to typed: .spec.oidcProviders[name="microsoft-entra-id"].claimMappings.extra: field not declared in schema
    reason: AuthStatusHandler_FailedApply::CLIAuthStatusHandler_FailedApply
    status: "True"
    type: Degraded
  - lastTransitionTime: "2025-06-16T14:13:05Z"
    message: All is well
    reason: AsExpected
    status: "False"
    type: Progressing
  - lastTransitionTime: "2025-06-16T14:04:59Z"
    message: All is well
    reason: AsExpected
    status: "True"
    type: Available
  - lastTransitionTime: "2025-06-16T14:04:44Z"
    message: All is well
    reason: AsExpected
    status: "True"
    type: Upgradeable
  - lastTransitionTime: "2025-06-16T14:04:36Z"
    reason: NoData
    status: Unknown
    type: EvaluationConditionsDetected
  extension: null
  relatedObjects:
  - group: console.openshift.io
    name: monitoring-plugin
    resource: consoleplugins
  - group: console.openshift.io
    name: networking-console-plugin
    resource: consoleplugins
  - group: operator.openshift.io
    name: cluster
    resource: consoles
  - group: config.openshift.io
    name: cluster
    resource: consoles
  - group: config.openshift.io
    name: cluster
    resource: infrastructures
  - group: config.openshift.io
    name: cluster
    resource: proxies
  - group: config.openshift.io
    name: cluster
    resource: oauths
  - group: oauth.openshift.io
    name: console
    resource: oauthclients
  - group: ""
    name: openshift-console-operator
    resource: namespaces
  - group: ""
    name: openshift-console
    resource: namespaces
  - group: ""
    name: console-public
    namespace: openshift-config-managed
    resource: configmaps
  versions:
  - name: operator
    version: 4.19.0-0.nightly-2025-06-16-004822
Expected results:
The HCP should be created successfully with external OIDC configured with extra and uid claim mappings.
Additional info:
The issue cannot be reproduced on 4.19.0-rc.4:
oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.19.0-rc.4 True False 22m Cluster version is 4.19.0-rc.4
xiuwang@Xiuwangs-MacBook-Pro dump-419 % oc get co console
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE
console 4.19.0-rc.4 True False False 24m
xiuwang@Xiuwangs-MacBook-Pro dump-419 % oc get node
NAME STATUS ROLES AGE VERSION
ip-10-0-136-165.us-east-2.compute.internal Ready worker 27m v1.32.4
ip-10-0-138-144.us-east-2.compute.internal Ready worker 27m v1.32.4
ip-10-0-141-66.us-east-2.compute.internal Ready worker 27m v1.32.4
oc get authentications.config.openshift.io -o yaml
apiVersion: v1
items:
- apiVersion: config.openshift.io/v1
  kind: Authentication
  metadata:
    annotations:
      include.release.openshift.io/ibm-cloud-managed: "true"
      include.release.openshift.io/self-managed-high-availability: "true"
      release.openshift.io/create-only: "true"
    creationTimestamp: "2025-06-19T05:21:10Z"
    generation: 2
    name: cluster
    ownerReferences:
    - apiVersion: config.openshift.io/v1
      kind: ClusterVersion
      name: version
      uid: cb31b828-9f44-47a6-abe3-b0b486ae44d6
    resourceVersion: "13195"
    uid: 55c551f0-22b4-4e6b-a9b1-95dc50f14bc0
  spec:
    oauthMetadata:
      name: ""
    oidcProviders:
    - claimMappings:
        extra:
        - key: qe.devcluster.openshift.com/email
          valueExpression: claims.email
        groups:
          claim: groups
          prefix: 'oidc-groups-test:'
        uid:
          claim: email
        username:
          claim: email
          prefix:
            prefixString: 'oidc-user-test:'
          prefixPolicy: Prefix
      issuer:
        audiences:
        - 3d08d40e-c5eb-489b-bdd3-256628806aee
        - 8f2b5026-d93f-4100-ab58-2d64f3d8c729
        issuerCertificateAuthority:
          name: ""
        issuerURL: https://login.microsoftonline.com/6047c7e9-b2ad-488d-a54e-dc3f6be6a7ee/v2.0
      name: microsoft-entra-id
      oidcClients:
      - clientID: 3d08d40e-c5eb-489b-bdd3-256628806aee
        clientSecret:
          name: console-secret
        componentName: console
        componentNamespace: openshift-console
    serviceAccountIssuer: https://wxj-420.s3.us-east-2.amazonaws.com/wxj-419-hc-kdl7k
    type: OIDC
  status:
    oidcClients:
    - componentName: cli
      componentNamespace: openshift-console
      conditions:
      - lastTransitionTime: "2025-06-19T06:04:30Z"
        message: no CLI OIDC client spec found
        reason: CLIOIDCClientStatus
        status: "False"
        type: Degraded
      - lastTransitionTime: "2025-06-19T06:04:30Z"
        message: no CLI OIDC client spec found
        reason: CLIOIDCClientStatus
        status: "False"
        type: Progressing
      - lastTransitionTime: "2025-06-19T06:04:30Z"
        message: no CLI OIDC client spec found
        reason: CLIOIDCClientStatus
        status: "False"
        type: Available
    - componentName: console
      componentNamespace: openshift-console
      conditions:
      - lastTransitionTime: "2025-06-19T06:04:30Z"
        message: ""
        reason: OIDCConfigAvailable
        status: "False"
        type: Degraded
      - lastTransitionTime: "2025-06-19T06:04:30Z"
        message: ""
        reason: OIDCConfigAvailable
        status: "False"
        type: Progressing
      - lastTransitionTime: "2025-06-19T06:04:30Z"
        message: ""
        reason: OIDCConfigAvailable
        status: "True"
        type: Available
      currentOIDCClients:
      - clientID: 3d08d40e-c5eb-489b-bdd3-256628806aee
        issuerURL: https://login.microsoftonline.com/6047c7e9-b2ad-488d-a54e-dc3f6be6a7ee/v2.0
        oidcProviderName: microsoft-entra-id
kind: List
metadata:
  resourceVersion: ""
But the error does occur on 4.19.0:
oc get co
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE
console 4.19.0 True False True 19m AuthStatusHandlerDegraded: error converting obj to typed: .spec.oidcProviders[name="microsoft-entra-id"].claimMappings.extra: field not declared in schema...
Here is the hypershift dump log https://gcsweb-qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/qe-private-deck/logs/periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-aws-ipi-ovn-hypershift-guest-ext-oidc-tp-f14/1934596006440079360/artifacts/aws-ipi-ovn-hypershift-guest-ext-oidc-tp-f14/dump/
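A local version of the check that fails inside the console operator, as an added example (not code from the bug report or the hypershift project): it walks the report's claimMappings block against a constructed CRD schema with and without the extra field and lists the undeclared paths, so an Authentication spec can be validated against the hosted cluster's real CRD schema before it is applied. The two schemas are constructed; the spec values are the ones from the report.

```python
import copy

# Walk a resource fragment and list the fields its CRD schema does not declare.
# `schema` is the OpenAPI v3 subset found under spec.versions[].schema.openAPIV3Schema
# in `oc get crd authentications.config.openshift.io -o json`. An undeclared field is
# what the console operator reports as "field not declared in schema".
def undeclared_fields(value, schema, path="spec"):
    missing = []
    if isinstance(value, dict):
        # Objects that preserve unknown fields, or that are maps, accept any key.
        if schema.get("x-kubernetes-preserve-unknown-fields") or "additionalProperties" in schema:
            return missing
        props = schema.get("properties", {})
        for key, child in value.items():
            if key not in props:
                missing.append(f"{path}.{key}")
            else:
                missing.extend(undeclared_fields(child, props[key], f"{path}.{key}"))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            missing.extend(undeclared_fields(child, schema.get("items", {}), f"{path}[{i}]"))
    return missing

# Constructed schemas: claimMappings as a release that knows `extra` declares it,
# and the same schema with `extra` missing, as on the degraded hosted cluster.
_STR = {"type": "string"}
CLAIM_MAPPINGS_WITH_EXTRA = {"type": "object", "properties": {
    "username": {"type": "object", "properties": {
        "claim": _STR, "prefixPolicy": _STR,
        "prefix": {"type": "object", "properties": {"prefixString": _STR}}}},
    "groups": {"type": "object", "properties": {"claim": _STR, "prefix": _STR}},
    "uid": {"type": "object", "properties": {"claim": _STR}},
    "extra": {"type": "array", "items": {"type": "object", "properties": {
        "key": _STR, "valueExpression": _STR}}},
}}
CLAIM_MAPPINGS_WITHOUT_EXTRA = copy.deepcopy(CLAIM_MAPPINGS_WITH_EXTRA)
del CLAIM_MAPPINGS_WITHOUT_EXTRA["properties"]["extra"]

# The claimMappings block from the report's Authentication resource.
CLAIM_MAPPINGS_SPEC = {
    "extra": [{"key": "qe.devcluster.openshift.com/email", "valueExpression": "claims.email"}],
    "groups": {"claim": "groups", "prefix": "oidc-groups-test:"},
    "uid": {"claim": "email"},
    "username": {"claim": "email", "prefix": {"prefixString": "oidc-user-test:"},
                 "prefixPolicy": "Prefix"},
}

def check_claim_mappings(schema):
    return undeclared_fields(CLAIM_MAPPINGS_SPEC, schema,
                             path='spec.oidcProviders[name="microsoft-entra-id"].claimMappings')
```

Against the schema without extra the result is exactly the path the operator reports; against the rc.4-style schema the list is empty.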
Duplicates:
- OCPBUGS-59801 CI job for OIDC on AKS fails to parse latest Auth configuration (Closed)