Bug
Resolution: Won't Do
Normal
None
4.14, 4.15, 4.16, 4.17, 4.18, 4.19, 4.20
Description of problem:
The "Copy login command" does not work in the OpenShift Console in certain cases. In IBM Cloud, when the cluster uses private-only connectivity, its DNS is also a private DNS that is only resolvable inside the customer VPC. The oauth-openshift pod runs in a different networking layer (split control plane), cannot resolve that name, and the "Copy login command" fails.
The root cause is the following: oauth-openshift goes through konnectivity-proxy, and this proxy is configured with the "--connect-directly-to-cloud-apis" flag.
Because of that, the IsCloudAPI() function assumes that the URL should be resolved and dialed in place, since in our case the host ends with cloud.ibm.com.
This is not the right decision here: the host also has a "private" subdomain, and because that zone is a private DNS it cannot be resolved locally and dialed directly.
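The routing decision described above, as an added example (not HyperShift's own IsCloudAPI() code): a suffix-only "is this a cloud API?" check beside a variant that additionally refuses to dial hosts carrying a "private" DNS label, run against the hostnames from this report. The suffix list, the label-based private check and the function names are assumptions made for the example; the project's actual list and fix, if any, are not on this page.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// cloudAPISuffixes is a constructed list for this example. Hosts under these
// suffixes are dialed directly when --connect-directly-to-cloud-apis is set.
var cloudAPISuffixes = []string{"cloud.ibm.com"}

// isCloudAPIBySuffix reproduces the suffix-only heuristic the report describes:
// anything ending in a cloud API domain is treated as directly reachable.
func isCloudAPIBySuffix(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, s := range cloudAPISuffixes {
		if host == s || strings.HasSuffix(host, "."+s) {
			return true
		}
	}
	return false
}

// isPrivateEndpoint reports whether a DNS label of the host is exactly
// "private" (assumption: matches the private-zone names shown in the report).
func isPrivateEndpoint(host string) bool {
	for _, label := range strings.Split(strings.ToLower(host), ".") {
		if label == "private" {
			return true
		}
	}
	return false
}

// connectDirectly is the hypothetical hardened decision: dial directly only
// when the host is a cloud API endpoint and is not in a private zone.
func connectDirectly(host string) bool {
	return isCloudAPIBySuffix(host) && !isPrivateEndpoint(host)
}

// route returns the path the proxy would use for a CONNECT target "host:port"
// under the hardened decision: "direct" or "konnectivity".
func route(target string) (string, error) {
	host, _, err := net.SplitHostPort(target)
	if err != nil {
		return "", err
	}
	if connectDirectly(host) {
		return "direct", nil
	}
	return "konnectivity", nil
}

func main() {
	// Constructed targets: the IAM endpoint and the private cluster endpoint
	// from the report, plus an unrelated host.
	targets := []string{
		"iam.test.cloud.ibm.com:443",
		"d14kel150t38bgtd4hv0.private.stage-us-south.containers.test.cloud.ibm.com:31908",
		"example.org:443",
	}
	for _, t := range targets {
		host, _, _ := net.SplitHostPort(t)
		r, _ := route(t)
		fmt.Printf("%-80s suffix-only=%-5v hardened=%s\n", t, isCloudAPIBySuffix(host), r)
	}
}
```

The second target is the interesting one: the suffix-only check returns true and would dial it from the proxy's own resolver, which is exactly the "no such host" failure in the log below, while the hardened decision sends it through konnectivity.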
Example error log in konnectivity-proxy pod:
➜ kubectl logs -n master-XXXXX oauth-openshift-59fcc6b475-p494z -c http-proxy
{"level":"info","ts":"2025-06-12T14:15:59Z","logger":"konnectivity-https-proxy","msg":"Starting proxy","version":"openshift/hypershift: a7e83e35b0b00f9160af6cf88f39365eb84e3271. Latest supported OCP: 4.16.0"}
2025/06/12 14:17:50 [001] INFO: Running 0 CONNECT handlers
2025/06/12 14:17:50 [001] WARN: Error dialing to d14kel150t38bgtd4hv0.private.stage-us-south.containers.test.cloud.ibm.com:31908: dial tcp: lookup d14kel150t38bgtd4hv0.private.stage-us-south.containers.test.cloud.ibm.com on 172.21.0.10:53: no such host
Error on console:
Error getting token: Post "https://clusterIDXXX.private.ca-mon.containers.cloud.ibm.com:31980/oauth/token": Bad Gateway
What we also find strange is that oauth-openshift tries to reach itself using its "published" address.
The oauth-openshift configuration is the following:
oauthConfig:
  alwaysShowProviderSelection: false
  assetPublicURL: ""
  grantConfig:
    method: deny
    serviceAccountMethod: prompt
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: lookup
    name: IAM
    provider:
      apiVersion: osin.config.openshift.io/v1
      ca: ""
      claims:
        email:
        - email
        groups: null
        id:
        - iam_id
        name:
        - name
        preferredUsername:
        - preferred_username
      clientID: kubernetes-openshift
      clientSecret:
        env: ""
        file: /etc/oauth/idp/idp_secret_0_client-secret/clientSecret
        keyFile: ""
        value: ""
      extraAuthorizeParameters: null
      extraScopes: null
      kind: OpenIDIdentityProvider
      urls:
        authorize: https://iam.test.cloud.ibm.com/identity/authorize
        token: https://iam.test.cloud.ibm.com/identity/2705a8c405ac41e0a822ec559d56e5ad/token
        userInfo: https://iam.test.cloud.ibm.com/identity/userinfo
  loginURL: https://clusterIDXXX.private.stage-us-south.containers.test.cloud.ibm.com:31943
  masterCA: /etc/kubernetes/certs/master-ca/ca.crt
  masterPublicURL: https://clusterIDXXX.private.stage-us-south.containers.test.cloud.ibm.com:31980
  masterURL: https://d1e3djt508p0og7kqs8g.private.stage-us-south.containers.test.cloud.ibm.com:31980
We made a tactical fix (using some DNS hacks) and it is now working, but we would like a more generic solution.
Version-Release number of selected component (if applicable):
How reproducible:
Please see above.
Steps to Reproduce:
1. Please see above.
Actual results:
Error getting token: Post "https://clusterIDXXX.private.ca-mon.containers.cloud.ibm.com:31980/oauth/token": Bad Gateway
Expected results:
Your API token is ... - Copy Login command is successful
Additional info: