Bug
Resolution: Unresolved
Affects versions: 4.16, 4.17, 4.18, 4.19
Quality / Stability / Reliability
Important
Description of problem:
The documentation currently describes how to update the manual mode short-term token credentials using ccoctl as part of the upgrade process. However, it assumes the user still has the original output directory. When these steps are followed without this directory, a new keypair is created by the ccoctl tool. This updates the key in the oidc issuer such that it no longer matches the keypair in the actual cluster. To resolve this, the documentation needs to be updated to add steps to obtain the bound service account signing key and place it into the output dir prior to running the ccoctl command.
Version-Release number of selected component (if applicable):
4.19, 4.18, and prior
How reproducible:
Always, when the output dir is empty.
Steps to Reproduce:
1. Create an OIDC cluster (gcp, azure, or aws).
2. Follow the manual mode OIDC documentation with a clean output dir.
3. The core operators will start failing to authenticate.
Actual results:
Core operators will fail to authenticate
Expected results:
Core operators should not fail to authenticate
Additional info:
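The following script is an added example and is not part of the bug report, the OpenShift documentation, or the ccoctl tool. It shows the missing step the report asks for: copying the cluster's current bound service account signing key pair into the ccoctl output directory before running ccoctl, so ccoctl reuses that pair instead of minting a new one, and then checking that the key ID the cluster signs tokens with is actually listed in the issuer's JWKS. It assumes (verify against your cluster and ccoctl version) that the live pair is stored in the secret next-bound-service-account-signing-key in the openshift-kube-apiserver-operator namespace under the data keys service-account.key and service-account.pub, that ccoctl expects the files serviceaccount-signer.private and serviceaccount-signer.public in the output directory, that the issuer publishes a standard OIDC discovery document with a jwks_uri, and that the JWKS kid is the unpadded base64url encoding of the SHA-256 of the DER-encoded public key, as the Kubernetes service account token signer computes it. The oc and curl calls are only reached when the script is invoked with the fetch or check subcommand; OUTPUT_DIR is an assumed environment variable.

```shell
#!/bin/sh
# Added example, not taken from the bug report or the OpenShift docs.
# Seeds the ccoctl output directory with the cluster's *current* bound
# service account signing key pair, then checks that the key ID the
# cluster signs tokens with is present in the issuer's JWKS.
#
# Assumptions (verify against your cluster and ccoctl version):
#  - the live key pair is in secret next-bound-service-account-signing-key
#    (namespace openshift-kube-apiserver-operator) under the data keys
#    service-account.key / service-account.pub;
#  - ccoctl reads/writes the pair as <output_dir>/serviceaccount-signer.private
#    and <output_dir>/serviceaccount-signer.public;
#  - the JWKS "kid" is base64url(SHA-256(DER SubjectPublicKeyInfo)), unpadded,
#    as computed by the Kubernetes service account token signer.
set -u

OUTPUT_DIR="${OUTPUT_DIR:-./ccoctl-output}"   # assumed variable name
SA_SECRET="next-bound-service-account-signing-key"
SA_NS="openshift-kube-apiserver-operator"

# Copy the cluster's signing key pair into the ccoctl output dir so that
# ccoctl reuses it instead of generating a fresh pair.
fetch_signing_key() {
  mkdir -p "$OUTPUT_DIR"
  oc get secret "$SA_SECRET" -n "$SA_NS" \
    -o jsonpath='{.data.service-account\.key}' | base64 -d \
    > "$OUTPUT_DIR/serviceaccount-signer.private"
  oc get secret "$SA_SECRET" -n "$SA_NS" \
    -o jsonpath='{.data.service-account\.pub}' | base64 -d \
    > "$OUTPUT_DIR/serviceaccount-signer.public"
  chmod 600 "$OUTPUT_DIR/serviceaccount-signer.private"
}

# Key ID of a PEM public key: base64url(SHA-256(DER)) without padding.
kid_from_pub_pem() {
  openssl pkey -pubin -in "$1" -outform DER \
    | openssl dgst -sha256 -binary \
    | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Return 0 if the JWKS document in $1 lists the kid of the public key in $2.
jwks_has_kid() {
  want=$(kid_from_pub_pem "$2")
  grep -o '"kid"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" \
    | grep -q "\"$want\"\$"
}

# Fetch the issuer's JWKS via the OIDC discovery document and compare it
# against the public key sitting in the ccoctl output dir.
check_issuer_matches_cluster() {
  issuer="$1"
  jwks_file=$(mktemp)
  jwks_uri=$(curl -sf "$issuer/.well-known/openid-configuration" \
    | grep -o '"jwks_uri"[[:space:]]*:[[:space:]]*"[^"]*"' \
    | sed 's/.*"\([^"]*\)"$/\1/')
  curl -sf "$jwks_uri" > "$jwks_file"
  if jwks_has_kid "$jwks_file" "$OUTPUT_DIR/serviceaccount-signer.public"; then
    echo "OK: issuer JWKS contains the cluster's signing key"
    rm -f "$jwks_file"; return 0
  fi
  echo "MISMATCH: issuer JWKS lacks the cluster's signing key; do not proceed" >&2
  rm -f "$jwks_file"; return 1
}

# Usage: OUTPUT_DIR=... ./seed-ccoctl.sh fetch
#        OUTPUT_DIR=... ./seed-ccoctl.sh check https://<issuer-host>/<path>
case "${1:-}" in
  fetch) fetch_signing_key ;;
  check) check_issuer_matches_cluster "$2" ;;
  *) ;;   # run without arguments: only define the functions
esac
```

Run fetch before the ccoctl step so the output directory already contains the cluster's key pair, and run check against the issuer URL after ccoctl has finished. A MISMATCH means the issuer now advertises a key the cluster does not sign with, which is exactly the state the report describes, and the operators will start failing to authenticate once they next request a token.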