OpenShift Bugs: OCPBUGS-61432

No oidcClient conditions are set when OIDC client secret is missing


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Fix/target version: 4.21.0
    • Affects versions: 4.18, 4.19, 4.20.0, 4.21
    • Component: Management Console
    • Quality / Stability / Reliability
    • Release note status: Proposed
    • Release note type: Bug Fix
    • Release note text: Previously, the OIDCClientSecretGet condition was not set when the OIDC client secret was missing, because the controller checked for the wrong secret in the wrong namespace, so the status appeared successful when it should have indicated a missing secret. With this fix, the controller checks the correct secret name and namespace, and the OIDCClientSecretGet condition reflects the actual result of the OIDC client secret retrieval.

      Description of problem:

      In the Authentication resource with type set to OIDC, the oidcProviders reference ConfigMaps and Secrets that are expected to exist in the `openshift-config` namespace.
      
      Yet when the console oidcClient's clientSecret references a Secret that doesn't exist, none of the conditions set under status.oidcClients reflect that.
      
      Looking into the code shows that there is an OIDCClientSecretGet condition that should be set, yet the code verifying it looks for the console OAuth client secret under `openshift-console` instead of the referenced secret under `openshift-config`.

      Version-Release number of selected component (if applicable):

          

      How reproducible:

      Always    

      Steps to Reproduce:

      1. Set the Authentication resource "cluster" with type OIDC and an OIDC client with componentName: console and componentNamespace: openshift-console.
      2. Set clientSecret.name pointing to a secret that doesn't exist.
      3. Check the Authentication "cluster" status.
      

      Example resource:

      apiVersion: config.openshift.io/v1
      kind: Authentication
      metadata:
        name: cluster
      spec:
        type: OIDC
        oauthMetadata:
          name: ""
        oidcProviders:
        - claimMappings:
            groups:
              claim: groups
              prefix: ""
            username:
              claim: email
              prefixPolicy: ""
          issuer:
            audiences:
            - console
            - cli
            issuerCertificateAuthority:
              name: ""
            issuerURL: https://ec2-34-200-245-8.compute-1.amazonaws.com
          name: dex
          oidcClients:
          - clientID: console
            clientSecret:
              name: console-client-secret
            componentName: console
            componentNamespace: openshift-console
          - clientID: oc-cli-test
            clientSecret:
              name: ""
            componentName: cli
            componentNamespace: openshift-console
        serviceAccountIssuer: https://aabdelre-dev.s3.us-east-1.amazonaws.com/aabdelre-devenv-gf55d
      

      Actual results:

      No conditions reflecting that the secret doesn't exist

      Expected results:

        - componentName: console
          componentNamespace: openshift-console
          conditions:
          - lastTransitionTime: "2025-09-09T13:14:37Z"
            message: secret "console-client-secret" not found
            reason: OIDCClientSecretGet
            status: "True"
            type: Degraded
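      The following Go program is an added illustration of the defect and of the expected behaviour; it is not code from the console operator. It models the API server as an in-memory map, reproduces the wrong lookup (the console OAuth client secret in openshift-console, with a placeholder name because the report does not give it) beside the correct one (spec clientSecret.name in openshift-config), and derives the Degraded/OIDCClientSecretGet condition shown in the expected results. The `OIDCClientSpec`, `Condition`, `SecretStore` and `OIDCClientConditions` names are constructed for this example; emitting Degraded=False on success, and treating an empty clientSecret.name (the cli client in the example resource) as "no secret required", are assumptions.

```go
package main

import "fmt"

// OIDCClientSpec is a constructed, trimmed-down model of one entry in
// spec.oidcProviders[].oidcClients[] of the Authentication resource.
// It is not the OpenShift API type.
type OIDCClientSpec struct {
	ClientID           string
	ClientSecretName   string // spec...clientSecret.name
	ComponentName      string
	ComponentNamespace string
}

// Condition mirrors the fields shown in the expected status.
type Condition struct {
	Type    string
	Status  string
	Reason  string
	Message string
}

// SecretStore stands in for the API server: namespace -> secret name -> exists.
type SecretStore map[string]map[string]bool

// Get returns an error in the same form as the expected status message
// when the secret is absent from the namespace.
func (s SecretStore) Get(namespace, name string) error {
	if s[namespace][name] {
		return nil
	}
	return fmt.Errorf("secret %q not found", name)
}

// Namespace holding the ConfigMaps and Secrets that oidcProviders reference.
const oidcConfigNamespace = "openshift-config"

// Placeholder for the console's own OAuth client secret; the real name is not
// part of this report and does not matter for the fix.
const consoleOAuthSecretPlaceholder = "<console-oauth-client-secret>"

// OIDCClientConditions derives the Degraded condition for one oidcClient.
// With fixed=false it reproduces the reported defect: the lookup ignores
// clientSecret.name and checks the console OAuth secret in openshift-console,
// so a missing OIDC client secret never surfaces in status.
// With fixed=true it checks clientSecret.name in openshift-config.
// Emitting Degraded=False on success is an assumption made for this example.
func OIDCClientConditions(store SecretStore, client OIDCClientSpec, fixed bool) []Condition {
	cond := Condition{Type: "Degraded", Status: "False", Reason: "OIDCClientSecretGet"}

	namespace, name := client.ComponentNamespace, consoleOAuthSecretPlaceholder
	if fixed {
		// Assumption: an empty clientSecret.name means no secret is required
		// (the cli client in the example resource), so there is nothing to fetch.
		if client.ClientSecretName == "" {
			return []Condition{cond}
		}
		namespace, name = oidcConfigNamespace, client.ClientSecretName
	}

	if err := store.Get(namespace, name); err != nil {
		cond.Status = "True"
		cond.Message = err.Error()
	}
	return []Condition{cond}
}

// ReproStore builds the constructed cluster state from the report: the
// console's OAuth secret exists in openshift-console, but console-client-secret
// is missing from openshift-config.
func ReproStore() SecretStore {
	return SecretStore{
		"openshift-console": {consoleOAuthSecretPlaceholder: true},
		"openshift-config":  {},
	}
}

func main() {
	client := OIDCClientSpec{
		ClientID:           "console",
		ClientSecretName:   "console-client-secret",
		ComponentName:      "console",
		ComponentNamespace: "openshift-console",
	}
	for _, fixed := range []bool{false, true} {
		for _, c := range OIDCClientConditions(ReproStore(), client, fixed) {
			fmt.Printf("fixed=%v type=%s status=%s reason=%s message=%q\n",
				fixed, c.Type, c.Status, c.Reason, c.Message)
		}
	}
}
```

      Running it shows the buggy path reporting Degraded=False (the unrelated secret it checks does exist) while the fixed path reports Degraded=True with message `secret "console-client-secret" not found`; creating the secret in openshift-config clears the condition again, which is the signal an operator needs to notice a misconfigured OIDC client before users hit a failing login.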
      

      Additional info:

          

              Ahmed Abdalla Abdelrehim (rh-ee-aabdelre)
              Yanping Zhang