Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.20.0
Component/s: Management Console
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Critical
Regression:
None
Epic Link:
CNTRLPLANE-883

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

When configure cluster with  external oidc provider without issuerCertificateAuthority, will cause machine-config co degrade.

Version-Release number of selected component (if applicable):

     Version: 4.20.0-0.nightly-2025-09-19-231410

How reproducible:

     Always

Steps to Reproduce:

    1. Configure cluster with external oidc provider  without issuerCertificateAuthority
  spec:
    oauthMetadata:
      name: ""
    oidcProviders:
    - claimMappings:
        groups:
          claim: groups
          prefix: 'oidc-groups-test:'
        username:
          claim: email
          prefix:
            prefixString: 'oidc-user-test:'
          prefixPolicy: Prefix
      issuer:
        audiences:
        - <client_id>
        issuerCertificateAuthority:
          name: ""                 #no configmap with server certificate's CA file caCert.pem
        issuerURL: <issuer_url>
      name: windows-oidc
      oidcClients:
      - clientID: <client_id>
        clientSecret:
          name: adfs-secret
        componentName: console
        componentNamespace: openshift-console
        extraScopes:
        - email
        - profile
        - allatclaims
    serviceAccountIssuer: ""
    type: OIDC

2. Check console operator

# oc get co
NAME                                       VERSION                              AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication                             4.20.0-0.nightly-2025-09-19-231410   True        False         True       153m    APIServerDeploymentDegraded: 1 of 3 requested instances are unavailable for apiserver.openshift-oauth-apiserver ()...
baremetal                                  4.20.0-0.nightly-2025-09-19-231410   True        False         False      179m    
cloud-controller-manager                   4.20.0-0.nightly-2025-09-19-231410   True        False         False      3h1m    
cloud-credential                           4.20.0-0.nightly-2025-09-19-231410   True        False         False      3h2m    
cluster-api                                4.20.0-0.nightly-2025-09-19-231410   True        False         False      69m     
cluster-autoscaler                         4.20.0-0.nightly-2025-09-19-231410   True        False         False      179m    
config-operator                            4.20.0-0.nightly-2025-09-19-231410   True        False         False      179m    
console                                    4.20.0-0.nightly-2025-09-19-231410   True        True          False      161m    SyncLoopRefreshProgressing: working toward version 4.20.0-0.nightly-2025-09-19-231410, 1 replicas available
control-plane-machine-set                  4.20.0-0.nightly-2025-09-19-231410   True        False         False      176m    
csi-snapshot-controller                    4.20.0-0.nightly-2025-09-19-231410   True        False         False      178m    
dns                                        4.20.0-0.nightly-2025-09-19-231410   True        False         False      178m    
etcd                                       4.20.0-0.nightly-2025-09-19-231410   True        False         False      177m    
image-registry                             4.20.0-0.nightly-2025-09-19-231410   True        False         False      168m    
ingress                                    4.20.0-0.nightly-2025-09-19-231410   True        False         False      167m    
insights                                   4.20.0-0.nightly-2025-09-19-231410   True        False         False      173m    
kube-apiserver                             4.20.0-0.nightly-2025-09-19-231410   True        False         False      173m    
kube-controller-manager                    4.20.0-0.nightly-2025-09-19-231410   True        False         False      174m    
kube-scheduler                             4.20.0-0.nightly-2025-09-19-231410   True        False         False      176m    
kube-storage-version-migrator              4.20.0-0.nightly-2025-09-19-231410   True        False         False      58m     
machine-api                                4.20.0-0.nightly-2025-09-19-231410   True        False         False      168m    
machine-approver                           4.20.0-0.nightly-2025-09-19-231410   True        False         False      179m    
machine-config                             4.20.0-0.nightly-2025-09-19-231410   True        False         True       177m    Failed to resync 4.20.0-0.nightly-2025-09-19-231410 because: error during syncRequiredMachineConfigPools: [context deadline exceeded, error required MachineConfigPool master is not ready, retrying. Status: (total: 3, ready 2, updated: 2, unavailable: 1, degraded: 0)]
marketplace                                4.20.0-0.nightly-2025-09-19-231410   True        False         False      178m    
monitoring                                 4.20.0-0.nightly-2025-09-19-231410   True        False         False      166m    
network                                    4.20.0-0.nightly-2025-09-19-231410   True        False         False      3h1m    
node-tuning                                4.20.0-0.nightly-2025-09-19-231410   True        False         False      123m    
olm                                        4.20.0-0.nightly-2025-09-19-231410   True        False         False      178m    
openshift-apiserver                        4.20.0-0.nightly-2025-09-19-231410   True        True          True       168m    APIServerDeploymentDegraded: 1 of 3 requested instances are unavailable for apiserver.openshift-apiserver ()
openshift-controller-manager               4.20.0-0.nightly-2025-09-19-231410   True        False         False      172m    
openshift-samples                          4.20.0-0.nightly-2025-09-19-231410   True        False         False      167m    
operator-lifecycle-manager                 4.20.0-0.nightly-2025-09-19-231410   True        False         False      178m    
operator-lifecycle-manager-catalog         4.20.0-0.nightly-2025-09-19-231410   True        False         False      178m    
operator-lifecycle-manager-packageserver   4.20.0-0.nightly-2025-09-19-231410   True        False         False      168m    
service-ca                                 4.20.0-0.nightly-2025-09-19-231410   True        False         False      179m    
storage                                    4.20.0-0.nightly-2025-09-19-231410   True        False         False      177m

3. Console operator is degrade cause machine-config co degrade

$ oc get pod -n openshift-console -o wide 
NAME                        READY   STATUS    RESTARTS         AGE   IP            NODE                                        NOMINATED NODE   READINESS GATES
console-5cbd4b7844-bfjvb    1/1     Running   0                97m   10.128.0.43   ip-10-0-xx-xx.us-east-2.compute.internal   <none>           <none>
console-6b4d948b6b-28rsq    0/1     Running   18 (13s ago)     91m   10.130.0.30   ip-10-0-xx-xx.us-east-2.xx.internal    <none>           <none>
console-xx-zsp8k    0/1     Running   16 (4m38s ago)   91m   10.129.0.12   ip-10-0-xx-15.xxx-east-xx.compute.xx    <none>           <none>
downloads-55b85fb98-5djqw   1/1     Running   0                91m   10.130.0.24   ip-xx-0-xx-15.us-xx  Unhealthy       90m (x12 over 91m)    kubelet            Startup probe failed: Get "https://10.130.0.30:8443/health": dial tcp xxxx:8443: connect: connection refused
  Normal   Created         56m (x8 over 91m)     kubelet            Created container: console
  Normal   Started         56m (x8 over 91m)     kubelet            Started container console
  Normal   Pulled          51m (x9 over 92m)     kubelet            Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f6e57b3ac7ba1e806c194513ffbdba6a451b7ea4848672da90ab8fc3c98abaa5" already present on machine
  Normal   Killing         2m3s (x18 over 87m)   kubelet            Container console failed startup probe, will be restarted
  Warning  ProbeError      103s (x542 over 91m)  kubelet            Startup probe error: Get "https://xxx:8443/health": dial tcp xxx:8443: connect: connection refused

4. Check nodes
[root@wewang-thinkpadt14sgen2i ~]#  oc get nodes
NAME                                        STATUS                     ROLES                  AGE     VERSION
ip-xxx-0-xx-xxx.us-east-2.compute.internal    Ready                      worker                 174m    v1.33.4
ip-xxx-0-26-xxx.us-xx-2.compute.internal    Ready                      control-plane,master   3h52m   v1.33.4
ip-xx-0-41-xx.us-east-2.compute.internal    Ready,SchedulingDisabled   worker                 8m13s   v1.33.4
ip-xx-0-42-xxx.us-east-2.compute.internal   Ready,SchedulingDisabled   control-plane,master   3h52m   v1.33.4
ip-xx-0-xx-xxx.us-east-2.compute.internal    Ready                      worker                 3h39m   v1.33.4
ip-xx-xx-xxx-xx.us-east-2.compute.internal    Ready                      control-plane,master   3h52m   v1.33.4

Actual results:

    Machine-config co is degrade, one master node is not ready

Expected results:

   Console co should check the configmap first, do not cause machine-config co degrade.

Additional info:

Must gather log: https://drive.google.com/drive/folders/119m4IKoqt-UA1fm1kHtyv48ehHnp8bam?usp=drive_link

Assignee:: Jon Jackson

Reporter:: Wen Wang

Need Info From:: None

Contributors:: None

QA Contact:: Wen Wang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2025/09/22 2:59 AM

Updated:: 2025/10/16 1:36 AM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates