Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.16.z, 4.20.0
Component/s: oauth-apiserver
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None
Architecture:

x86_64

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    A customer discovered that when they update their custom ingress certificate, they are no longer able to login to their cluster. Using the kubeconfig file, they discovered that the v4-0-config-system-router-certs secret in the openshift-authentication namespace had a corrupted certificate. Specifically, the tls.crt and tls.key ended up on the same line:

...
hX0461AR1eKD6thzHXO2D8DUzSP4JdWiC6n3yyJvNCLJ3z7fSqe8Y8UvyxBoa1rI
EwB10Cd7DAGBUXQOfpv0JpbKb4GuSVxNv2bHl5op5I3N6C3vJBSZA/jzsHYVX8jF
T3GASQnmVEGgqeC8lpawMw==
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
MIIDfzCCAmegAwIBAgIIHNpb3HsmtbwwDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE
AwwbaW5ncmVzcy1vcGVyYXRvckAxNzYxNTc0ODY0MB4XDTI1MTAyNzE0MjEwNVoX
...

They determined this is a result of the tls.crt in the custom ingress cert did not end in a newline character. Adding a newline to the tls.crt key in the custom ingress secret caused the v4-0-config-system-router-certs to be updated correctly.

Version-Release number of selected component (if applicable):

    Customer is running 4.16, but I was able to recreate the issue in a 4.20.0 lab environment.

How reproducible:

It is easiest to reproduce in the Console. Just update the tls.crt in the custom ingress secret (or the router-certs-default secret if there is no custom cert) and remove the newline character from the end of the secret. This will roll out a new router cert secret that will prevent authentication from working.

Steps to Reproduce:

    1. Remove the newline character from the tls.crt key in the custom (or default) ingress certificate secret
    2. Wait a few moments for the updated secret to be rolled into the openshift-authentication router secret called v4-0-config-system-router-certs.
    3. Note that the v4-0-config-system-router-certs has the "END CERTIFICATE" and "BEGIN CERTIFICATE" on the same line and that the authentication ClusterOperator has an error:

"OAuthServerDeploymentAvailable: no oauth-openshift.openshift-authentication pods available on any node...."

Actual results:

    The openshift-authentication CO has an error.

Expected results:

    The newline character should be added so that the openshift-authentication router cert secret is not corrupted.

Additional info:

    The customer did not open a case since they know the workaround and I was able to recreate the issue very easily in a lab cluster.

Assignee:: Unassigned

Reporter:: Matthew Secaur

Need Info From:: None

Contributors:: None

QA Contact:: Xingxing Xia

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/10/29 7:01 PM

Updated:: 2025/10/30 2:28 AM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates