OpenShift Bugs: OCPBUGS-64627

Need to add a note that if the Console is not enabled, `oidcClients` should not be set when configuring external OIDC


    Sprint: OSDOCS Sprint 279, OSDOCS sprint 280

      Description of problem:

      If the Console is not enabled, `oidcClients` should not be set when configuring external OIDC as the auth provider, but there is no such note or message in the authentication doc.
      
      Setting `oidcClients` when the console is not enabled produces this error:
      
      The Authentication "cluster" is invalid: <nil>: Invalid value: "object": no such key: oidcClients evaluating rule: all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients
          

      Version-Release number of selected component (if applicable):

      4.19+
          

      How reproducible:

      always
          

      Steps to Reproduce:

          1. oc get co console
      Error from server (NotFound): clusteroperators.config.openshift.io "console" not found
      oc patch authentication.config/cluster --type=merge -p="
      spec:
        oidcProviders:
        - claimMappings:
            groups:
              claim: groups
              prefix: 'oidc-groups-test:'
            username:
              claim: email
              prefixPolicy: Prefix
              prefix:
                prefixString: 'oidc-user-test:'
          issuer:
            audiences:
            - $CONSOLE_CLIENT_ID
            - $CLI_CLIENT_ID
            issuerURL: $ISSUER_URL
          name: microsoft-entra-id
          oidcClients:
          - clientID: $CONSOLE_CLIENT_ID
            clientSecret:
              name: $CONSOLE_CLIENT_SECRET_NAME
            componentName: console
            componentNamespace: openshift-console
        type: OIDC
        webhookTokenAuthenticator: null
      "
      The Authentication "cluster" is invalid: <nil>: Invalid value: "object": no such key: oidcClients evaluating rule: all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients
          2. External OIDC can be configured without `oidcClients` when the console is not enabled:
      oc patch authentication.config/cluster --type=merge -p="
      spec:
        oidcProviders:
        - claimMappings:
            groups:
              claim: groups
              prefix: 'oidc-groups-test:'
            username:
              claim: email
              prefixPolicy: Prefix
              prefix:
                prefixString: 'oidc-user-test:'
          issuer:
            audiences:
            - $CLI_CLIENT_ID
            issuerURL: $ISSUER_URL
          name: microsoft-entra-id
        type: OIDC
        webhookTokenAuthenticator: null
      "
      authentication.config.openshift.io/cluster patched
      
       oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email --callback-port=8080
      Please visit the following URL in your browser: http://localhost:8080/
      Logged into "https://api.wxj-no-console.qe.devcluster.openshift.com:6443" as "oidc-user-test:xiuwang@redhat.com" from an external oidc issuer.
      
      You don't have any projects. Contact your system administrator to request a project.
      ❯ oc auth whoami
      ATTRIBUTE   VALUE
      Username    oidc-user-test:xiuwang@redhat.com
      UID         *****
      Groups      **** system:authenticated]
      
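The error in step 1 comes from a validation rule on the Authentication resource, and the reason step 2 passes is simply that it contains no oidcClients for the rule to check. The following is an added example, not code from this report or from OpenShift: it models that rule in Python, using the rule text quoted in the error and the two patch bodies above as constructed input, and adds a helper that drops the client entries the rule would reject so the spec takes the shape step 2 uses. The structure of status.oidcClients (entries carrying componentName and componentNamespace, registered by the consuming component) is an assumption made for illustration; the practical check before patching remains `oc get co console`, as in step 1.

```python
"""Offline model of the admission rule behind the error in step 1.

Added example, not code from the bug report or from OpenShift itself. It
reproduces in Python the rule quoted in the error message:

    all oidcClients in the oidcProviders must match their componentName and
    componentNamespace to either a previously configured oidcClient or they
    must exist in the status.oidcClients

The spec fragments mirror the two `oc patch` bodies in the report. The shape
of status.oidcClients (a list of entries carrying componentName and
componentNamespace, written by the component that consumes the client) is an
assumption made for illustration.
"""
import copy
from typing import Any, Dict, List, Optional, Set, Tuple

Obj = Dict[str, Any]
Key = Tuple[str, str]


def _keys(clients: List[Obj]) -> Set[Key]:
    return {(c["componentName"], c["componentNamespace"]) for c in clients}


def validate_oidc_clients(new_spec: Obj, old_spec: Optional[Obj], status: Optional[Obj]) -> List[str]:
    """Return the rule violations for a proposed spec; an empty list means it would be admitted."""
    # "previously configured" clients are those already present in the stored spec.
    previous: Set[Key] = set()
    for p in (old_spec or {}).get("oidcProviders", []):
        previous |= _keys(p.get("oidcClients", []))
    # On a cluster without the console operator nothing has registered a client,
    # so status has no oidcClients key at all: the "no such key" part of the error.
    missing_key = status is None or "oidcClients" not in status
    registered: Set[Key] = set() if missing_key else _keys(status["oidcClients"])
    errors: List[str] = []
    for p in new_spec.get("oidcProviders", []):
        for c in p.get("oidcClients", []):
            key = (c["componentName"], c["componentNamespace"])
            if key in previous or key in registered:
                continue
            detail = "no such key: oidcClients" if missing_key else f"status.oidcClients has {sorted(registered)}"
            errors.append(f"provider {p['name']!r}: oidcClient {key} is neither previously configured nor registered ({detail})")
    return errors


def strip_unregistered_clients(spec: Obj, old_spec: Optional[Obj], status: Optional[Obj]) -> Obj:
    """Copy of spec with every oidcClient the rule would reject removed.

    The oidcClients key is dropped entirely when nothing is left, which is the
    shape step 2 of the report uses on a cluster without the console. The
    issuer audiences are left alone: an extra audience is not a validation
    error, it only means tokens minted for that audience are also accepted.
    """
    out = copy.deepcopy(spec)
    for p in out.get("oidcProviders", []):
        kept = [
            c for c in p.get("oidcClients", [])
            if not validate_oidc_clients({"oidcProviders": [{"name": p["name"], "oidcClients": [c]}]}, old_spec, status)
        ]
        if kept:
            p["oidcClients"] = kept
        else:
            p.pop("oidcClients", None)
    return out


# Constructed data mirroring the report; the $-placeholders are kept as literal strings.
PROVIDER_WITH_CONSOLE_CLIENT: Obj = {
    "name": "microsoft-entra-id",
    "issuer": {"issuerURL": "$ISSUER_URL", "audiences": ["$CONSOLE_CLIENT_ID", "$CLI_CLIENT_ID"]},
    "oidcClients": [{
        "clientID": "$CONSOLE_CLIENT_ID",
        "clientSecret": {"name": "$CONSOLE_CLIENT_SECRET_NAME"},
        "componentName": "console",
        "componentNamespace": "openshift-console",
    }],
}
SPEC_STEP1: Obj = {"type": "OIDC", "oidcProviders": [PROVIDER_WITH_CONSOLE_CLIENT]}       # rejected in step 1
SPEC_STEP2: Obj = {"type": "OIDC", "oidcProviders": [
    {k: v for k, v in PROVIDER_WITH_CONSOLE_CLIENT.items() if k != "oidcClients"}]}     # accepted in step 2

# Constructed status objects (assumed shape): no console operator -> no oidcClients key;
# with the console operator -> the console has registered its client.
STATUS_NO_CONSOLE: Obj = {}
STATUS_WITH_CONSOLE: Obj = {"oidcClients": [{"componentName": "console", "componentNamespace": "openshift-console"}]}


if __name__ == "__main__":
    for label, spec, status in [("step 1, no console", SPEC_STEP1, STATUS_NO_CONSOLE),
                                ("step 2, no console", SPEC_STEP2, STATUS_NO_CONSOLE),
                                ("step 1, console present", SPEC_STEP1, STATUS_WITH_CONSOLE)]:
        errs = validate_oidc_clients(spec, None, status)
        print(f"{label}: {'admitted' if not errs else errs[0]}")
    stripped = strip_unregistered_clients(SPEC_STEP1, None, STATUS_NO_CONSOLE)
    print("stripped provider keys for a no-console cluster:", sorted(stripped["oidcProviders"][0]))
```

Running it shows the step 1 spec rejected against an empty status with the same "no such key: oidcClients" detail as the real error, the step 2 spec admitted, and the step 1 spec admitted once a console registration is present in status or once the same client is already in the stored spec.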

      Actual results:

      
          

      Expected results:

      The authentication doc needs to be updated to add such a note.
          

      Additional info:

      
          

              Assignee: Andrea Hoffer (rhn-support-ahoffer)
              Reporter: XiuJuan Wang (rh-ee-xiuwang)