Bug
Resolution: Done
Version of components:
RHOSDT 3.7 Tempo Operator version 0.18.0
Description of the problem:
The oauth-proxy container in Tempo instances fails to start with the following error:
% oc logs tempo-simplest-query-frontend-6464df7b7f-pplzd -c oauth-proxy
flag provided but not defined: -upstream-timeout
Usage of oauth2_proxy:
  -approval-prompt string
        OAuth approval_prompt (default "force")
  -authenticated-emails-file string
        authenticate against emails via file (one per line)
  -authentication-kubeconfig string
        kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenaccessreviews.authentication.k8s.io.
  -authentication-token-webhook-cache-ttl duration
        The duration to cache responses from the webhook token authenticator. (default 2m0s)
  -authorization-kubeconfig string
        kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io.
  -authorization-webhook-cache-authorized-ttl duration
        The duration to cache 'authorized' responses from the webhook authorizer. (default 2m0s)
  -authorization-webhook-cache-unauthorized-ttl duration
        The duration to cache 'unauthorized' responses from the webhook authorizer. (default 5s)
  -basic-auth-password string
        the password to set when passing the HTTP Basic Auth header
  -bypass-auth-except-for value
        provide authentication ONLY for request paths under proxy-prefix and those that match the given regex (may be given multiple times). Cannot be set with -skip-auth-regex/-bypass-auth-for
  -bypass-auth-for value
        alias for skip-auth-regex
  -client-id string
        the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
  -client-secret string
        the OAuth Client Secret
  -client-secret-file string
        a file containing the client-secret
  -config string
        path to config file
  -cookie-domain string
        an optional cookie domain to force cookies to (ie: .yourcompany.com)*
  -cookie-expire duration
        expire timeframe for cookie (default 168h0m0s)
  -cookie-httponly
        set HttpOnly cookie flag (default true)
  -cookie-name string
        the name of the cookie that the oauth_proxy creates (default "_oauth_proxy")
  -cookie-refresh duration
        refresh the cookie after this duration; 0 to disable
  -cookie-samesite string
        set SameSite cookie attribute (ie: "lax", "strict", "none", or "").
  -cookie-secret string
        the seed string for secure cookies (optionally base64 encoded)
  -cookie-secret-file string
        a file containing a cookie-secret
  -cookie-secure
        set secure (HTTPS) cookie flag (default true)
  -custom-templates-dir string
        path to custom html templates
  -debug-address string
        [http://]<addr>:<port> or unix://<path> to listen on for debug and requests
  -display-htpasswd-form
        display username / password login form if an htpasswd file is provided (default true)
  -email-domain value
        authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
  -footer string
        custom footer string. Use "-" to disable default footer.
  -htpasswd-file string
        additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA password hashes or "htpasswd -B" for bcrypt hashes
  -http-address string
        [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients (default "127.0.0.1:4180")
  -https-address string
        <addr>:<port> to listen on for HTTPS clients (default ":8443")
  -kubeconfig string
        kubeconfig file pointing at the 'core' OpenShift server that has the oauth-server running on it
  -login-url string
        Authentication endpoint
  -logout-url string
        absolute URL to redirect web browsers to after logging out of openshift oauth server
  -openshift-ca value
        paths to CA roots for the OpenShift API (may be given multiple times, defaults to /var/run/secrets/kubernetes.io/serviceaccount/ca.crt).
  -openshift-delegate-urls string
        If set, perform delegated authorization against the OpenShift API server. Value is a JSON map of path prefixes to v1beta1.ResourceAttribute records that must be granted to the user to continue. E.g. {"/":{"resource":"pods","namespace":"default","name":"test"}} only allows users who can see the pod test in namespace default.
  -openshift-group string
        restrict logins to members of this group (or groups, if encoded as a JSON array).
  -openshift-review-url string
        Permission check endpoint (defaults to the subject access review endpoint)
  -openshift-sar string
        require this encoded subject access review to authorize (may be a JSON list).
  -openshift-sar-by-host string
        require this encoded subject access review to authorize (must be a JSON array).
  -openshift-service-account string
        An optional name of an OpenShift service account to act as. If set, the injected service account info will be used to determine the client ID and client secret.
  -pass-access-token
        pass OAuth access_token to upstream via X-Forwarded-Access-Token header
  -pass-basic-auth
        pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
  -pass-host-header
        pass the request Host Header to upstream (default true)
  -pass-user-bearer-token
        pass OAuth access token received from the client to upstream via X-Forwarded-Access-Token header
  -pass-user-headers
        pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
  -profile-url string
        Profile access endpoint
  -provider string
        OAuth provider (default "openshift")
  -proxy-prefix string
        the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in) (default "/oauth")
  -proxy-websockets
        enables WebSocket proxying (default true)
  -redeem-url string
        Token redemption endpoint
  -redirect-url string
        the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth/callback"
  -request-logging
        Log requests to stdout
  -requestheader-allowed-names value
        List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.
  -requestheader-client-ca-file string
        Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers
  -requestheader-extra-headers-prefix value
        List of request header prefixes to inspect. X-Remote-Extra- is suggested.
  -requestheader-group-headers value
        List of request headers to inspect for groups. X-Remote-Group is suggested.
  -requestheader-username-headers value
        List of request headers to inspect for usernames. X-Remote-User is common.
  -scope string
        OAuth scope specification
  -set-xauthrequest
        set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
  -signature-key string
        GAP-Signature request signature key (algorithm:secretkey)
  -skip-auth-preflight
        will skip authentication for OPTIONS requests
  -skip-auth-regex value
        bypass authentication for request paths that match (may be given multiple times). Cannot be set with -bypass-auth-except-for. Alias for -bypass-auth-for
  -skip-provider-button
        will skip sign-in-page to directly reach the next step: oauth/start
  -ssl-insecure-skip-verify
        skip validation of certificates presented when using HTTPS
  -tls-cert string
        path to certificate file
  -tls-client-ca string
        path to a CA file for admitting client certificates.
  -tls-key string
        path to private key file
  -upstream value
        the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
  -upstream-ca value
        paths to CA roots for the Upstream (target) Server (may be given multiple times, defaults to system trust store).
  -upstream-flush duration
        force flush upstream responses after this duration(useful for streaming responses). 0 to never force flush. Defaults to 5ms (default 5ms)
  -validate-url string
        Access token validation endpoint
  -version
        print version string
Steps to reproduce the issue:
- Install the Tempo and OpenTelemetry operator from RHOSDT 3.7 build.
- Run any of the following failing tests and check the oauth-proxy container logs.
--- FAIL: chainsaw (2078.42s)
    --- FAIL: chainsaw/otel-tempo-serverless (347.02s)
    --- FAIL: chainsaw/tempo-serverless (345.44s)
    --- FAIL: chainsaw/monitoring (415.05s)
    --- FAIL: chainsaw/monolithic-monitoring (306.14s)
    --- FAIL: chainsaw/red-metrics (397.09s)
    --- FAIL: chainsaw/monolithic-route (305.92s)
    --- FAIL: chainsaw/tempo-single-tenant-auth (353.25s)
    --- FAIL: chainsaw/monolithic-single-tenant-auth (305.85s)
    --- FAIL: chainsaw/tls-singletenant-monolithic (319.87s)
    --- FAIL: chainsaw/route (411.91s)
    --- FAIL: chainsaw/tls-singletenant (416.63s)
FAIL
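A pre-flight check for the mismatch this ticket describes, added here as an example and not part of the ticket or of the Tempo operator: it parses a "Usage of oauth2_proxy:" dump in the layout shown in the log above (excerpted and constructed here) and reports which of a container's arguments name a flag the binary does not define, so an operator release can be checked against the oauth-proxy image it ships before the pod ever crash-loops. The argument list is constructed for illustration and is not the operator's real command line.

```python
import re

# Constructed excerpt of the "Usage of oauth2_proxy:" dump in the ticket, in the
# layout Go's flag package prints: "  -name type", then an indented description.
USAGE_TEXT = """Usage of oauth2_proxy:
  -https-address string
    \t<addr>:<port> to listen on for HTTPS clients (default ":8443")
  -provider string
    \tOAuth provider (default "openshift")
  -upstream value
    \tthe http url(s) of the upstream endpoint or file:// paths for static files
  -upstream-flush duration
    \tforce flush upstream responses after this duration. 0 to never force flush
"""

# A flag line is exactly two spaces, "-name" and an optional type token.
FLAG_LINE = re.compile(r"^  -([A-Za-z0-9][A-Za-z0-9._-]*)(?:\s+\w+)?\s*$")


def defined_flags(usage_text):
    """Flag names the usage dump declares, plus Go's built-in -h/-help."""
    names = {"h", "help"}
    for line in usage_text.splitlines():
        m = FLAG_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names


def undefined_flags(container_args, usage_text):
    """Args naming a flag the binary does not define, in command-line order.
    Go's flag package accepts -name, --name, -name=value and "-name value",
    stops at a bare "--", and aborts on the first unknown flag with
    'flag provided but not defined'; this reports all of them at once."""
    known = defined_flags(usage_text)
    unknown = []
    for arg in container_args:
        if arg == "--":
            break
        if not arg.startswith("-"):
            continue  # value belonging to the preceding flag
        name = arg.lstrip("-").split("=", 1)[0]
        if name and name not in known:
            unknown.append(name)
    return unknown


# Constructed argument list for illustration, not the operator's real one.
OAUTH_PROXY_ARGS = ["--provider=openshift", "--https-address=:8443",
                    "--upstream=http://localhost:3200", "--upstream-timeout=30s",
                    "--upstream-flush", "5ms"]
```

Feeding the real dump (`oc exec ... -- oauth-proxy -h`, or the log above) and the container's `args` from the rendered Deployment into `undefined_flags` flags `upstream-timeout` as the unsupported option here.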