Uploaded image for project: 'Distributed Tracing'
  1. Distributed Tracing
  2. TRACING-5652

[RHOSDT 3.7] Oauth proxy in tempo build fails with error flag provided but not defined: -upstream-timeout

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • rhosdt-3.7
    • None
    • None
    • None
    • Quality / Stability / Reliability
    • 1
    • False
    • Hide

      None

      Show
      None
    • False
    • Tracing Sprint # 277 - 3.7

      Version of components:

      RHOSDT 3.7 Tempo Operator version 0.18.0

      Description of the problem:

      The oauth proxy container in Tempo instances is failing with following error:

      % oc logs tempo-simplest-query-frontend-6464df7b7f-pplzd -c oauth-proxy
flag provided but not defined: -upstream-timeout
Usage of oauth2_proxy:
  -approval-prompt string
    OAuth approval_prompt (default "force")
  -authenticated-emails-file string
    authenticate against emails via file (one per line)
  -authentication-kubeconfig string
    kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenaccessreviews.authentication.k8s.io.
  -authentication-token-webhook-cache-ttl duration
    The duration to cache responses from the webhook token authenticator. (default 2m0s)
  -authorization-kubeconfig string
    kubeconfig file pointing at the 'core' kubernetes server with enough rights to create  subjectaccessreviews.authorization.k8s.io.
  -authorization-webhook-cache-authorized-ttl duration
    The duration to cache 'authorized' responses from the webhook authorizer. (default 2m0s)
  -authorization-webhook-cache-unauthorized-ttl duration
    The duration to cache 'unauthorized' responses from the webhook authorizer. (default 5s)
  -basic-auth-password string
    the password to set when passing the HTTP Basic Auth header
  -bypass-auth-except-for value
    provide authentication ONLY for request paths under proxy-prefix and those that match the given regex (may be given multiple times). Cannot be set with -skip-auth-regex/-bypass-auth-for
  -bypass-auth-for value
    alias for skip-auth-regex
  -client-id string
    the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
  -client-secret string
    the OAuth Client Secret
  -client-secret-file string
    a file containing the client-secret
  -config string
    path to config file
  -cookie-domain string
    an optional cookie domain to force cookies to (ie: .yourcompany.com)*
  -cookie-expire duration
    expire timeframe for cookie (default 168h0m0s)
  -cookie-httponly
    set HttpOnly cookie flag (default true)
  -cookie-name string
    the name of the cookie that the oauth_proxy creates (default "_oauth_proxy")
  -cookie-refresh duration
    refresh the cookie after this duration; 0 to disable
  -cookie-samesite string
    set SameSite cookie attribute (ie: "lax", "strict", "none", or ""). 
  -cookie-secret string
    the seed string for secure cookies (optionally base64 encoded)
  -cookie-secret-file string
    a file containing a cookie-secret
  -cookie-secure
    set secure (HTTPS) cookie flag (default true)
  -custom-templates-dir string
    path to custom html templates
  -debug-address string
    [http://]<addr>:<port> or unix://<path> to listen on for debug and requests
  -display-htpasswd-form
    display username / password login form if an htpasswd file is provided (default true)
  -email-domain value
    authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
  -footer string
    custom footer string. Use "-" to disable default footer.
  -htpasswd-file string
    additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA password hashes or "htpasswd -B" for bcrypt hashes
  -http-address string
    [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients (default "127.0.0.1:4180")
  -https-address string
    <addr>:<port> to listen on for HTTPS clients (default ":8443")
  -kubeconfig string
    kubeconfig file pointing at the 'core' OpenShift server that has the oauth-server running on it
  -login-url string
    Authentication endpoint
  -logout-url string
    absolute URL to redirect web browsers to after logging out of openshift oauth server
  -openshift-ca value
    paths to CA roots for the OpenShift API (may be given multiple times, defaults to /var/run/secrets/kubernetes.io/serviceaccount/ca.crt).
  -openshift-delegate-urls string
    If set, perform delegated authorization against the OpenShift API server. Value is a JSON map of path prefixes to v1beta1.ResourceAttribute records that must be granted to the user to continue. E.g. {"/":{"resource":"pods","namespace":"default","name":"test"}} only allows users who can see the pod test in namespace default.
  -openshift-group string
    restrict logins to members of this group (or groups, if encoded as a JSON array).
  -openshift-review-url string
    Permission check endpoint (defaults to the subject access review endpoint)
  -openshift-sar string
    require this encoded subject access review to authorize (may be a JSON list).
  -openshift-sar-by-host string
    require this encoded subject access review to authorize (must be a JSON array).
  -openshift-service-account string
    An optional name of an OpenShift service account to act as. If set, the injected service account info will be used to determine the client ID and client secret.
  -pass-access-token
    pass OAuth access_token to upstream via X-Forwarded-Access-Token header
  -pass-basic-auth
    pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
  -pass-host-header
    pass the request Host Header to upstream (default true)
  -pass-user-bearer-token
    pass OAuth access token received from the client to upstream via X-Forwarded-Access-Token header
  -pass-user-headers
    pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
  -profile-url string
    Profile access endpoint
  -provider string
    OAuth provider (default "openshift")
  -proxy-prefix string
    the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in) (default "/oauth")
  -proxy-websockets
    enables WebSocket proxying (default true)
  -redeem-url string
    Token redemption endpoint
  -redirect-url string
    the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth/callback"
  -request-logging
    Log requests to stdout
  -requestheader-allowed-names value
    List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.
  -requestheader-client-ca-file string
    Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers
  -requestheader-extra-headers-prefix value
    List of request header prefixes to inspect. X-Remote-Extra- is suggested.
  -requestheader-group-headers value
    List of request headers to inspect for groups. X-Remote-Group is suggested.
  -requestheader-username-headers value
    List of request headers to inspect for usernames. X-Remote-User is common.
  -scope string
    OAuth scope specification
  -set-xauthrequest
    set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
  -signature-key string
    GAP-Signature request signature key (algorithm:secretkey)
  -skip-auth-preflight
    will skip authentication for OPTIONS requests
  -skip-auth-regex value
    bypass authentication for request paths that match (may be given multiple times). Cannot be set with -bypass-auth-except-for. Alias for -bypass-auth-for
  -skip-provider-button
    will skip sign-in-page to directly reach the next step: oauth/start
  -ssl-insecure-skip-verify
    skip validation of certificates presented when using HTTPS
  -tls-cert string
    path to certificate file
  -tls-client-ca string
    path to a CA file for admitting client certificates.
  -tls-key string
    path to private key file
  -upstream value
    the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
  -upstream-ca value
    paths to CA roots for the Upstream (target) Server (may be given multiple times, defaults to system trust store).
  -upstream-flush duration
    force flush upstream responses after this duration(useful for streaming responses). 0 to never force flush. Defaults to 5ms (default 5ms)
  -validate-url string
    Access token validation endpoint
  -version
    print version string

      Steps to reproduce the issue:

      • Install the Tempo and OpenTelemetry operator from RHOSDT 3.7 build.
      • Run any of the following failing tests and check the oauth-proxy container logs.
      --- FAIL: chainsaw (2078.42s)
    --- FAIL: chainsaw/otel-tempo-serverless (347.02s)
    --- FAIL: chainsaw/tempo-serverless (345.44s)
    --- FAIL: chainsaw/monitoring (415.05s)
    --- FAIL: chainsaw/monolithic-monitoring (306.14s)
    --- FAIL: chainsaw/red-metrics (397.09s)
    --- FAIL: chainsaw/monolithic-route (305.92s)
    --- FAIL: chainsaw/tempo-single-tenant-auth (353.25s)
    --- FAIL: chainsaw/monolithic-single-tenant-auth (305.85s)
    --- FAIL: chainsaw/tls-singletenant-monolithic (319.87s)
    --- FAIL: chainsaw/route (411.91s)
    --- FAIL: chainsaw/tls-singletenant (416.63s)
FAIL

       

       

              agerstma@redhat.com Andreas Gerstmayr
              rhn-support-ikanse Ishwar Kanse
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: