Distributed Tracing / TRACING-5652

[RHOSDT 3.7] Oauth proxy in tempo build fails with error flag provided but not defined: -upstream-timeout


    • Issue type: Bug
    • Resolution: Done
    • Priority: Undefined
    • rhosdt-3.7
    • Quality / Stability / Reliability
    • Tracing Sprint # 277 - 3.7

      Version of components:

      RHOSDT 3.7 Tempo Operator version 0.18.0

      Description of the problem:

      The oauth-proxy container in Tempo instances is failing with the following error:

      % oc logs tempo-simplest-query-frontend-6464df7b7f-pplzd -c oauth-proxy
      flag provided but not defined: -upstream-timeout
      Usage of oauth2_proxy:
        -approval-prompt string
          OAuth approval_prompt (default "force")
        -authenticated-emails-file string
          authenticate against emails via file (one per line)
        -authentication-kubeconfig string
          kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenaccessreviews.authentication.k8s.io.
        -authentication-token-webhook-cache-ttl duration
          The duration to cache responses from the webhook token authenticator. (default 2m0s)
        -authorization-kubeconfig string
          kubeconfig file pointing at the 'core' kubernetes server with enough rights to create  subjectaccessreviews.authorization.k8s.io.
        -authorization-webhook-cache-authorized-ttl duration
          The duration to cache 'authorized' responses from the webhook authorizer. (default 2m0s)
        -authorization-webhook-cache-unauthorized-ttl duration
          The duration to cache 'unauthorized' responses from the webhook authorizer. (default 5s)
        -basic-auth-password string
          the password to set when passing the HTTP Basic Auth header
        -bypass-auth-except-for value
          provide authentication ONLY for request paths under proxy-prefix and those that match the given regex (may be given multiple times). Cannot be set with -skip-auth-regex/-bypass-auth-for
        -bypass-auth-for value
          alias for skip-auth-regex
        -client-id string
          the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
        -client-secret string
          the OAuth Client Secret
        -client-secret-file string
          a file containing the client-secret
        -config string
          path to config file
        -cookie-domain string
          an optional cookie domain to force cookies to (ie: .yourcompany.com)*
        -cookie-expire duration
          expire timeframe for cookie (default 168h0m0s)
        -cookie-httponly
          set HttpOnly cookie flag (default true)
        -cookie-name string
          the name of the cookie that the oauth_proxy creates (default "_oauth_proxy")
        -cookie-refresh duration
          refresh the cookie after this duration; 0 to disable
        -cookie-samesite string
          set SameSite cookie attribute (ie: "lax", "strict", "none", or ""). 
        -cookie-secret string
          the seed string for secure cookies (optionally base64 encoded)
        -cookie-secret-file string
          a file containing a cookie-secret
        -cookie-secure
          set secure (HTTPS) cookie flag (default true)
        -custom-templates-dir string
          path to custom html templates
        -debug-address string
          [http://]<addr>:<port> or unix://<path> to listen on for debug and requests
        -display-htpasswd-form
          display username / password login form if an htpasswd file is provided (default true)
        -email-domain value
          authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
        -footer string
          custom footer string. Use "-" to disable default footer.
        -htpasswd-file string
          additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA password hashes or "htpasswd -B" for bcrypt hashes
        -http-address string
          [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients (default "127.0.0.1:4180")
        -https-address string
          <addr>:<port> to listen on for HTTPS clients (default ":8443")
        -kubeconfig string
          kubeconfig file pointing at the 'core' OpenShift server that has the oauth-server running on it
        -login-url string
          Authentication endpoint
        -logout-url string
          absolute URL to redirect web browsers to after logging out of openshift oauth server
        -openshift-ca value
          paths to CA roots for the OpenShift API (may be given multiple times, defaults to /var/run/secrets/kubernetes.io/serviceaccount/ca.crt).
        -openshift-delegate-urls string
          If set, perform delegated authorization against the OpenShift API server. Value is a JSON map of path prefixes to v1beta1.ResourceAttribute records that must be granted to the user to continue. E.g. {"/":{"resource":"pods","namespace":"default","name":"test"}} only allows users who can see the pod test in namespace default.
        -openshift-group string
          restrict logins to members of this group (or groups, if encoded as a JSON array).
        -openshift-review-url string
          Permission check endpoint (defaults to the subject access review endpoint)
        -openshift-sar string
          require this encoded subject access review to authorize (may be a JSON list).
        -openshift-sar-by-host string
          require this encoded subject access review to authorize (must be a JSON array).
        -openshift-service-account string
          An optional name of an OpenShift service account to act as. If set, the injected service account info will be used to determine the client ID and client secret.
        -pass-access-token
          pass OAuth access_token to upstream via X-Forwarded-Access-Token header
        -pass-basic-auth
          pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
        -pass-host-header
          pass the request Host Header to upstream (default true)
        -pass-user-bearer-token
          pass OAuth access token received from the client to upstream via X-Forwarded-Access-Token header
        -pass-user-headers
          pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
        -profile-url string
          Profile access endpoint
        -provider string
          OAuth provider (default "openshift")
        -proxy-prefix string
          the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in) (default "/oauth")
        -proxy-websockets
          enables WebSocket proxying (default true)
        -redeem-url string
          Token redemption endpoint
        -redirect-url string
          the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth/callback"
        -request-logging
          Log requests to stdout
        -requestheader-allowed-names value
          List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.
        -requestheader-client-ca-file string
          Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers
        -requestheader-extra-headers-prefix value
          List of request header prefixes to inspect. X-Remote-Extra- is suggested.
        -requestheader-group-headers value
          List of request headers to inspect for groups. X-Remote-Group is suggested.
        -requestheader-username-headers value
          List of request headers to inspect for usernames. X-Remote-User is common.
        -scope string
          OAuth scope specification
        -set-xauthrequest
          set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
        -signature-key string
          GAP-Signature request signature key (algorithm:secretkey)
        -skip-auth-preflight
          will skip authentication for OPTIONS requests
        -skip-auth-regex value
          bypass authentication for request paths that match (may be given multiple times). Cannot be set with -bypass-auth-except-for. Alias for -bypass-auth-for
        -skip-provider-button
          will skip sign-in-page to directly reach the next step: oauth/start
        -ssl-insecure-skip-verify
          skip validation of certificates presented when using HTTPS
        -tls-cert string
          path to certificate file
        -tls-client-ca string
          path to a CA file for admitting client certificates.
        -tls-key string
          path to private key file
        -upstream value
          the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
        -upstream-ca value
          paths to CA roots for the Upstream (target) Server (may be given multiple times, defaults to system trust store).
        -upstream-flush duration
          force flush upstream responses after this duration(useful for streaming responses). 0 to never force flush. Defaults to 5ms (default 5ms)
        -validate-url string
          Access token validation endpoint
        -version
          print version string
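As an added check that is not part of this report or of the Tempo operator: the usage text the proxy prints when it rejects a flag doubles as an inventory of what the image actually supports, so operator-rendered sidecar args can be validated against it before rollout instead of being discovered in a crashloop. The usage excerpt and the sidecar args below are constructed for the example, not taken from the operator.

```python
import re

# Constructed excerpt in the shape of the oauth-proxy usage dump in the
# report: Go's flag package prints "  -name type" followed by an indented
# usage line. Only a few of the real flags are reproduced here.
USAGE_EXCERPT = """\
flag provided but not defined: -upstream-timeout
Usage of oauth2_proxy:
  -https-address string
    \t<addr>:<port> to listen on for HTTPS clients (default ":8443")
  -tls-cert string
    \tpath to certificate file
  -upstream value
    \tthe http url(s) of the upstream endpoint or file:// paths for static files
  -version
    \tprint version string
"""

# Hypothetical sidecar args: not the operator's real rendering, just enough
# to reproduce the mismatch the report describes.
SIDECAR_ARGS = [
    "--https-address=:8443",
    "--upstream=http://localhost:3200",
    "--upstream-timeout=30s",
    "--tls-cert=/etc/tls/private/tls.crt",
]

# A flag line from Go's flag.PrintDefaults: two spaces, "-name", optional type.
FLAG_LINE = re.compile(r"^  -(\S+)(?: \S+)?$")


def defined_flags(usage_text: str) -> set[str]:
    """Collect every flag name the proxy binary advertises in its usage text."""
    return {m.group(1) for line in usage_text.splitlines()
            if (m := FLAG_LINE.match(line))}


def undefined_flags(args: list[str], defined: set[str]) -> list[str]:
    """Flag names Go's flag package would reject as 'provided but not defined'."""
    missing = []
    for arg in args:
        if arg == "--":          # a bare "--" ends flag parsing, as in Go
            break
        if not arg.startswith("-") or arg == "-":
            continue             # value of the preceding flag, not a flag
        name = arg.lstrip("-").split("=", 1)[0]   # -name, --name, --name=value
        if name not in defined:
            missing.append(name)
    return missing
```

Running `undefined_flags(SIDECAR_ARGS, defined_flags(USAGE_EXCERPT))` on the constructed data reports `upstream-timeout`, the same flag the container log complains about.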
      

      Steps to reproduce the issue:

      • Install the Tempo and OpenTelemetry operator from RHOSDT 3.7 build.
      • Run any of the following failing tests and check the oauth-proxy container logs.
      --- FAIL: chainsaw (2078.42s)
          --- FAIL: chainsaw/otel-tempo-serverless (347.02s)
          --- FAIL: chainsaw/tempo-serverless (345.44s)
          --- FAIL: chainsaw/monitoring (415.05s)
          --- FAIL: chainsaw/monolithic-monitoring (306.14s)
          --- FAIL: chainsaw/red-metrics (397.09s)
          --- FAIL: chainsaw/monolithic-route (305.92s)
          --- FAIL: chainsaw/tempo-single-tenant-auth (353.25s)
          --- FAIL: chainsaw/monolithic-single-tenant-auth (305.85s)
          --- FAIL: chainsaw/tls-singletenant-monolithic (319.87s)
          --- FAIL: chainsaw/route (411.91s)
          --- FAIL: chainsaw/tls-singletenant (416.63s)
      FAIL

              agerstma@redhat.com Andreas Gerstmayr
              rhn-support-ikanse Ishwar Kanse