kube-apiserver service parameter oidc_issuer_url value is overwritten
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Medium | Andy |
Bug Description
Brief Description
-----------------
The OAM IP address value of the Kubernetes service parameter oidc_issuer_url is replaced with the platform cluster_host address.
Severity
--------
Major: System/Feature is usable but degraded
Steps to Reproduce
------------------
OAM_IP=10.10.105.2 # per the cluster configuration
system service-
oidc_
system service-
# watch a minute or two until kube-apiserver process is restarted
ps -ef | grep "kube-api" | sed "s; --;\n --;g" | grep "kube-apiserver"
Note how the URL is changed from what was specified on the command line.
Expected Behavior
------------------
The value specified for oidc_issuer_url will be presented on the command line for kube-apiserver
Actual Behavior
----------------
The text of OAM IP is replaced with the value of hieradata platform:
Reproducibility
---------------
100%
The following examples were tested, demonstrating that it is the OAM IP address being replaced, with dots interpreted as wildcards:
https:/
https:/
https:/
https:/
https:/
The last example highlights the loose replacement, affecting port as well.
Where 10.10.105.2 is the OAM address of my cluster and 192.168.206.2 is the cluster_host address.
System Configuration
--------------------
Nothing special, but consider also the OIDC configuration described in the StarlingX docs:
https:/
Branch/Pull Time/Commit
-----------------------
starlingx/master
2022-04-20 03:37:44
starlingx build 20220420T033744Z
Last Pass
---------
Unknown
Timestamp/Logs
--------------
The command line examples in Steps to Reproduce are sufficient to observe the result, but logs for the Kubernetes OIDC authentication failure could be made available. (The replacement URL does not match the dex/OIDC server "issuer" URL, so authentication fails.)
Test Activity
-------------
Developer Testing
Workaround
----------
Under test use the value of platform:
In the field, use an FQDN for the issuer URL.
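The report attributes the rewrite to a substitution in which the dots of the OAM address behave as wildcards, which is what happens when an IP address string is handed to a regex engine without escaping. The following is an added illustration, not code from the bug report or from stx-puppet: it reconstructs that class of loose substitution beside an escaped, boundary-anchored version, and adds a small check that extracts --oidc-issuer-url from a kube-apiserver command line (the `ps` output in the Steps to Reproduce) and compares it with the configured service parameter. The command line, the port 30556 and the client id are constructed sample data; the 10.10.105.2 and 192.168.206.2 addresses are the ones quoted in the report. Note that for oidc_issuer_url the expected behaviour is that no substitution happens at all; the strict variant only shows how much collateral damage the unescaped pattern causes.

```python
import re
import shlex

# Addresses quoted in the report: the OAM IP the operator configured and the
# cluster_host IP that ended up on the kube-apiserver command line.
OAM_IP = "10.10.105.2"
CLUSTER_HOST_IP = "192.168.206.2"

# Constructed kube-apiserver command line (not captured from a real system),
# showing the symptom: the issuer URL carries the cluster_host address.
SAMPLE_CMDLINE = (
    "kube-apiserver --advertise-address=192.168.206.2 "
    "--oidc-client-id=example-client "
    "--oidc-issuer-url=https://192.168.206.2:30556/dex "
    "--oidc-username-claim=email"
)


def loose_replace(text, old_ip, new_ip):
    """Substitution of the kind the report describes (hypothetical
    reconstruction, not stx-puppet code): the old IP is used as a regex
    pattern unescaped, so every '.' matches any character and no word
    boundary is enforced. '10x10x105x2' and the prefix of '10.10.105.25'
    are both rewritten."""
    return re.sub(old_ip, new_ip, text)


def strict_replace(text, old_ip, new_ip):
    """Same intent with the literal escaped and anchored so that only a
    whole dotted quad matches: neither side of the match may be a word
    character or a dot."""
    pattern = r"(?<![\w.])" + re.escape(old_ip) + r"(?![\w.])"
    return re.sub(pattern, new_ip, text)


def apiserver_flag(cmdline, flag):
    """Return the value of --flag=value from a kube-apiserver command line,
    or None when the flag is absent."""
    for tok in shlex.split(cmdline):
        if tok.startswith(flag + "="):
            return tok[len(flag) + 1:]
    return None


def check_issuer(cmdline, configured_issuer):
    """Compare the rendered --oidc-issuer-url with the configured service
    parameter. kube-apiserver matches a token's 'iss' claim against this
    flag exactly, so anything other than equality means OIDC logins fail."""
    rendered = apiserver_flag(cmdline, "--oidc-issuer-url")
    return {
        "rendered": rendered,
        "expected": configured_issuer,
        "ok": rendered == configured_issuer,
    }


if __name__ == "__main__":
    for url in ("https://10.10.105.2:30556/dex",
                "https://10x10x105x2:30556/dex",
                "https://10.10.105.25:30556/dex"):
        print(url, "->", loose_replace(url, OAM_IP, CLUSTER_HOST_IP),
              "| strict:", strict_replace(url, OAM_IP, CLUSTER_HOST_IP))
    print(check_issuer(SAMPLE_CMDLINE, "https://10.10.105.2:30556/dex"))
```

Running the check against the constructed command line reports `ok: False`, which is the condition the reporter observed: the issuer on the command line no longer equals the value passed to `system service-parameter-...`, and dex-issued tokens are rejected. The same check passes unchanged when the issuer is an FQDN, which is why the FQDN workaround sidesteps the substitution entirely.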
tags: added: stx.7.0 stx.apps stx.security
Changed in starlingx:
importance: Undecided → Medium
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/846237