commit f6a29166ec00bd1a94459d838fa3f9f7117bf6f0
Author: Andy Ning <email address hidden>
Date: Thu Jun 16 15:52:49 2022 -0400
Fix WAD user cannot access k8s API by oidc
Currently when oidc-auth-apps is applied and oidc service
parameters are applied, kube-apiserver's oidc_issuer_url points
to cluster host floating IP instead of the OAM floating IP. This
causes a mismatch between the oidc issuer that kube-apiserver is
configured with and the actual oidc issuer's IP address. Users can no longer
access the k8s API even with a valid token.
The issue is introduced by a sed substitution in
kube-apiserver-change-params.erb where it replaces all the OAM IPs
with kube-apiserver's advertise address, including oidc-issuer-url.
This fixes it by excluding oidc-issuer-url from the substitution.
Test Plan for CentOS and Debian:
PASS: oidc service parameters apply, helm overrides update and oidc-auth-apps apply
PASS: run oidc-auth cli to get a token
PASS: use the token to access k8s API by kubectl
Closes-Bug: 1971500
Closes-Bug: 1979006
Signed-off-by: Andy Ning <email address hidden>
Change-Id: I19d434c6322b4423d2e5b1732ff8af3f486b73f2
Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/846237
Committed: https://opendev.org/starlingx/stx-puppet/commit/f6a29166ec00bd1a94459d838fa3f9f7117bf6f0
Submitter: "Zuul (22348)"
Branch: master
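The failure mode the commit describes, reproduced as an added shell illustration (this is not code from the stx-puppet commit or from kube-apiserver-change-params.erb, whose contents are not shown here). The parameter lines, the two IP addresses, the Dex port and the URL path are all constructed; the "exclude lines carrying oidc-issuer-url" form is one assumed way to realise the fix the message describes. A blanket `sed s/OAM_IP/ADVERTISE_IP/g` rewrites the issuer URL along with the bind addresses, so the issuer kube-apiserver validates tokens against no longer matches the issuer that signed them:

```shell
#!/bin/sh
# Added example, not the project's code. All values below are constructed.
OAM_IP="10.10.10.2"           # constructed OAM floating IP (where Dex is reachable)
ADVERTISE_IP="192.168.204.2"  # constructed cluster-host / advertise address
ISSUER="https://$OAM_IP:30556/dex"   # constructed issuer URL; port and path assumed

# Escape the dots so sed matches the literal IP rather than "any character".
OAM_RE=$(printf '%s' "$OAM_IP" | sed 's/\./\\./g')

# A constructed kube-apiserver parameter list in which the OAM IP appears both
# as a bind address and inside the oidc-issuer-url.
sample_params() {
  printf '%s\n' \
    "--advertise-address=$OAM_IP" \
    "--bind-address=$OAM_IP" \
    "--oidc-issuer-url=$ISSUER" \
    "--oidc-client-id=stx-oidc-client-app"
}

# The substitution as the commit describes it: every OAM IP is rewritten,
# including the one embedded in the issuer URL.
rewrite_all() {
  sed "s/$OAM_RE/$ADVERTISE_IP/g"
}

# The corrected substitution: lines carrying oidc-issuer-url are left alone
# (assumed realisation of "excluding oidc-issuer-url from the substitution").
rewrite_except_issuer() {
  sed "/oidc-issuer-url/! s/$OAM_RE/$ADVERTISE_IP/g"
}

# Pull the issuer URL back out of a rewritten parameter list.
issuer_url() {
  sed -n 's/^--oidc-issuer-url=//p'
}

buggy_issuer() { sample_params | rewrite_all           | issuer_url; }
fixed_issuer() { sample_params | rewrite_except_issuer | issuer_url; }

# Post-apply check: the issuer kube-apiserver is configured with must equal the
# issuer that actually mints tokens, otherwise every token fails validation.
issuer_matches() {
  [ "$1" = "$ISSUER" ]
}

# Stand-alone run: show both outcomes.
echo "buggy issuer: $(buggy_issuer)"
echo "fixed issuer: $(fixed_issuer)"
if issuer_matches "$(fixed_issuer)"; then echo "fixed config matches issuer"; fi
if ! issuer_matches "$(buggy_issuer)"; then echo "buggy config does NOT match issuer"; fi
```

The `issuer_matches` check is the kind of post-apply assertion worth keeping around: compare the `oidc-issuer-url` kube-apiserver was actually started with against the issuer advertised by the OIDC provider before relying on token-based access.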