Fix k8s 1.27 runtime configuration issue

Bug #2054807 reported by Saba Touheed Mujawar
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
StarlingX | Fix Released | High | Saba Touheed Mujawar |

Bug Description

Brief Description
-----------------
OIDC service parameters are not configured in the kube-apiserver manifest. Because of this, Kubernetes authentication through OIDC tokens will not work.

Severity
--------
Critical.

Steps to Reproduce
------------------
Apply the commands below and wait 5 minutes for the puppet apply to be completed.

    OAM_IP="1.2.3.4"
    ISSUER_URL="https://${OAM_IP}:30556/dex"
    source /etc/platform/openrc
    system service-parameter-add kubernetes kube_apiserver oidc-issuer-url=$ISSUER_URL
    system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app
    system service-parameter-add kubernetes kube_apiserver oidc-username-claim=email
    system service-parameter-add kubernetes kube_apiserver oidc-groups-claim=groups
    system service-parameter-apply kubernetes

Expected Behavior
------------------
The following lines should be present in "/etc/kubernetes/manifests/kube-apiserver.yaml":

    - --oidc-client-id=stx-oidc-client-app
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://1.2.3.4:30556/dex
    - --oidc-username-claim=email

Actual Behavior
----------------
The file "/etc/kubernetes/manifests/kube-apiserver.yaml" does not have the OIDC parameters present.

Reproducibility
---------------
100% reproducible.

System Configuration
--------------------
Any. Tested on AIO-SX.
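
The check described under "Expected Behavior", written as a script that can be run after the puppet apply completes. This is an added example, not part of the bug report or of StarlingX code; it assumes each argument appears in the manifest as an unquoted "- --flag=value" list item, and the function names and the sample manifest are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not StarlingX code): list the expected --oidc-* arguments
# that are absent from a kube-apiserver static pod manifest.

# Flags and values copied from the report's "Expected Behavior" section.
EXPECTED_OIDC_FLAGS='--oidc-client-id=stx-oidc-client-app
--oidc-groups-claim=groups
--oidc-issuer-url=https://1.2.3.4:30556/dex
--oidc-username-claim=email'

# missing_oidc_flags MANIFEST
# Prints one missing flag per line. Returns 0 when all flags are present,
# 1 when at least one is missing, 2 when the manifest cannot be read.
missing_oidc_flags() {
    manifest=$1
    [ -r "$manifest" ] || { echo "cannot read: $manifest" >&2; return 2; }
    # Reduce each "    - --flag=value" list item to the bare argument.
    # Commented-out items keep their leading "#" and so never match.
    args=$(sed -e 's/^[[:space:]]*-[[:space:]]\{1,\}//' -e 's/[[:space:]]*$//' "$manifest")
    missing=0
    while IFS= read -r flag; do
        # -F literal, -x whole line: a different issuer URL or a longer
        # client id does not satisfy the check.
        if ! printf '%s\n' "$args" | grep -Fxq -- "$flag"; then
            printf '%s\n' "$flag"
            missing=1
        fi
    done <<EOF
$EXPECTED_OIDC_FLAGS
EOF
    return "$missing"
}

# write_sample_manifest FILE [with-oidc]
# Writes a constructed, trimmed manifest used only to exercise the check.
write_sample_manifest() {
    {
        printf 'apiVersion: v1\nkind: Pod\nspec:\n  containers:\n  - command:\n'
        printf '    - kube-apiserver\n    - --authorization-mode=Node,RBAC\n'
        if [ "${2:-}" = with-oidc ]; then
            printf '    - %s\n' $EXPECTED_OIDC_FLAGS
        fi
    } > "$1"
}

# Stand-alone use: pass the manifest path from the report as the argument.
if [ "$#" -gt 0 ]; then missing_oidc_flags "$1"; fi
```

Run against /etc/kubernetes/manifests/kube-apiserver.yaml, an exit status of 1 with four flags printed corresponds to the "Actual Behavior" in this report.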

Changed in starlingx:
assignee: nobody → Saba Touheed Mujawar (smujawar)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/909997

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/909997
Committed: https://opendev.org/starlingx/stx-puppet/commit/835a7ae76ac2e8a16a97cd95d130fd255cc9dea4
Submitter: "Zuul (22348)"
Branch: master

commit 835a7ae76ac2e8a16a97cd95d130fd255cc9dea4
Author: Saba Touheed Mujawar <email address hidden>
Date: Fri Feb 23 08:03:00 2024 -0500

    Correct kubeadm config file format to v1beta3 for k8s 1.27

    kubeadm 1.27 and newer no longer supports v1beta2 file format.
    Existing code that updates the control plane params still uses
    this api which causes an issue in updating the k8s service
    parameters during runtime configuration.

    This change updates the file format to kubeadm.k8s.io/v1beta3
    which resolves the issue and also works for k8s versions greater
    than 1.21

    TEST PLAN:
    PASS: Install iso with k8s 1.27 default, configure service
          parameters to control plane components during runtime
          and verify that it reflects in respective manifests files.
    PASS: Install iso with k8s 1.24, perform runtime kubernetes
          configuration successfully.
    PASS: Perform k8s upgrade from 1.24 to all available versions,
          for each version perform runtime kubernetes
          configuration successfully.

    Closes-Bug: 2054807

    Change-Id: Ibaf5b26e731127c6951f2275db0d5e930ee5d5c9
    Signed-off-by: Saba Touheed Mujawar <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.9.0 stx.containers
Changed in starlingx:
importance: Medium → High