Bug 1989055: logins to the web console fail with custom oauth cert

[florkbr]

The cluster-authentication-operator was recently updated to publish
custom certs to a managed config map oauth-serving-cert. The console
needs to trust this new cert before logins will work propertly with
custom certs.

See openshift/cluster-authentication-operator#464

https://bugzilla.redhat.com/show_bug.cgi?id=1989055

[florkbr]

/hold need to investigate if this breaks non-oauth logins and if there are any potential RBAC issues

[openshift-ci]

@florkbr: An error was encountered querying GitHub for users with public email (yapei@redhat.com) for bug 1989055 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

non-200 OK status code: 403 Forbidden body: "{\n \"documentation_url\": \"https://docs.github.com/en/free-pro-team@latest/rest/overview/resources-in-the-rest-api#abuse-rate-limits\",\n \"message\": \"You have triggered an abuse detection mechanism. Please wait a few minutes before you try again.\"\n}\n"

Please contact an administrator to resolve this issue, then request a bug refresh with /bugzilla refresh.

In response to this:

Bug 1989055: logins to the web console fail with custom oauth cert

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[spadgett]

/cc @stlaz

[spadgett]

/lgtm

Thanks @florkbr

[spadgett]

/lgtm

[spadgett]

/lgtm

[florkbr]

Test image pushed to: docker pull quay.io/bflorkie/console-operator:08032021

[spadgett]

Upgrade test failed. I wonder if the console operator goes to unavailable if it rolls out before the new oauth-serving-cert config map is there, although there are other degraded operators, too.

https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_console-operator/571/pull-ci-openshift-console-operator-master-e2e-agnostic-upgrade/1422604521401487360

We should check our handling of available status... I believe if any replicas are available the console should be considered available.

cc @jhadvig

[florkbr]

Confirmed this change works with the latest 4.9 build including the changes to the auth-operator:

[florkbr]

/retest-required

[florkbr]

/bugzilla refresh

[openshift-ci]

@florkbr: This pull request references Bugzilla bug 1989055, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.9.0) matches configured target release for branch (4.9.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @yapei

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[florkbr]

/retest-required

[florkbr]

Flakes around cluster deployment/availability. Retesting.

[florkbr]

/retest-required

[kdoberst]

/retest

[kdoberst]

/retest

[kdoberst]

/retest

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[jhadvig]

=== RUN   TestEditUnmanagedConfigMap
    unmanaged_test.go:12: waiting for setup to reach settled state...
    unmanaged_test.go:13: changing console operator state to 'Unmanaged'...
    util.go:28: patching Data on the console ConfigMap
    util.go:35: polling for patched Data on the console ConfigMap
    unmanaged_test.go:41: error: timed out waiting for the condition
    unmanaged_test.go:18: waiting for cleanup to reach settled state...
    console-operator.go:370: waited 10 seconds to reach settled state...
--- FAIL: TestEditUnmanagedConfigMap (63.07s)

/retest

[florkbr]

=== RUN   TestEditUnmanagedConfigMap
    unmanaged_test.go:12: waiting for setup to reach settled state...
    unmanaged_test.go:13: changing console operator state to 'Unmanaged'...
    util.go:28: patching Data on the console ConfigMap
    util.go:35: polling for patched Data on the console ConfigMap
    unmanaged_test.go:41: error: timed out waiting for the condition
    unmanaged_test.go:18: waiting for cleanup to reach settled state...
    console-operator.go:370: waited 10 seconds to reach settled state...
--- FAIL: TestEditUnmanagedConfigMap (35.08s)

/retest

[florkbr]

=== RUN   TestEditUnmanagedConfigMap
    unmanaged_test.go:12: waiting for setup to reach settled state...
    unmanaged_test.go:13: changing console operator state to 'Unmanaged'...
    util.go:28: patching Data on the console ConfigMap
    util.go:35: polling for patched Data on the console ConfigMap
    unmanaged_test.go:41: error: timed out waiting for the condition
    unmanaged_test.go:18: waiting for cleanup to reach settled state...
    console-operator.go:370: waited 10 seconds to reach settled state...
--- FAIL: TestEditUnmanagedConfigMap (33.83s)

/retest

[florkbr]

@jhadvig wondering if I should spend some time investigating these flakes or if we should disable the tests?

[florkbr]

/retest

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[spadgett]

https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_console-operator/571/pull-ci-openshift-console-operator-master-e2e-aws-operator/1431161472309792768

nodes not ready: node "ip-10-0-129-57.us-east-2.compute.internal" not ready since 2021-08-27 08:36:25 +0000 UTC because NodeStatusUnknown (Kubelet stopped posting node status.)
	clusteroperator/machine-config is not available (Cluster not available for 4.9.0-0.ci.test-2021-08-27-075123-ci-op-jpr5h2ik-latest) because Failed to resync 4.9.0-0.ci.test-2021-08-27-075123-ci-op-jpr5h2ik-latest because: timed out waiting for the condition during waitForDaemonsetRollout: Daemonset machine-config-daemon is not ready. status: (desired: 6, updated: 6, ready: 4, unavailable: 2)
	clusteroperator/monitoring is not available (Rollout of the monitoring stack failed and is degraded. Please investigate the degraded status error.) because Failed to rollout the stack. Error: updating prometheus-k8s: waiting for Prometheus object changes failed: waiting for Prometheus openshift-monitoring/k8s: expected 2 replicas, got 1 updated replicas
	clusteroperator/network is degraded because DaemonSet "openshift-multus/multus" rollout is not making progress - last change 2021-08-27T08:36:26Z
DaemonSet "openshift-multus/multus-additional-cni-plugins" rollout is not making progress - last change 2021-08-27T08:36:26Z
DaemonSet "openshift-sdn/sdn" rollout is not making progress - last change 2021-08-27T08:36:26Z
	clusteroperator/openshift-apiserver is degraded because APIServerDeploymentDegraded: 1 of 3 requested instances are unavailable for apiserver.openshift-apiserver ()
	clusteroperator/storage is progressing: AWSEBSCSIDriverOperatorCRProgressing: AWSEBSDriverNodeServiceControllerProgressing: Waiting for DaemonSet to deploy node pods

Similar errors seem to be affecting a lot of jobs:

https://search.ci.openshift.org/?search=Kubelet+stopped+posting+node+status&maxAge=48h&context=1&type=junit&name=&excludeName=&maxMatches=5&maxBytes=20971520&groupBy=job

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci]

@florkbr: All pull requests linked via external trackers have merged:

• openshift/console-operator#571

Bugzilla bug 1989055 has been moved to the MODIFIED state.

In response to this:

Bug 1989055: logins to the web console fail with custom oauth cert

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.