enabel external oidc in capi private rosa hcp cluster #51689
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
| - chain: openshift-e2e-test-hypershift-qe | ||
| - ref: cucushift-hypershift-extended-health-check | ||
| - ref: openshift-extended-test | ||
| - ref: openshift-extended-web-tests |
There was a problem hiding this comment.
ref: openshift-extended-web-tests is currently unsupported for this type of configuration.
heliubj18
force-pushed
the
capi-azure-external-oidc
branch
from
e79275f
to
0905e09
Compare
|
You might find the following debug job useful: - as: hypershift-ext-oidc-debug
cron: '@yearly'
steps:
cluster_profile: aws-qe
env:
TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~NonPreRelease&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;~Serial&;~Disruptive&
post:
- as: dummy-post
commands: sleep 3600
from: tools
resources:
limits:
memory: 1Gi
requests:
cpu: "1"
memory: 1Gi
timeout: 2h0m0s
pre:
- as: dummy-pre
commands: sleep 1
from: tools
resources:
limits:
memory: 1Gi
requests:
cpu: "1"
memory: 1Gi
timeout: 10m0s
test:
- as: download-kubeconfig
commands: |
set -euxo pipefail
export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred"
aws s3 cp s3://fxie-test/hcp.kubeconfig ${SHARED_DIR}/kubeconfig
oc get co --kubeconfig ${SHARED_DIR}/kubeconfig
echo "UjMTK-DWpjr-XFKaD-DjMIh" > ${SHARED_DIR}/kubeadmin-password
from_image:
name: "4.16"
namespace: ocp
tag: upi-installer
resources:
limits:
memory: 1Gi
requests:
cpu: "1"
memory: 1Gi
timeout: 10m0s
- ref: openshift-extended-web-tests-ext-oidc-cli-login
- ref: cucushift-hypershift-extended-external-oidc-grant-user-role
- ref: openshift-extended-test
- as: post-extended-test
commands: |
set -euxo pipefail
echo "Checking the existence of external OIDC cache files"
if [[ ! -r "$SHARED_DIR/oc-oidc-token" ]]; then
echo "SHARED_DIR/oc-oidc-token is either not found or not readable, exiting"
exit 1
fi
cat "$SHARED_DIR/oc-oidc-token"
if [[ ! -r "$SHARED_DIR/oc-oidc-token-filename" ]]; then
echo "SHARED_DIR/oc-oidc-token-filename is either not found or not readable, exiting"
exit 1
fi
cat "$SHARED_DIR/oc-oidc-token-filename"
echo "Restoring external OIDC cache dir"
mkdir -p ~/.kube/cache/oc
cat "$SHARED_DIR/oc-oidc-token" > ~/.kube/cache/oc/"$(cat "$SHARED_DIR/oc-oidc-token-filename")"
oc whoami
oc get co
from: tools
resources:
limits:
memory: 1Gi
requests:
cpu: "1"
memory: 1Gi
timeout: 10m0s |
| export EXTERNAL_AUTH_PROVIDERS=" externalAuthProviders: | ||
| - name: entra-id | ||
| issuer: | ||
| issuerURL: ${ISSUER_URL} | ||
| audiences: | ||
| - ${CONSOLE_CLIENT_ID} | ||
| - ${CLI_CLIENT_ID} | ||
| oidcClients: | ||
| - componentName: console | ||
| componentNamespace: openshift-console | ||
| clientID: ${CONSOLE_CLIENT_ID} | ||
| clientSecret: | ||
| name: ${CONSOLE_CLIENT_SECRET_NAME} | ||
| claimMappings: | ||
| username: | ||
| claim: email | ||
| prefixPolicy: | ||
| prefix: \"oidc-user-test:\" | ||
| groups: | ||
| claim: groups | ||
| prefix: \"oidc-groups-test:\"" | ||
| } |
There was a problem hiding this comment.
Not 100% sure about this but we may need to add the cli OIDC client as well:
| export EXTERNAL_AUTH_PROVIDERS=" externalAuthProviders: | |
| - name: entra-id | |
| issuer: | |
| issuerURL: ${ISSUER_URL} | |
| audiences: | |
| - ${CONSOLE_CLIENT_ID} | |
| - ${CLI_CLIENT_ID} | |
| oidcClients: | |
| - componentName: console | |
| componentNamespace: openshift-console | |
| clientID: ${CONSOLE_CLIENT_ID} | |
| clientSecret: | |
| name: ${CONSOLE_CLIENT_SECRET_NAME} | |
| claimMappings: | |
| username: | |
| claim: email | |
| prefixPolicy: | |
| prefix: \"oidc-user-test:\" | |
| groups: | |
| claim: groups | |
| prefix: \"oidc-groups-test:\"" | |
| } | |
| export EXTERNAL_AUTH_PROVIDERS=" externalAuthProviders: | |
| - name: entra-id | |
| issuer: | |
| issuerURL: ${ISSUER_URL} | |
| audiences: | |
| - ${CONSOLE_CLIENT_ID} | |
| - ${CLI_CLIENT_ID} | |
| oidcClients: | |
| - clientID: ... | |
| componentName: cli | |
| componentNamespace: openshift-console | |
| - componentName: console | |
| componentNamespace: openshift-console | |
| clientID: ${CONSOLE_CLIENT_ID} | |
| clientSecret: | |
| name: ${CONSOLE_CLIENT_SECRET_NAME} | |
| claimMappings: | |
| username: | |
| claim: email | |
| prefixPolicy: | |
| prefix: \"oidc-user-test:\" | |
| groups: | |
| claim: groups | |
| prefix: \"oidc-groups-test:\"" | |
| } |
There was a problem hiding this comment.
done, I have not tested this scenario. Let's debug it in this pr.thx
heliubj18
force-pushed
the
capi-azure-external-oidc
branch
from
0905e09
to
b5063e5
Compare
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
|
@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
|
@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
|
@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
|
@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
Are the jobs expected to be included in version 4.15? If so, I will need to cherry-pick my changes from openshift-tests-private back into the corresponding branch. |
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
|
@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
|
@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
|
@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
@heliubj18, If the problem persists, please contact Test Platform. |
heliubj18
force-pushed
the
capi-azure-external-oidc
branch
from
eb2c556
to
663b586
Compare
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
|
@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
|
@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
heliubj18
force-pushed
the
capi-azure-external-oidc
branch
from
d87ab5c
to
2ce9e71
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: heliubj18 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7 |
|
@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
[REHEARSALNOTIFIER]
A total of 1260 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs. A full list of affected jobs can be found here Interacting with pj-rehearseComment: Once you are satisfied with the results of the rehearsals, comment: |
|
@heliubj18: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
replaced by #52499 |
|
/close |
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
openshift-merge-robot
added
the
needs-rebase
|
@heliubj18: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
enable external oidc in capi rosa hcp