OpenShift 4.2 Authentication pods crash when a badly formatted certificate is provided

Solution Verified - Updated -

Issue

  • I would expect the authentication-operator to check the formatting before propagating to Pods.
  • The following error was seen in OAuth pod logs after configuring a new IDP client keypair per this documentation.
panic: Error building BasicAuthPasswordIdentityProvider client: error loading x509 keypair from cert file /var/config/user/idp/0/secret/v4-0-config-user-idp-0-tls-client-cert/tls.crt and key file /var/config/user/idp/0/secret/v4-0-config-user-idp-0-tls-client-key/tls.key: tls: failed to find any PEM data in certificate input

goroutine 1 [running]:
github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).buildHandlerChainForOAuth(0xc000461500, 0x1be6b00, 0xc0003a03e0, 0xc0002a8c40, 0x16b57a0, 0xc0005e9638)
    /go/src/github.com/openshift/oauth-server/pkg/oauthserver/oauth_apiserver.go:303 +0xee
github.com/openshift/oauth-server/vendor/k8s.io/apiserver/pkg/server.completedConfig.New.func1(0x1be6b00, 0xc0003a03e0, 0x1be6b00, 0xc0003a03e0)
    /go/src/github.com/openshift/oauth-server/vendor/k8s.io/apiserver/pkg/server/config.go:444 +0x45
github.com/openshift/oauth-server/vendor/k8s.io/apiserver/pkg/server.NewAPIServerHandler(0x18dc66b, 0xf, 0x1c1b7c0, 0xc0004bbec0, 0xc0003a0380, 0x0, 0x0, 0x0)
    /go/src/github.com/openshift/oauth-server/vendor/k8s.io/apiserver/pkg/server/handler.go:96 +0x2fc
github.com/openshift/oauth-server/vendor/k8s.io/apiserver/pkg/server.completedConfig.New(0xc0002a8c40, 0x0, 0x0, 0x18dc66b, 0xf, 0x1c378a0, 0x2bc4f80, 0xc0002a8c40, 0x0, 0x0)
    /go/src/github.com/openshift/oauth-server/vendor/k8s.io/apiserver/pkg/server/config.go:446 +0x124
github.com/openshift/oauth-server/pkg/oauthserver.completedOAuthConfig.New(0xc0003a0360, 0xc000461508, 0x1c378a0, 0x2bc4f80, 0x4, 0x1c00dc0, 0xc000610e00)
    /go/src/github.com/openshift/oauth-server/pkg/oauthserver/oauth_apiserver.go:286 +0x70
github.com/openshift/oauth-server/pkg/cmd/oauth-server.RunOsinServer(0xc000258600, 0xc00009c720, 0xd07, 0xf07)
    /go/src/github.com/openshift/oauth-server/pkg/cmd/oauth-server/server.go:40 +0x8a
github.com/openshift/oauth-server/pkg/cmd/oauth-server.(*OsinServer).RunOsinServer(0xc00048ce80, 0xc00009c720, 0x5ac320, 0x16a1ce0)
    /go/src/github.com/openshift/oauth-server/pkg/cmd/oauth-server/cmd.go:91 +0x35c
github.com/openshift/oauth-server/pkg/cmd/oauth-server.NewOsinServer.func1(0xc0001fc500, 0xc0004a4a40, 0x0, 0x2)
    /go/src/github.com/openshift/oauth-server/pkg/cmd/oauth-server/cmd.go:39 +0xf4
github.com/openshift/oauth-server/vendor/github.com/spf13/cobra.(*Command).execute(0xc0001fc500, 0xc0004a49e0, 0x2, 0x2, 0xc0001fc500, 0xc0004a49e0)
    /go/src/github.com/openshift/oauth-server/vendor/github.com/spf13/cobra/command.go:760 +0x2ae
github.com/openshift/oauth-server/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc0001fc280, 0xc0001fc280, 0x0, 0x0)
    /go/src/github.com/openshift/oauth-server/vendor/github.com/spf13/cobra/command.go:846 +0x2ec
github.com/openshift/oauth-server/vendor/github.com/spf13/cobra.(*Command).Execute(...)
    /go/src/github.com/openshift/oauth-server/vendor/github.com/spf13/cobra/command.go:794
main.main()
    /go/src/github.com/openshift/oauth-server/cmd/oauth-server/main.go:41 +0x2cf
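
The `tls: failed to find any PEM data in certificate input` text in the panic above is the error Go's `crypto/tls` returns when the certificate bytes contain no PEM block, for example a DER-encoded file. The following is an added example, not code from oauth-server or the authentication-operator. It shows a pre-flight check that returns that error to the caller before a keypair is stored in a secret; `validateKeyPair`, `constructedKeyPair` and the `idp-client.example` name are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// validateKeyPair is a hypothetical pre-flight helper: it parses the pair with crypto/tls and returns the error.
func validateKeyPair(certPEM, keyPEM []byte) error {
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return fmt.Errorf("keypair rejected before rollout: %w", err)
	}
	return nil
}

// constructedKeyPair builds a throwaway self-signed pair (constructed sample data, placeholder subject name).
func constructedKeyPair() (certDER, certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "idp-client.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certDER, certPEM, keyPEM, nil
}

func main() {
	der, crt, key, err := constructedKeyPair()
	fmt.Println(err, "|", validateKeyPair(crt, key), "|", validateKeyPair(der, key))
}
```

The PEM-encoded pair passes, while the same certificate supplied as raw DER is rejected with the message seen in the pod log.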

Environment

OpenShift Container Platform 4.2
