[RHOCP 4.6] Authentication operator degraded with error "WellKnownReadyController_SyncError"

Solution Verified - Updated -

Environment

  • Red Hat Openshift Container Platform
    • 4.6 IPI
  • VMware vSphere

Issue

  • The Authentication Operator fails with the following error:
    message: 'WellKnownReadyControllerDegraded: failed to GET kube-apiserver oauth
      endpoint https://10.xx.yy.zz:6443/.well-known/oauth-authorization-server: Forbidden'
    reason: WellKnownReadyController_SyncError
    status: 'True'
    type: Degraded

Resolution

  • Edit the proxy configuration:
    $ oc edit proxy/cluster
  • Check the noProxy parameter in the spec section:
    spec:
      httpProxy: http://<ip>:80
      httpsProxy: http://<ip>:80
      noProxy: example.com
  • Add the machine CIDR and the vCenter IP to the noProxy parameter.

Root Cause

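  • noProxy should contain a list of destination domain names, domains, IP addresses, or other network CIDRs to exclude from proxying. It must include vCenter’s IP address and the IP range that is used for the cluster machines (the machine CIDR). Otherwise, requests to addresses in that range, such as the kube-apiserver OAuth endpoint in the error above, are sent through the proxy.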
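
The check below is an added example, not part of the original Red Hat solution: it reports which destinations would still be sent to the proxy for a given noProxy value, before and after the change described in the Resolution. The matching rules (exact IP, CIDR, domain and subdomain, "*") are modelled on Go's proxy handling, which is an assumption about the client; other clients may match differently. The addresses 10.0.0.0/16, 10.0.0.5 and 192.0.2.10 are constructed sample values.

```python
import ipaddress

def bypasses_proxy(host: str, no_proxy: str) -> bool:
    """True if host (IP address or DNS name) matches an entry of a noProxy list."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, treat as a DNS name
    name = host.lower().rstrip(".")
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*":
            return True  # wildcard: nothing is proxied
        if ip is not None:
            try:
                # A bare IP parses as a /32 (or /128) network, so one test
                # covers both single addresses and CIDR ranges.
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is a domain name; it cannot match an IP
        elif entry.startswith("."):
            if name.endswith(entry):
                return True  # ".example.com" matches subdomains only
        elif name == entry or name.endswith("." + entry):
            return True  # "example.com" matches itself and subdomains
    return False

def still_proxied(no_proxy: str, destinations: list) -> list:
    """Destinations that would still be sent to the proxy."""
    return [d for d in destinations if not bypasses_proxy(d, no_proxy)]

# Constructed sample values, not taken from a real cluster.
API_IP = "10.0.0.5"          # an address inside the sample machine CIDR
VCENTER_IP = "192.0.2.10"
BEFORE = "example.com"       # noProxy as shown in the Resolution section
AFTER = "example.com,10.0.0.0/16,192.0.2.10"  # machine CIDR and vCenter added

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        print(label, "still proxied:", still_proxied(value, [API_IP, VCENTER_IP]))
```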

Diagnostic Steps

  • Log in to the OAuth pod and check whether you can reach the API through the proxy:
    $ oc rsh <oauth pod>
    $ curl -kv https://$API:6443/.well-known/oauth-authorization-server

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
