OCPBUGS-87223: Add token-based auth prerequisite for oc adm upgrade recommend#112077
Conversation
|
Hi @asadawar. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/ok-to-test |
|
🤖 Thu Jul 09 16:59:57 - Prow CI generated the docs preview: |
3b0ac7b to
75e9782
Compare
|
/jira refresh |
|
@asadawar: No Jira issue is referenced in the title of this pull request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@asadawar: No Jira issue is referenced in the title of this pull request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@asadawar: This pull request references OSDOCS-19867 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@asadawar: This pull request references OSDOCS-19867 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@asadawar: This pull request references Jira Issue OCPBUGS-87223, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@asadawar: This pull request references Jira Issue OCPBUGS-87223, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/label merge-review-needed |
|
/lgtm |
skopacz1
left a comment
There was a problem hiding this comment.
Just one small formatting thing, then this PR is good to go! Thanks for submitting this
| ==== | ||
| The `oc adm upgrade recommend` command requires a bearer token to query the cluster's Thanos monitoring service for firing alerts. Certificate-based authentication, such as the `system:admin` identity provided in the default `kubeconfig` file from the installation program, does not satisfy this requirement. If you use certificate-based authentication, the command output displays the following message and skips all alert-based precondition checks: | ||
|
|
||
| `Failed to check for at least some preconditions: no token is currently in use for this session` |
There was a problem hiding this comment.
Could you change this to a code block instead? It would look like this:
| `Failed to check for at least some preconditions: no token is currently in use for this session` | |
| [source,terminal] | |
| ---- | |
| Failed to check for at least some preconditions: no token is currently in use for this session | |
| ---- |
There was a problem hiding this comment.
sure. Thanks for the review. Applying the suggested changes.
The recommend command requires a bearer token to query the Thanos monitoring route. Certificate-based auth (system:admin from the installer kubeconfig) causes the command to silently skip all alert-based precondition checks. Fixes: https://redhat.atlassian.net/browse/OSDOCS-19867
75e9782 to
1417b39
Compare
|
New changes are detected. LGTM label has been removed. |
|
@asadawar: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@asadawar: Jira Issue OCPBUGS-87223: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-87223 has been moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/cherrypick enterprise-4.22 |
|
@skopacz1: new pull request created: #115031 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@skopacz1: new pull request created: #115032 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Summary
oc adm upgrade recommenddocumentation noting that token-based authentication (e.g.,oc login -u kubeadmin) is requiredsystem:adminfrom the installer kubeconfig) causes the command to silently skip all alert-based precondition checksContext
Found during OCP 4.22 pre-GA hackathon testing of OCPSTRAT-2781. The Thanos monitoring route uses
kube-rbac-proxywith TokenReview-based auth only (no--client-ca-fileon port 9091), so certificate-based authentication is structurally impossible (source).Root cause discussed with OTA maintainer (W Trevor King): The real fix belongs to the monitoring team — either providing a dedicated Thanos-access SA or adding
--client-ca-fileto kube-rbac-proxy-web. OTA should not hardcode SA assumptions. This doc PR is a band-aid documenting the current token requirement.Test plan
system:adminproducesFailed to check for at least some preconditions: no token is currently in use for this sessionoc login -u kubeadminresolves the issue and all precheck categories are displayed--client-ca-file)oc create token <SA>works from cert auth but choosing the right SA is a monitoring team decisionFixes: https://redhat.atlassian.net/browse/OCPBUGS-87223