Skip to content

OCPBUGS-87223: Add token-based auth prerequisite for oc adm upgrade recommend#112077

Merged
skopacz1 merged 1 commit into
openshift:mainfrom
asadawar:fix/osdocs-19867-recommend-auth
Jul 9, 2026
Merged

OCPBUGS-87223: Add token-based auth prerequisite for oc adm upgrade recommend#112077
skopacz1 merged 1 commit into
openshift:mainfrom
asadawar:fix/osdocs-19867-recommend-auth

Conversation

@asadawar

@asadawar asadawar commented May 21, 2026

Copy link
Copy Markdown

Summary

  • Adds a prerequisite to the oc adm upgrade recommend documentation noting that token-based authentication (e.g., oc login -u kubeadmin) is required
  • Documents that certificate-based auth (system:admin from the installer kubeconfig) causes the command to silently skip all alert-based precondition checks
  • Includes the exact error message users see so it is searchable

Context

Found during OCP 4.22 pre-GA hackathon testing of OCPSTRAT-2781. The Thanos monitoring route uses kube-rbac-proxy with TokenReview-based auth only (no --client-ca-file on port 9091), so certificate-based authentication is structurally impossible (source).

Root cause discussed with OTA maintainer (W Trevor King): The real fix belongs to the monitoring team — either providing a dedicated Thanos-access SA or adding --client-ca-file to kube-rbac-proxy-web. OTA should not hardcode SA assumptions. This doc PR is a band-aid documenting the current token requirement.

Test plan

  • Verified on OCP 4.22.0-rc.4 that system:admin produces Failed to check for at least some preconditions: no token is currently in use for this session
  • Verified that oc login -u kubeadmin resolves the issue and all precheck categories are displayed
  • Verified API server proxy to thanos-querier returns 401 (kube-rbac-proxy-web has no --client-ca-file)
  • Verified oc create token <SA> works from cert auth but choosing the right SA is a monitoring team decision

Fixes: https://redhat.atlassian.net/browse/OCPBUGS-87223

@openshift-ci openshift-ci Bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 21, 2026
@openshift-ci

openshift-ci Bot commented May 21, 2026

Copy link
Copy Markdown

Hi @asadawar. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@asadawar

asadawar commented Jun 5, 2026

Copy link
Copy Markdown
Author

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 5, 2026
@ocpdocs-previewbot

ocpdocs-previewbot commented Jun 5, 2026

Copy link
Copy Markdown

Comment thread modules/oc-adm-upgrade-recommend.adoc
@asadawar asadawar changed the title Add token-based auth prerequisite for oc adm upgrade recommend OCPBUGS-87223 - Add token-based auth prerequisite for oc adm upgrade recommend Jun 5, 2026
@asadawar asadawar force-pushed the fix/osdocs-19867-recommend-auth branch from 3b0ac7b to 75e9782 Compare June 5, 2026 18:15
@asadawar

asadawar commented Jun 5, 2026

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot

Copy link
Copy Markdown

@asadawar: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@asadawar

asadawar commented Jun 5, 2026

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot

Copy link
Copy Markdown

@asadawar: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@asadawar asadawar changed the title OCPBUGS-87223 - Add token-based auth prerequisite for oc adm upgrade recommend OSDOCS-19867: Add token-based auth prerequisite for oc adm upgrade recommend Jun 5, 2026
@asadawar

asadawar commented Jun 5, 2026

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 5, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 5, 2026

Copy link
Copy Markdown

@asadawar: This pull request references OSDOCS-19867 which is a valid jira issue.

Details

In response to this:

Summary

  • Adds a prerequisite to the oc adm upgrade recommend documentation noting that token-based authentication (e.g., oc login -u kubeadmin) is required
  • Documents that certificate-based auth (system:admin from the installer kubeconfig) causes the command to silently skip all alert-based precondition checks
  • Includes the exact error message users see so it is searchable

Context

Found during OCP 4.22 pre-GA hackathon testing of OCPSTRAT-2781. The Thanos monitoring route uses kube-rbac-proxy with TokenReview-based auth only (no --client-ca-file on port 9091), so certificate-based authentication is structurally impossible (source).

Root cause discussed with OTA maintainer (W Trevor King): The real fix belongs to the monitoring team — either providing a dedicated Thanos-access SA or adding --client-ca-file to kube-rbac-proxy-web. OTA should not hardcode SA assumptions. This doc PR is a band-aid documenting the current token requirement.

Test plan

  • Verified on OCP 4.22.0-rc.4 that system:admin produces Failed to check for at least some preconditions: no token is currently in use for this session
  • Verified that oc login -u kubeadmin resolves the issue and all precheck categories are displayed
  • Verified API server proxy to thanos-querier returns 401 (kube-rbac-proxy-web has no --client-ca-file)
  • Verified oc create token <SA> works from cert auth but choosing the right SA is a monitoring team decision

Fixes: https://redhat.atlassian.net/browse/OCPBUGS-87223

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

openshift-ci-robot commented Jun 5, 2026

Copy link
Copy Markdown

@asadawar: This pull request references OSDOCS-19867 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@asadawar asadawar changed the title OSDOCS-19867: Add token-based auth prerequisite for oc adm upgrade recommend OCPBUGS-87223: Add token-based auth prerequisite for oc adm upgrade recommend Jun 5, 2026
@asadawar

asadawar commented Jun 5, 2026

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot

Copy link
Copy Markdown

@asadawar: This pull request references Jira Issue OCPBUGS-87223, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jun 5, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@asadawar: This pull request references Jira Issue OCPBUGS-87223, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

  • Adds a prerequisite to the oc adm upgrade recommend documentation noting that token-based authentication (e.g., oc login -u kubeadmin) is required
  • Documents that certificate-based auth (system:admin from the installer kubeconfig) causes the command to silently skip all alert-based precondition checks
  • Includes the exact error message users see so it is searchable

Context

Found during OCP 4.22 pre-GA hackathon testing of OCPSTRAT-2781. The Thanos monitoring route uses kube-rbac-proxy with TokenReview-based auth only (no --client-ca-file on port 9091), so certificate-based authentication is structurally impossible (source).

Root cause discussed with OTA maintainer (W Trevor King): The real fix belongs to the monitoring team — either providing a dedicated Thanos-access SA or adding --client-ca-file to kube-rbac-proxy-web. OTA should not hardcode SA assumptions. This doc PR is a band-aid documenting the current token requirement.

Test plan

  • Verified on OCP 4.22.0-rc.4 that system:admin produces Failed to check for at least some preconditions: no token is currently in use for this session
  • Verified that oc login -u kubeadmin resolves the issue and all precheck categories are displayed
  • Verified API server proxy to thanos-querier returns 401 (kube-rbac-proxy-web has no --client-ca-file)
  • Verified oc create token <SA> works from cert auth but choosing the right SA is a monitoring team decision

Fixes: https://redhat.atlassian.net/browse/OCPBUGS-87223

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@asadawar

asadawar commented Jul 9, 2026

Copy link
Copy Markdown
Author

/label merge-review-needed

@openshift-ci openshift-ci Bot added the merge-review-needed Signifies that the merge review team needs to review this PR label Jul 9, 2026
@dis016

dis016 commented Jul 9, 2026

Copy link
Copy Markdown

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2026
@skopacz1 skopacz1 added the merge-review-in-progress Signifies that the merge review team is reviewing this PR label Jul 9, 2026

@skopacz1 skopacz1 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one small formatting thing, then this PR is good to go! Thanks for submitting this

Comment thread modules/oc-adm-upgrade-recommend.adoc Outdated
====
The `oc adm upgrade recommend` command requires a bearer token to query the cluster's Thanos monitoring service for firing alerts. Certificate-based authentication, such as the `system:admin` identity provided in the default `kubeconfig` file from the installation program, does not satisfy this requirement. If you use certificate-based authentication, the command output displays the following message and skips all alert-based precondition checks:

`Failed to check for at least some preconditions: no token is currently in use for this session`

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you change this to a code block instead? It would look like this:

Suggested change
`Failed to check for at least some preconditions: no token is currently in use for this session`
[source,terminal]
----
Failed to check for at least some preconditions: no token is currently in use for this session
----

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure. Thanks for the review. Applying the suggested changes.

The recommend command requires a bearer token to query the Thanos
monitoring route. Certificate-based auth (system:admin from the
installer kubeconfig) causes the command to silently skip all
alert-based precondition checks.

Fixes: https://redhat.atlassian.net/browse/OSDOCS-19867
@asadawar asadawar force-pushed the fix/osdocs-19867-recommend-auth branch from 75e9782 to 1417b39 Compare July 9, 2026 16:49
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2026
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown

New changes are detected. LGTM label has been removed.

@openshift-ci openshift-ci Bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 9, 2026
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown

@asadawar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@skopacz1 skopacz1 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@skopacz1 skopacz1 added this to the Continuous Release milestone Jul 9, 2026
@skopacz1 skopacz1 merged commit ddbdf76 into openshift:main Jul 9, 2026
2 checks passed
@openshift-ci-robot

Copy link
Copy Markdown

@asadawar: Jira Issue OCPBUGS-87223: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-87223 has been moved to the MODIFIED state.

Details

In response to this:

Summary

  • Adds a prerequisite to the oc adm upgrade recommend documentation noting that token-based authentication (e.g., oc login -u kubeadmin) is required
  • Documents that certificate-based auth (system:admin from the installer kubeconfig) causes the command to silently skip all alert-based precondition checks
  • Includes the exact error message users see so it is searchable

Context

Found during OCP 4.22 pre-GA hackathon testing of OCPSTRAT-2781. The Thanos monitoring route uses kube-rbac-proxy with TokenReview-based auth only (no --client-ca-file on port 9091), so certificate-based authentication is structurally impossible (source).

Root cause discussed with OTA maintainer (W Trevor King): The real fix belongs to the monitoring team — either providing a dedicated Thanos-access SA or adding --client-ca-file to kube-rbac-proxy-web. OTA should not hardcode SA assumptions. This doc PR is a band-aid documenting the current token requirement.

Test plan

  • Verified on OCP 4.22.0-rc.4 that system:admin produces Failed to check for at least some preconditions: no token is currently in use for this session
  • Verified that oc login -u kubeadmin resolves the issue and all precheck categories are displayed
  • Verified API server proxy to thanos-querier returns 401 (kube-rbac-proxy-web has no --client-ca-file)
  • Verified oc create token <SA> works from cert auth but choosing the right SA is a monitoring team decision

Fixes: https://redhat.atlassian.net/browse/OCPBUGS-87223

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@skopacz1

skopacz1 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

/cherrypick enterprise-4.22
/cherrypick enterprise-5.0

@openshift-cherrypick-robot

Copy link
Copy Markdown

@skopacz1: new pull request created: #115031

Details

In response to this:

/cherrypick enterprise-4.22
/cherrypick enterprise-5.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot

Copy link
Copy Markdown

@skopacz1: new pull request created: #115032

Details

In response to this:

/cherrypick enterprise-4.22
/cherrypick enterprise-5.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@skopacz1 skopacz1 removed merge-review-in-progress Signifies that the merge review team is reviewing this PR merge-review-needed Signifies that the merge review team needs to review this PR labels Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

branch/enterprise-4.22 branch/enterprise-5.0 jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants