cliconfig manifest rendered incorrectly #706

Open
Tyrone-W opened this issue Oct 2, 2024 · 4 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@Tyrone-W

Tyrone-W commented Oct 2, 2024

OKD cluster version: 4.17.0-0.okd-scos-2024-09-29-005341

The configmap created in the openshift-authentication namespace is rendered incorrectly if a space exists within the name of an identityProvider.

Example oauth object

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    release.openshift.io/create-only: "true"
  name: cluster
spec:
  identityProviders:
  - ldap:
      attributes:
        email:
        - mail
        id:
        - uid
        name:
        - displayName
        preferredUsername:
        - uid
      bindDN: uid=okd
      bindPassword:
        name: ldap-secret
      ca:
        name: ca-config-map
      url: ldaps://servername.okd.io
    mappingMethod: claim
    name: Name With A Space
    type: LDAP
  - ldap:
      attributes:
        email:
        - mail
        id:
        - uid
        name:
        - displayName
        preferredUsername:
        - uid
      bindDN: uid=okd
      bindPassword:
        name: ldap-secret
      ca:
        name: ca-config-map
      url: ldaps://servername.okd.io
    mappingMethod: claim
    name: Name
    type: LDAP
    

The configmap created in the openshift-authentication namespace once the oauth object is reconciled

apiVersion: v1
data:
  v4-0-config-system-cliconfig: '{"admission":{},"apiVersion":"osin.config.openshift.io/v1","auditConfig":{"auditFilePath":"","enabled":false,"logFormat":"","maximumFileRetentionDays":0,"maximumFileSizeMegabytes":0,"maximumRetainedFiles":0,"policyConfiguration":null,"policyFile":"","webHookKubeConfig":"","webHookMode":""},"corsAllowedOrigins":["//127\\.0\\.0\\.1(:|$)","//localhost(:|$)"],"kind":"OsinServerConfig","kubeClientConfig":{"connectionOverrides":{"acceptContentTypes":"","burst":400,"contentType":"","qps":400},"kubeConfig":""},"oauthConfig":{"alwaysShowProviderSelection":false,"assetPublicURL":"https://console-openshift-console.apps.test.okd.io","grantConfig":{"method":"deny","serviceAccountMethod":"prompt"},"identityProviders":[{"challenge":true,"login":true,"mappingMethod":"claim","name":"Name
    With A Space","provider":{"apiVersion":"osin.config.openshift.io/v1","attributes":{"email":["mail"],"id":["uid"],"name":["displayName"],"preferredUsername":["uid"]},"bindDN":"uid=okd","bindPassword":{"env":"","file":"/var/config/user/idp/0/secret/v4-0-config-user-idp-0-bind-password/bindPassword","keyFile":"","value":""},"ca":"/var/config/user/idp/0/configMap/v4-0-config-user-idp-0-ca/ca.crt","insecure":false,"kind":"LDAPPasswordIdentityProvider","url":"ldaps://servername.okd.io"}},{"challenge":true,"login":true,"mappingMethod":"claim","name":"Name","provider":{"apiVersion":"osin.config.openshift.io/v1","attributes":{"email":["mail"],"id":["uid"],"name":["displayName"],"preferredUsername":["uid"]},"bindDN":"uid=okd","bindPassword":{"env":"","file":"/var/config/user/idp/1/secret/v4-0-config-user-idp-1-bind-password/bindPassword","keyFile":"","value":""},"ca":"/var/config/user/idp/1/configMap/v4-0-config-user-idp-1-ca/ca.crt","insecure":false,"kind":"LDAPPasswordIdentityProvider","url":"ldaps://servername.okd.io"}}
kind: ConfigMap
metadata:
  labels:
    app: oauth-openshift
  name: v4-0-config-system-cliconfig
  namespace: openshift-authentication

Logs of the authentication-operator pod show the following when the configmap is updated.

I1002 13:10:26.497418       1 core.go:359] ConfigMap "openshift-authentication/v4-0-config-system-cliconfig" changes: {"data":{"v4-0-config-system-cliconfig":"{\"admission\":{},\"apiVersion\":\"osin.config.openshift.io/v1\",\"auditConfig\":{\"auditFilePath\":\"\",\"enabled\":false,\"logFormat\":\"\",\"maximumFileRetentionDays\":0,\"maximumFileSizeMegabytes\":0,\"maximumRetainedFiles\":0,\"policyConfiguration\":null,\"policyFile\":\"\",\"webHookKubeConfig\":\"\",\"webHookMode\":\"\"},\"corsAllowedOrigins\":[\"//127\\\\.0\\\\.0\\\\.1(:|$)\",\"//localhost(:|$)\"],\"kind\":\"OsinServerConfig\",\"kubeClientConfig\":{\"connectionOverrides\":{\"acceptContentTypes\":\"\",\"burst\":400,\"contentType\":\"\",\"qps\":400},\"kubeConfig\":\"\"},\"oauthConfig\":{\"alwaysShowProviderSelection\":false,\"assetPublicURL\":\"https://console-openshift-console.apps.test.okd.io\",\"grantConfig\":{\"method\":\"deny\",\"serviceAccountMethod\":\"prompt\"},\"identityProviders\":[{\"challenge\":true,\"login\":true,\"mappingMethod\":\"claim\",\"name\":\"Name With A Space\",\"provider\":{\"apiVersion\":\"osin.config.openshift.io/v1\",\"attributes\":{\"email\":[\"mail\"],\"id\":[\"uid\"],\"name\":[\"displayName\"],\"preferredUsername\":[\"uid\"]},\"bindDN\":\"uid=okd\",\"bindPassword\":{\"env\":\"\",\"file\":\"/var/config/user/idp/0/secret/v4-0-config-user-idp-0-bind-password/bindPassword\",\"keyFile\":\"\",\"value\":\"\"},\"ca\":\"/var/config/user/idp/0/configMap/v4-0-config-user-idp-0-ca/ca.crt\",\"insecure\":false,\"kind\":\"LDAPPasswordIdentityProvider\",\"url\":\"ldaps://servername.okd.io\"}}

Error given by openshift-authentication pods attempting to read the configmap.

panic: parsing "/login/Name With A Space": at offset 0: invalid method "/login/Name"

goroutine 1 [running]:
net/http.(*ServeMux).register(...)
        net/http/server.go:2738
net/http.(*ServeMux).Handle(0xc000455820?, {0xc0007774e8?, 0x2?}, {0x2977660?, 0xc00090f4c0?})
        net/http/server.go:2701 +0x56
github.com/openshift/oauth-server/pkg/server/login.(*Login).Install(...)
        github.com/openshift/oauth-server/pkg/server/login/login.go:95
github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).getAuthenticationHandler(0xc0006c3dc0, {0x29824d8, 0xc0006ec1a0}, {0x29774a0, 0xc000743090})
        github.com/openshift/oauth-server/pkg/oauthserver/auth.go:374 +0x1a03
github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).getAuthorizeAuthenticationHandlers(0xc0006c3dc0, {0x29824d8, 0xc0006ec1a0}, {0x29774a0, 0xc000743090})
        github.com/openshift/oauth-server/pkg/oauthserver/auth.go:242 +0x65
github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).WithOAuth(0xc0006c3dc0, {0x2975460, 0xc0004547c0})
        github.com/openshift/oauth-server/pkg/oauthserver/auth.go:107 +0x21d
github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).buildHandlerChainForOAuth(0xc0006c3dc0, {0x2975460?, 0xc0004547c0?}, 0xc000769188)
        github.com/openshift/oauth-server/pkg/oauthserver/oauth_apiserver.go:342 +0x45
k8s.io/apiserver/pkg/server.completedConfig.New.func1({0x2975460?, 0xc0004547c0?})
        k8s.io/[email protected]/pkg/server/config.go:825 +0x28
k8s.io/apiserver/pkg/server.NewAPIServerHandler({0x2520a77, 0xf}, {0x2988ea0, 0xc000767480}, 0xc0002a1740, {0x0, 0x0})
        k8s.io/[email protected]/pkg/server/handler.go:96 +0x2ad
k8s.io/apiserver/pkg/server.completedConfig.New({0xc000769188?, {0x0?, 0x0?}}, {0x2520a77, 0xf}, {0x29a6f20, 0xc000742fb0})
        k8s.io/[email protected]/pkg/server/config.go:833 +0x2a5
github.com/openshift/oauth-server/pkg/oauthserver.completedOAuthConfig.New({{0xc000718f60?}, 0xc0006c3dc8?}, {0x29a6f20?, 0xc000742fb0?})
        github.com/openshift/oauth-server/pkg/oauthserver/oauth_apiserver.go:322 +0x6a
github.com/openshift/oauth-server/pkg/cmd/oauth-server.RunOsinServer(0xc0002ab680?, 0xc00044c000?, 0xc0000c65a0)
        github.com/openshift/oauth-server/pkg/cmd/oauth-server/server.go:45 +0x73
github.com/openshift/oauth-server/pkg/cmd/oauth-server.(*OsinServerOptions).RunOsinServer(0xc000688318, 0xc0000c65a0)
        github.com/openshift/oauth-server/pkg/cmd/oauth-server/cmd.go:108 +0x259
github.com/openshift/oauth-server/pkg/cmd/oauth-server.NewOsinServerCommand.func1(0xc000810200?, {0x250e987?, 0x4?, 0x250e98b?})
        github.com/openshift/oauth-server/pkg/cmd/oauth-server/cmd.go:46 +0xed
github.com/spf13/cobra.(*Command).execute(0xc0001a4908, {0xc0002524d0, 0x7, 0x7})
        github.com/spf13/[email protected]/command.go:944 +0x867
github.com/spf13/cobra.(*Command).ExecuteC(0xc0001a4608)
        github.com/spf13/[email protected]/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/[email protected]/command.go:992
k8s.io/component-base/cli.run(0xc0001a4608)
        k8s.io/[email protected]/cli/run.go:146 +0x290
k8s.io/component-base/cli.Run(0xc0000c65a0?)
        k8s.io/[email protected]/cli/run.go:46 +0x17
main.main()
        github.com/openshift/oauth-server/cmd/oauth-server/main.go:46 +0x2de
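
The panic message above matches how `net/http.ServeMux` parses patterns since Go 1.22, as `[METHOD ][HOST]/[PATH]`, where the first space or tab ends the method. The Go program below is an added example, not part of the issue or of oauth-server: it pre-checks provider names and probes registration on a throwaway mux. `checkProviderName`, `tryRegister` and `escapedLoginPattern` are hypothetical helpers, and percent-encoding is shown only as one way to build a pattern that registers, not as the project's fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// checkProviderName (hypothetical helper) reports why a provider name is
// unsafe to place verbatim in a ServeMux pattern such as "/login/<name>".
func checkProviderName(name string) error {
	if name == "" {
		return fmt.Errorf("empty name")
	}
	if i := strings.IndexAny(name, " \t"); i >= 0 {
		// The text before the first space or tab is read as the HTTP
		// method, so "/login/Name" fails method validation.
		return fmt.Errorf("whitespace at offset %d splits the pattern into METHOD and PATH", i)
	}
	if strings.ContainsAny(name, "{}") {
		return fmt.Errorf("braces are wildcard syntax in Go 1.22+ patterns")
	}
	return nil
}

// tryRegister registers pattern on a throwaway mux and returns the panic
// message, or "" when registration succeeds.
func tryRegister(pattern string) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	http.NewServeMux().Handle(pattern, http.NotFoundHandler())
	return ""
}

// escapedLoginPattern percent-encodes the name so the pattern has no space.
func escapedLoginPattern(name string) string {
	return "/login/" + url.PathEscape(name)
}

func main() {
	// Provider names taken from the OAuth object in the report.
	for _, name := range []string{"Name With A Space", "Name"} {
		fmt.Printf("%q: check=%v raw=%q escaped=%q\n", name, checkProviderName(name),
			tryRegister("/login/"+name), tryRegister(escapedLoginPattern(name)))
	}
}
```

The raw registration only panics when the module targets Go 1.22 or later; with an older `go` directive the legacy mux behaviour is selected and the pattern is accepted.
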
@MindTooth

MindTooth commented Oct 22, 2024

Can it be because of this: openshift/oauth-server@4d39d49#diff-26eb62ac396048ba3dc28ae5764caf68710f82c7956d15af24dfef8542c7fbc8R358

However, I think that spaces should be able to be a name of a login provider. 🤷🏻‍♂️

@ibihim thoughts?

@jonasbartho

I can confirm the same behaviour in OCP 4.17

@ibihim
Contributor

ibihim commented Jan 7, 2025

Hi,

I just saw this. Is this still an issue?

We usually don't check the issues section. We usually assume being contacted over Slack.

@openshift-bot
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 8, 2025