OCPBUGS-7860: azure: session: fix unclear auth error messages #6901
Conversation
openshift-ci-robot
added
jira/severity-low
|
@r4f4: This pull request references Jira Issue OCPBUGS-7860, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@r4f4: This pull request references Jira Issue OCPBUGS-7860, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
There was a problem hiding this comment.
nit: Might be able to clean this warning up a bit. "Certs are only supported by the installer, not the cluster". Maybe something like that.
There was a problem hiding this comment.
I didn't add this warning, just moved it. It was added in #6250. But I can reword if we think it's necessary.
The `autorest/auth` library expects specific keys in the json file for certificate authentication [1]. If we ever saved the Credentials object to a json file during survey, it would have used the wrong keys: `certificatePath` and `certificatePassword` instead of `clientCertificate` and `clientCertificatePassword`, respectively. This change aims to fix that so that the saved `osServicePrincipal.json` file with certificate authentication details can be correctly loaded by the autorest library. It'll also be important in a follow-up change where we are going to load the file ourselves instead of using autorest. Notice that this is not breaking compatibility with previous versions since those fields were never used to create a file (we only survey client secret credentials). [1] https://github.com/Azure/go-autorest/blob/main/autorest/azure/auth/auth.go#L348-L349
If you tried to authenticate with a certificate and provided the wrong password, the installer error message didn't actually say what the error was. It just said ``` $ ./openshift-install create install-config --dir ipi-test INFO Could not get an azure authorizer from file: auth file missing client and certificate credentials INFO Asking user to provide authentication info ? azure subscription id [? for help] ``` That happens because the autorest lib would just ignore the auth errors in favor of a generic message [1]. Since the `autorest/auth` module is going out of support by March 31, 2023, let's get rid of it and load the auth file ourselves. Now when doing cert authentication with the wrong password we get: ``` INFO Credentials loaded from file "/root/.azure/osServicePrincipal.json" WARNING Using client certs to authenticate. Please be warned cluster does not support certs and only the installer does. ERROR failed to fetch Kubeconfig Admin Client: failed to load asset "Install Config": failed to create install config: creating Azure session: failed to parse client certificate: pkcs12: decryption password incorrect ``` [1] https://github.com/Azure/go-autorest/blob/main/autorest/azure/auth/auth.go#L264-L270
r4f4
force-pushed
the
azure-remove-autorest-auth
branch
from
6abfb63 to
fcaccfa
Compare
|
Added a new commit to isoloate and explain why the json annotations were changed. No code changes were introduced. |
|
@r4f4: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: patrickdillon The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/lgtm |
|
@r4f4: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-7860 has been moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
6 participants
If you tried to authenticate with a certificate and provided the wrong password, the installer error message didn't actually say what the error was. It just said
That happens because the autorest lib would just ignore the auth errors in favor of a generic message [1]. Since the
autorest/authmodule is going out of support by March 31, 2023, let's get rid of it and load the auth file ourselves.Now when doing cert authentication with the wrong password we get:
[1] https://github.com/Azure/go-autorest/blob/main/autorest/azure/auth/auth.go#L264-L270