doesn't apply oidc parameters to kube-apiserver

[chukynax]

Environment:

• Cloud provider or hardware configuration:
  Hardware

• OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"):
  Linux 4.15.0-147-generic x86_64
  NAME="Ubuntu"
  VERSION="18.04.5 LTS (Bionic Beaver)"
  ID=ubuntu
  ID_LIKE=debian
  PRETTY_NAME="Ubuntu 18.04.5 LTS"
  VERSION_ID="18.04"
  HOME_URL="https://www.ubuntu.com/"
  SUPPORT_URL="https://help.ubuntu.com/"
  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
  VERSION_CODENAME=bionic
  UBUNTU_CODENAME=bionic

• Version of Ansible (ansible --version):
  ansible 2.9.22

• Version of Python (python --version):
  Python 2.7.18

Kubespray version (commit) (git rev-parse --short HEAD):
v2.14.1

Network plugin used:
Calico

Ansible doesn't apply defined in
kube_oidc_auth: true
kube_oidc_url: https://dex.domain.com
kube_oidc_client_id: kubernetes
kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.pem"
kube_oidc_username_claim: sub
kube_oidc_username_prefix: "oidc:"
kube_oidc_groups_claim: "groups"
kube_oidc_groups_prefix: "oidc:"

to /etc/kubernetes/manifests/kube-apiserver.yaml

therefore kube-apiserver pod doesn't have these parameters

[dgo-]

I am running in the same issue today.

I rerun cluster.yml to apply the oidc settings to the control plane.

I set the following group variables regarding oidc

kube_oidc_url: https://example.domain
kube_oidc_client_id: kubernetes
kube_oidc_username_claim: email
kube_oidc_username_prefix: "oidc:"
kube_oidc_groups_claim: groups
kube_oidc_groups_prefix: "oidc:" 

I see that the values are added to /etc/kubernetes/kubeadm-config.yaml

....
apiServer:
  extraArgs:
    oidc-issuer-url: "https://example.domain"
    oidc-client-id: "kubernetes"
    oidc-username-claim: "email"
    oidc-groups-claim: "groups"
    oidc-username-prefix: "oidc:"
    oidc-groups-prefix: "oidc:"
....

But no oidc entry in the /etc/kubernetes/manifests/kube-apiserver.yaml

[crinjes]

I've noticed the same using the v2.16.0 docker image. Kubeadm config is generated, but whatever makes kubeadm generate the updated kube-apiserver manifest is not run when using cluster.yml.

Two options that work:

• run upgrade-cluster.yml
• run cluster.yml with -e upgrade_cluster_setup=true (See Upgrades/Unsafe upgrade example)

Related: #4736

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[chukynax]

it didnt work for me ... both scenarios

[muratcabuk]

if we enable oidc after the cluster is deployed and apply to cluster it is not changing kube-apiserver settings.

[hhk7734]

I manually executed kubeadm init phase control-plane apiserver --config=/etc/kubernetes/kubeadm-config.yaml on the kube_control_plane nodes.