Add token-based auth prerequisite for oc adm upgrade recommend #112077

Open
asadawar wants to merge 1 commit into openshift:main from asadawar:fix/osdocs-19867-recommend-auth

@asadawar asadawar commented May 21, 2026

Summary

  • Adds a prerequisite to the oc adm upgrade recommend documentation noting that token-based authentication (e.g., oc login -u kubeadmin) is required
  • Documents that certificate-based auth (system:admin from the installer kubeconfig) causes the command to silently skip all alert-based precondition checks
  • Includes the exact error message users see so it is searchable

Context

Found during OCP 4.22 pre-GA hackathon testing of OCPSTRAT-2781. The Thanos monitoring route uses kube-rbac-proxy with TokenReview-based auth only (no --client-ca-file on port 9091), so certificate-based authentication is structurally impossible (source).

Root cause discussed with OTA maintainer (W Trevor King): The real fix belongs to the monitoring team — either providing a dedicated Thanos-access SA or adding --client-ca-file to kube-rbac-proxy-web. OTA should not hardcode SA assumptions. This doc PR is a band-aid documenting the current token requirement.

Test plan

  • Verified on OCP 4.22.0-rc.4 that system:admin produces Failed to check for at least some preconditions: no token is currently in use for this session
  • Verified that oc login -u kubeadmin resolves the issue and all precheck categories are displayed
  • Verified API server proxy to thanos-querier returns 401 (kube-rbac-proxy-web has no --client-ca-file)
  • Verified oc create token <SA> works from cert auth but choosing the right SA is a monitoring team decision

Fixes: https://redhat.atlassian.net/browse/OSDOCS-19867

The recommend command requires a bearer token to query the Thanos
monitoring route. Certificate-based auth (system:admin from the
installer kubeconfig) causes the command to silently skip all
alert-based precondition checks.

Fixes: https://redhat.atlassian.net/browse/OSDOCS-19867
@openshift-ci openshift-ci Bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 21, 2026
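
A fail-closed wrapper for the behaviour this PR documents, added here as an example and not part of the PR or of `oc`: it rejects `oc adm upgrade recommend` output when the session has no bearer token or when the quoted message shows the alert-based checks were skipped. The function names, exit codes and sample strings are assumptions constructed for illustration, and the message is assumed to arrive on either stdout or stderr.

```bash
#!/usr/bin/env bash
# Added example: fail-closed wrapper around `oc adm upgrade recommend`.
# SKIP_MSG is the message quoted in the PR; function names are hypothetical.
SKIP_MSG='Failed to check for at least some preconditions: no token is currently in use for this session'

# Return 0 only when the current oc session carries a bearer token.
# `oc whoami -t` fails for certificate-based sessions such as system:admin.
session_has_token() {
    local tok
    tok=$(oc whoami -t 2>/dev/null) && [ -n "$tok" ]
}

# Classify captured recommend output (stdout and stderr merged).
# Prints "skipped" and returns 1 when the alert-based checks did not run.
classify_recommend_output() {
    if printf '%s\n' "$1" | grep -qF -- "$SKIP_MSG"; then
        echo "skipped"
        return 1
    fi
    echo "checked"
}

# Run the command and refuse to treat a skipped precheck as a pass.
# Exit codes (assumed convention): 2 = no token, 3 = checks skipped.
recommend_fail_closed() {
    local out rc
    if ! session_has_token; then
        echo "no bearer token in session; log in with a token (e.g. oc login -u kubeadmin)" >&2
        return 2
    fi
    out=$(oc adm upgrade recommend "$@" 2>&1); rc=$?
    printf '%s\n' "$out"
    if ! classify_recommend_output "$out" >/dev/null; then
        echo "alert-based precondition checks were skipped; not trusting this result" >&2
        return 3
    fi
    return "$rc"
}

# Constructed sample outputs for offline use (not captured from a cluster).
SAMPLE_CERT_AUTH="$SKIP_MSG
<remaining recommend output, constructed placeholder>"
SAMPLE_TOKEN_AUTH="<recommend output with all precheck categories, constructed placeholder>"
```
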

openshift-ci Bot commented May 21, 2026

Hi @asadawar. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
