Cannot log in to the console after reinstallation of foundational services

After you uninstall IBM Cloud Pak foundational services and reinstall them on the same cluster, you cannot log in to the console with the default admin credentials.

Symptoms

You might see the following error:

CWOAU0038E: The client could not be verified. Either the client ID: t19ph7yimexir00h517actss98zbrg0m or client secret is incorrect.

Cause

After you uninstall the foundational services, if not all resources are cleaned up properly, reinstallation on the same cluster fails.

The cause of the failure might be either or both of the following reasons:

Resolving the problem

To resolve the issue, correct the client_id and client_secret values and restart all IAM jobs.

  1. Log in to your boot node with the oc login command.

  2. Check whether the ibm-iam-operator pod is running.

    oc -n ibm-common-services get pods | grep ibm-iam-operator
    
  3. Check whether all the auth pods are running without any errors. If you see errors, check the logs and resolve the issue.

    oc -n ibm-common-services get pods | grep auth
    
  4. Check the client_id and client_secret values in the platform-oidc-credentials secret and in the registration-json configmap.

    • Check the values in the platform-oidc-credentials secret:

       oc -n ibm-common-services get secret platform-oidc-credentials -o "jsonpath={.data.WLP_CLIENT_ID}" | base64 --decode
       oc -n ibm-common-services get secret platform-oidc-credentials -o "jsonpath={.data.WLP_CLIENT_SECRET}" | base64 --decode
      
    • Check the values in the registration-json configmap:

       oc -n ibm-common-services get cm registration-json -o "jsonpath={.data['platform-oidc-registration\.json']}" > platform-oidc-registration.json
       cat platform-oidc-registration.json
      
  5. If the values in the secret and configmap do not match, update the values in the registration-json configmap with the values from the platform-oidc-credentials secret. To edit the configmap, run the following command:

    oc -n ibm-common-services edit cm registration-json
    

    Replace the client_id and client_secret values, and save and exit the configmap.

  6. Restart these IAM jobs.

    oc -n ibm-common-services delete job oidc-client-registration
    oc -n ibm-common-services delete job iam-onboarding
    oc -n ibm-common-services delete job security-onboarding
    
  7. Wait for some time and check the job status.

    oc -n ibm-common-services get jobs
    

    The status should show as Completed.

  8. Restart the following pods so that the client_id and client_secret get the correct values from the platform-oidc-credentials secret.

    • Delete all common-web-ui pods:

      1. Get the common-web-ui pod name.

        oc -n ibm-common-services get pods | grep common-web-ui
        
      2. Delete the pod.

        oc -n ibm-common-services delete pod <common-web-ui-pod-name>
        
    • Delete all management-ingress pods:

      1. Get the management-ingress pod name.

        oc -n ibm-common-services get pods | grep management-ingress
        
      2. Delete the pod.

        oc -n ibm-common-services delete pod <management-ingress-pod-name>
        
  9. Wait for some time until the common-web-ui and management-ingress pods show the Running status. You can check the status by running the following command:

    oc -n ibm-common-services get pods | grep -e common-web-ui -e management-ingress
    

After the pods are running, you can log in to the console with the default admin credentials.
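
The comparison in steps 4 and 5 can be done without printing the client secret to the terminal or saving it to a file. The following script is an added example, not part of the IBM procedure; the function names, the --cluster switch, and the sample values are assumptions made for illustration, and it assumes that the registration JSON holds client_id and client_secret as plain string fields.

```shell
#!/bin/sh
# Added example (not IBM's code): compare the OIDC client values from steps 4-5
# without echoing the client secret or writing it to a file.
NS=ibm-common-services

# Read JSON on stdin and print the string value of key $1.
# Assumes plain "key": "value" pairs with no escaped quotes in the value.
json_field() {
  tr -d '\n' | sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# compare_oidc CLIENT_ID CLIENT_SECRET REGISTRATION_JSON
# Prints match/MISMATCH per field; returns 0 only if both fields match.
compare_oidc() {
  rc=0
  cm_id=$(printf '%s' "$3" | json_field client_id)
  cm_secret=$(printf '%s' "$3" | json_field client_secret)
  if [ "$1" = "$cm_id" ]; then echo "client_id: match"
  else echo "client_id: MISMATCH"; rc=1; fi
  if [ "$2" = "$cm_secret" ]; then echo "client_secret: match"
  else echo "client_secret: MISMATCH"; rc=1; fi
  return "$rc"
}

# Fetch the live values with the same oc commands as step 4, then compare.
check_cluster() {
  sec_id=$(oc -n "$NS" get secret platform-oidc-credentials \
    -o "jsonpath={.data.WLP_CLIENT_ID}" | base64 --decode)
  sec_secret=$(oc -n "$NS" get secret platform-oidc-credentials \
    -o "jsonpath={.data.WLP_CLIENT_SECRET}" | base64 --decode)
  reg_json=$(oc -n "$NS" get cm registration-json \
    -o "jsonpath={.data['platform-oidc-registration\.json']}")
  compare_oidc "$sec_id" "$sec_secret" "$reg_json"
}

# Constructed sample: a configmap left over from the previous installation.
SAMPLE_JSON='{
  "client_id": "constructed-old-id",
  "client_secret": "constructed-old-secret",
  "scope": "openid profile email"
}'

if [ "${1:-}" = "--cluster" ]; then
  check_cluster
else
  compare_oidc "constructed-new-id" "constructed-new-secret" "$SAMPLE_JSON" ||
    echo "Values differ: update registration-json as in step 5."
fi
```

Run without arguments, the script compares the constructed sample; with --cluster, it reads the live secret and configmap and returns a nonzero exit status if either value differs.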