Known issues in foundational services

Get a quick overview of the known issues for the available foundational services.

Table 1. Known issues
Service Description More information
IM Client registration failure in Platform UI console while upgrading foundational services version 3.22 or version 3.23 to foundational services version 4.x.x. This limitation is planned to be fixed in an upcoming release. Until then, to work around the issue, see Client registration failure in Platform UI console.
IM Login failure in Platform UI console while upgrading foundational services version 3.22 or version 3.23 to foundational services version 4.x.x. This limitation is planned to be fixed in an upcoming release. Until then, to work around the issue, see Intermittent login failure in Platform UI console.
IM In foundational services version 3.23 and later, the username in the group is displayed as undefined undefined when you list the users in the group in Platform UI console by using Azure SCIM integration or SAML without LDAP configuration. It is a known limitation. Currently, no workaround is available.
IM When you log in to the Platform UI console by using the SAML option, the login page is displayed twice. After you provide the login details, the login page is displayed again instead of the home page of the console. The second time, you do not need to provide the details again; click Login and the home page of the console is displayed. It is a known limitation. Currently, no workaround is available.
IM Before you register the OIDC clients by using the IdP V3 API, you need to log in to the third-party ID provider. Then you can register the OIDC clients in the application. While registering, use the cp-console URL as the application URL and https://<cp-console-url>/ibm/api/social-login/redirect/<name of the oidc> as the redirect URL. However, you might face an issue when you open the cp-console in a browser: when you click the configured ID provider name, you might not be redirected to the authentication page of that IdP. To troubleshoot the issue, see OIDC registration fails to update.
IM LDAP user names are case-sensitive. You must use the name exactly the way it is configured in your LDAP directory.
IM A SAML user with Platform UI administrator permission has only the viewer role set in IM. You must assign roles individually to SAML users in IM.
IM The OpenShift group does not synchronize when a user is added to or removed from an LDAP group. An OpenShift group is created when you add the LDAP group to teams. When a user is added to or removed from an LDAP group at the LDAP server side, the OpenShift group is not updated by any process or thread in IM. To resolve this issue, delete and re-add the LDAP group to teams to recreate the OpenShift group with the latest members.
IM The OpenShift users are not removed when you remove them from the LDAP group. An OpenShift group is created when you add the LDAP group to teams. An OpenShift user is created when you add an LDAP user to teams, or when this LDAP user logs in to the IBM Cloud Pak console. When a user is removed from an LDAP group at the LDAP server side, the OpenShift group is not updated by any process or thread in IM. An OpenShift user or group is deleted only if this user or group is deleted from teams. To resolve this issue, delete and re-add the LDAP group to teams to recreate the OpenShift group with the latest members, and manually delete the OpenShift user. To delete the user, use the following command: oc delete user <user_id>.
IM The SAML and LDAP authentication types are displayed in the cp-console login page when you migrate IM from version 3.x to 4.x with the configuration of SAML with LDAP dependency using V2 API. To resolve the issue, update the Identity Provider (IdP) for SAML with LDAP dependency with V3 API schema elements. For more information, see SAML with LDAP dependency using V2 API does not work correctly.
IM The SAML identity provider is removed from the SAML configuration when you upgrade from OCP version 4.10 to 4.12. To resolve the issue, complete the following steps:
1. Restart the MongoDB and auth pods.
oc delete pod -n ibm-common-services -l app=icp-mongodb
2. Verify that the pods are running.
oc get pod -n ibm-common-services | egrep 'NAME|icp-mongodb'
If the pod status shows as Running, proceed with the next step.
3. Delete the auth pods.
oc delete pod -n ibm-common-services -l k8s-app=auth-idp
oc delete pod -n ibm-common-services -l k8s-app=auth-pap
oc delete pod -n ibm-common-services -l k8s-app=auth-pdp
4. Verify the pod status.
oc get pod -n ibm-common-services | egrep 'NAME|auth-idp|auth-pap|auth-pdp'
IM IM access token API (/idprovider/v1/auth/identitytoken) fails when you upgrade IBM Cloud Pak for Data version 4.7.4 to 5.0.0. The following error is displayed in the log when you generate an IM access token:
Failed to get access token, Liberty error: {\"error_description\":\"CWWKS1406E: The token request had an invalid client credential. The request URI was \\/oidc\\/endpoint\\/OP\\/token.\",\"error\":\"invalid_client\"}"
To resolve the IM access token issue, run the following command to restart the oidc-client-registration job:
oc -n <your-foundational-services-namespace> delete job oidc-client-registration
Installer The cp-console address is changed after the CS operator is upgraded to v4, but IAM service remains in v3. For more information, see cp-console address is changed after CS operator is upgraded to v4, but IAM service is still in v3.
Installer OLM is unable to generate new installation plans for updates or new installations. For more information about the issue and the steps to resolve the issue, see OLM is unable to generate new install plans.
Installer After you upgrade foundational services, you might see some of the operator pods are in Crashloopbackoff status. This is because of an Operator Lifecycle Manager (OLM) known issue. For more information about the issue and the steps to resolve the issue, see Operator upgrade fails - OLM known issue.
Installer - IM An OpenShift user named admin collides with the IBM Cloud Pak foundational services default user admin. To resolve the issue, rename the IBM Cloud Pak foundational services default username if an admin username exists in OpenShift. For more information, see Changing the default admin username.
Installer When you install or upgrade foundational services, you might see that some of the operators are in a Pending, Unknown, or Can't Update status. This is because of an Operator Lifecycle Manager (OLM) known issue. For more information about the issue and the steps to resolve the issue, see the following topics:
Installer When you install foundational services on Azure environment with Azure storage, foundational services pods do not start. To resolve this issue, get the scc.uid from the installation namespace before creating the custom Azure storage class. For more information, see Using Azure File storage class.
Installer After upgrading an OpenShift cluster to OpenShift version 4.15.x via the OpenShift console, the foundational services operator CSV fails with the following message: install strategy failed: rolebindings.rbac.authorization.k8s.io "ibm-common-service-operator-service-auth-reader". To resolve this issue, see Install strategy fails after upgrading OpenShift to 4.15.x.
MongoDB When you install foundational services, the use of NFS storage and self-defined persistent volumes has extra restrictions that might stop some of your workloads. For example, the MongoDB deployment might not run properly.
Cert-manager If there are two cert-managers on your cluster, your Certificates might not be in the ready status. You must uninstall one of the cert-managers. See Problem when you install two different cert-managers.
Cert-manager The self-signed CA certificate that is used by IBM Cloud Pak foundational services and created by the cert-manager service has a duration of 90 days. The CA certificate is refreshed by cert-manager, but the leaf certificates that use the CA certificate must be manually refreshed. It is recommended that you check the expiration date of the CA certificate, refresh the CA certificate before the expiration date, and renew the leaf certificates. The CA certificate duration can also be updated.
Cert-manager Multiple CertificateRequests in the cert-manager block the Certificates from reaching the ready status. To resolve the issue, delete the duplicate CertificateRequests. See Multiple CertificateRequest objects block Certificate objects from becoming ready.
License Service Reporter After you upgrade to foundational services version 4.0 or later, the Error 404 - Not found error message is displayed when you select the Licensing menu in the IBM Cloud Pak console. To resolve the issue, remove the ibm-license-service-reporter-bindinfo-ibm-license-service-reporter-zen configmap from the namespace where you deployed the foundational services.
Events operator When upgrading Events operator from previous versions, a Zookeeper pod ends up in a CrashLoopBackOff state. To resolve this problem, see Zookeeper pod hangs in a CrashLoopBackOff state.
Events operator Events operator is periodically printing the following message: Failed to acquire lock during the reconciliation process, and it is timing out. This might indicate that the lock was not properly released due to an error. To resolve the problem, restart the Events operator to release the lock.
Platform UI Upgrade of Platform UI (zen) operand fails. To resolve this problem, see Upgrade of Platform UI (zen) operand fails.
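
For the Cert-manager entry on the 90-day self-signed CA certificate, the following added example (not IBM's tooling and not part of the original page) checks whether an exported CA certificate is close to expiry and which exported leaf certificates no longer verify against the current CA. The file arguments, the 30-day warning window, and the `<ca-secret>` and `<namespace>` placeholders are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Export the PEM files from the cluster first, for example
# (placeholders, not real object names):
#   oc get secret <ca-secret> -n <namespace> -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.pem

# Succeeds (exit 0) when the certificate in $1 expires within $2 days.
expires_within_days() {
  local pem=$1 days=$2
  # -checkend exits 0 if the certificate is still valid N seconds from now,
  # so the result is inverted to answer "does it expire inside the window?".
  ! openssl x509 -in "$pem" -noout -checkend $(( days * 86400 )) >/dev/null
}

# Succeeds when the leaf certificate in $2 verifies against the CA in $1.
leaf_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints one status line per leaf; returns 1 if any leaf needs renewal.
audit_leaves() {
  local ca=$1 rc=0 leaf
  shift
  for leaf in "$@"; do
    if leaf_chains_to_ca "$ca" "$leaf"; then
      echo "OK     $leaf"
    else
      echo "RENEW  $leaf"
      rc=1
    fi
  done
  return $rc
}

# Usage: ./check-ca.sh ca.pem leaf1.pem [leaf2.pem ...]
if [ "$#" -ge 2 ]; then
  # The 30-day window is an assumed threshold for a 90-day CA.
  expires_within_days "$1" 30 && echo "WARN   CA in $1 expires within 30 days"
  audit_leaves "$@"
fi
```

A leaf reported as RENEW was issued under a CA that is no longer the current one, which is the case the entry says must be renewed manually.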