Known issues in foundational services
Get a quick overview of the known issues for the available foundational services.
Service | Description | More information |
---|---|---|
IM | Client registration failure in Platform UI console while upgrading foundational services version 3.22 or version 3.23 to foundational services version 4.x.x. | This limitation is planned to be fixed in an upcoming release. Until then, to work around the issue, see Client registration failure in Platform UI console. |
IM | Login failure in Platform UI console while upgrading foundational services version 3.22 or version 3.23 to foundational services version 4.x.x. | This limitation is planned to be fixed in an upcoming release. Until then, to work around the issue, see Intermittent login failure in Platform UI console. |
IM | In foundational services version 3.23 and later, while listing the users in the group in Platform UI console by using Azure SCIM integration, the username in the group might be displayed as undefined undefined. | It is a limitation from Azure. Currently, no workaround is available. |
IM | When you log in to the Platform UI console by using the SAML option, the login page is displayed twice. After you provide the login details, the login page is displayed again instead of the home page of the console. The second time, you do not need to provide the details in the login page; click Login and the home page of the console is displayed. | It is a known limitation. Currently, no workaround is available. |
IM | Before you register the OIDC clients by using the IdP V3 API, you need to log in to the third-party ID provider. Then you can register the OIDC clients in the application. While registering, you use the application URL as the cp-console URL and the redirect URL as https://<cp-console-url>/ibm/api/social-login/redirect/<name of the oidc>. However, you might face an issue while opening the cp-console in the browser. When you click the configured ID provider name, you might not be redirected to the authentication page of that IdP. | To troubleshoot the issue, see OIDC registration fails to update. |
IM | The iam-onboarding job does not complete on a bare metal cluster because the auth-idp pod is not fully running. The platform-auth-service container restarts every time due to an application error. The platform-auth-service container fails because it is present in the auth-idp pod and has a dependency on the Liberty REST API. The JVM (Java virtual machine) fails because many javacore dump files are generated in the container, which stops the Liberty process. | The JVM failure is specific to bare metal clusters where the HugePages feature is integrated into the Linux kernel. If HugePages are enabled, the JVM uses HugePages by default. In a normal scenario, if physical HugePages are not available, the operating system provides small 4k pages. In the container, if the pod environment is not allowed to access HugePages, the operating system terminates the process that uses HugePages. Currently, no workaround is available to complete the iam-onboarding job because you cannot edit the files inside the container. |
IM | LDAP user names are case-sensitive. | You must use the name exactly the way it is configured in your LDAP directory. |
IM | SAML user with Platform UI administrator permission only has viewer role set in IM. | You must assign roles individually to SAML users in IM. |
IM | The OpenShift group does not synchronize when a user is added to or removed from an LDAP group. | An OpenShift group is created when you add the LDAP group to teams. When a user is added to or removed from an LDAP group at the LDAP server side, the OpenShift group is not updated by any process or thread in IM. To resolve this issue, delete and re-add the LDAP group to teams to recreate the OpenShift group with the latest members. |
IM | The OpenShift users are not removed when you remove them from the LDAP group. | An OpenShift group is created when you add the LDAP group to teams. An OpenShift user is created when you add an LDAP user to teams, or when this LDAP user logs in to the IBM Cloud Pak console. When a user is removed from an LDAP group at the LDAP server side, the OpenShift group is not updated by any process or thread in IM. An OpenShift user or group is deleted only if this user or group is deleted from teams. To resolve this issue, delete and re-add the LDAP group to teams to recreate the OpenShift group with the latest members, and manually delete the OpenShift user. To delete the user, use the following command: oc delete user <user_id>. |
Installer - Federal Information Processing Standard (FIPS) | When you enable FIPS compliance for a service by using the CommonService CR, the configuration is not propagated in the OperandConfig. If you use the OperandConfig to add the configuration, the configuration might be removed after an upgrade. | To work around this issue, enable FIPS-compliance in the OperandConfig by adding spec.fipsEnabled: true. If you upgrade foundational services, you must re-enable FIPS-compliance in the OperandConfig. |
Installer | OLM is unable to generate new installation plans for updates or new installations. | For more information about the issue and the steps to resolve the issue, see OLM is unable to generate new install plans. |
Installer | After you upgrade foundational services, you might see that some of the operator pods are in CrashLoopBackOff status. This is because of an Operator Lifecycle Manager (OLM) known issue. | For more information about the issue and the steps to resolve the issue, see Operator upgrade fails - OLM known issue. |
Installer - IM | An OpenShift user named admin collides with the IBM Cloud Pak foundational services default user admin. | To resolve the issue, rename the IBM Cloud Pak foundational services default username if an admin username exists in OpenShift. For more information, see Changing the default admin username. |
Installer | When you install or upgrade foundational services, you might see that some of the operators are in a Pending, Unknown, or Can't Update status. This is because of an Operator Lifecycle Manager (OLM) known issue. | For more information about the issue and the steps to resolve the issue, see the following topics: |
Installer | When you install foundational services on Azure environment with Azure storage, foundational services pods do not start. | To resolve this issue, get the scc.uid from the installation namespace before creating the custom Azure storage class. For more information, see Using Azure File storage class. |
Installer - EDB Postgres | When you upgrade foundational services version 3.12.x or older with EDB Postgres in a namespace other than ibm-common-services, cloud-native-postgresql does not work correctly. | To resolve this issue, complete the steps in Incorrect EDB Postgres operator environment variable configuration. |
Installer | When you install foundational services, cloud-native-postgresql is installed with the certified-operators catalogsource. | To resolve this issue, see cloud-native-postgresql is installed with certified-operators CatalogSource. |
MongoDB | When you install foundational services, the use of NFS storage and self-defined persistent volumes has extra restrictions that might stop some of your workloads. For example, the MongoDB deployment might not run properly. | |
Cert-manager | If there are two cert-managers on your cluster, your Certificates might not be in the ready status. You must uninstall one of the cert-managers. | See Problem when you install two different cert-managers. |
Cert-manager | The self-signed CA certificate that is used by IBM Cloud Pak foundational services and created by the cert-manager service has a duration of 90 days. The CA certificate is refreshed by cert-manager, but the leaf certificates that use the CA certificate must be manually refreshed. | Check the expiration date of the CA certificate, refresh the CA certificate before the expiration date, and renew the leaf certificates. The CA certificate duration can also be updated. See Refreshing IBM Cloud Pak foundational services internal CA certificate. |
Cert-manager | Multiple CertificateRequests in cert-manager block the Certificates from reaching the ready status. | To resolve the issue, delete the duplicate CertificateRequests. See Multiple CertificateRequest objects block Certificate objects from becoming ready. |
License Service Reporter | After you upgrade to foundational services version 4.0 or later, the Error 404 - Not found error message is displayed when you select the Licensing menu in the IBM Cloud Pak console. | To resolve the issue, remove the ibm-license-service-reporter-bindinfo-ibm-license-service-reporter-zen configmap from the namespace where you deployed the foundational services. For more information, see Retrieving License Service Reporter console route to access the License Service Reporter console directly. |
Events operator | When upgrading Events operator from previous versions, a Zookeeper pod ends up in a CrashLoopBackOff state. | To resolve this problem, see Zookeeper pod hangs in a CrashLoopBackOff state. |
Events operator | Events operator is periodically printing the following message: Failed to acquire lock during the reconciliation process, and it is timing out. This might indicate that the lock was not properly released due to an error. | To resolve the problem, restart the Events operator to release the lock. |
Platform UI | Upgrade of Platform UI (zen) operand fails. | To resolve this problem, see Upgrade of Platform UI (zen) operand fails. |
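
The membership drift described in the two LDAP/OpenShift rows above can be measured before you delete and re-add the group. The following is an added example, not IBM code: it compares the users field of `oc get group <group> -o json` with the LDAP group's member DNs and reports accounts that still exist in OpenShift after removal from LDAP. The sample data, the group name, and the assumption that OpenShift usernames equal the LDAP uid attribute are constructed for illustration.

```python
import json

# Constructed sample: `oc get group <group> -o json` output; Group.users holds the members.
OPENSHIFT_GROUP_JSON = """
{"apiVersion": "user.openshift.io/v1", "kind": "Group",
 "metadata": {"name": "example-ldap-group"},
 "users": ["alice", "bob", "Carol", "dave"]}
"""

# Constructed sample: member DNs currently in the LDAP group on the LDAP server.
LDAP_MEMBER_DNS = [
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=carol,ou=people,dc=example,dc=com",
    "uid=erin,ou=people,dc=example,dc=com",
]


def uid_from_dn(dn, attr="uid"):
    """Return the leading RDN value if it uses `attr` (assumed naming attribute)."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if key.strip().lower() == attr else None


def group_drift(group_json, ldap_member_dns):
    """Compare OpenShift group members with LDAP members, case-sensitively."""
    oc_users = set(json.loads(group_json).get("users") or [])
    ldap_users = {u for u in map(uid_from_dn, ldap_member_dns) if u}
    ldap_by_lower = {u.lower(): u for u in ldap_users}
    stale, case_mismatch = [], []
    for user in sorted(oc_users - ldap_users):
        if user.lower() in ldap_by_lower:
            # Same name, different case: LDAP user names are case-sensitive.
            case_mismatch.append((user, ldap_by_lower[user.lower()]))
        else:
            # Still in the OpenShift group although no longer in the LDAP group.
            stale.append(user)
    matched = {ldap_name for _, ldap_name in case_mismatch}
    missing = sorted(ldap_users - oc_users - matched)
    return {"stale": stale, "case_mismatch": case_mismatch, "missing": missing}


if __name__ == "__main__":
    report = group_drift(OPENSHIFT_GROUP_JSON, LDAP_MEMBER_DNS)
    for user in report["stale"]:
        print(f"stale (review, then: oc delete user {user})")
    for oc_name, ldap_name in report["case_mismatch"]:
        print(f"case mismatch: OpenShift {oc_name!r} vs LDAP {ldap_name!r}")
    for user in report["missing"]:
        print(f"in LDAP but not in the OpenShift group: {user}")
```

Stale entries are the ones that keep cluster access after removal from the LDAP group, so review them first.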