Cannot log in to the console after reinstallation of foundational services

After you uninstall IBM Cloud Pak foundational services and reinstall them on the same cluster, you cannot log in to the console with the default admin credentials.

Symptoms

You might see the following error:

CWOAU0038E: The client could not be verified. Either the client ID: t19ph7yimexir00h517actss98zbrg0m or client secret is incorrect.

Cause

After you uninstall the foundational services, if not all of the resources are properly cleaned up, reinstallation on the same cluster fails.

The cause of the failure might be either or both of the following reasons:

Resolving the problem

To resolve the issue, correct the client_id and client_secret values and restart all IM jobs.

  1. Log in to your boot node with the oc login command.

  2. Check whether the ibm-im-operator pod is running.

    oc -n <your-foundational-services-namespace> get pods | grep ibm-iam-operator
    
  3. Check whether all the auth pods are running without any errors. If you see errors, check the logs and resolve the issue.

    oc -n <your-foundational-services-namespace> get pods | grep auth
    
  4. Check the client_id and client_secret values in the platform-oidc-credentials secret and in the registration-json configmap.

    • Check the values in the platform-oidc-credentials secret:

      oc -n <your-foundational-services-namespace> get secret platform-oidc-credentials -o "jsonpath={.data.WLP_CLIENT_ID}" | base64 --decode
      oc -n <your-foundational-services-namespace> get secret platform-oidc-credentials -o "jsonpath={.data.WLP_CLIENT_SECRET}" | base64 --decode
      
    • Check the values in the registration-json configmap:

      oc -n <your-foundational-services-namespace> get cm registration-json -o "jsonpath={.data['platform-oidc-registration\.json']}" > platform-oidc-registration.json
      cat platform-oidc-registration.json
      
  5. If the values in the secret and configmap do not match, update the values in the registration-json configmap with the values from the platform-oidc-credentials secret. To edit the configmap, run the following command:

    oc -n <your-foundational-services-namespace> edit cm registration-json
    

    Replace the client_id and client_secret values, and save and exit the configmap.

  6. Restart the following IM job.

    oc -n <your-foundational-services-namespace> delete job oidc-client-registration
    
  7. Wait for some time and check the job status.

    oc -n <your-foundational-services-namespace> get jobs
    

    The status should show as Completed.

  8. Restart the common-web-ui pods so that the client_id and client_secret get the correct values from the platform-oidc-credentials secret.

    1. Get the common-web-ui pod name.

       oc -n <your-foundational-services-namespace> get pods | grep common-web-ui
      
    2. Delete the pod.

       oc -n <your-foundational-services-namespace> delete pod <common-web-ui-pod-name>
      
  9. Wait for some time until the common-web-ui and management-ingress pods show the Running status. You can check the status by running the following command:

    oc -n <your-foundational-services-namespace> get pods | grep -e common-web-ui
    

After the pods are running, you can log in to the console with the default cpadmin credentials.
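
The commands in steps 4 and 5 print the decoded client secret to the terminal and leave a copy in platform-oidc-registration.json in the working directory. The following added example (not part of the IBM procedure) does the same comparison but reports only match or mismatch. The function names and sample values are constructed for illustration, and it assumes the registration JSON stores client_id and client_secret as plain string values.

```shell
#!/usr/bin/env bash
# Added example, not IBM's code. Reports match/mismatch for client_id and
# client_secret without echoing either value to the terminal.

# json_field FILE KEY: value of the first "KEY": "value" string pair.
# Assumption: plain string values without escaped quotes.
json_field() {
  sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# compare_oidc B64_ID B64_SECRET JSON_FILE
# B64_* are the base64 strings exactly as stored in the secret's .data.
# Returns 0 if both fields match the JSON, 1 otherwise; an empty value is a mismatch.
compare_oidc() {
  local want rc=0 field
  for field in client_id client_secret; do
    if [ "$field" = client_id ]; then want=$1; else want=$2; fi
    want=$(printf '%s' "$want" | base64 -d)
    if [ -n "$want" ] && [ "$want" = "$(json_field "$3" "$field")" ]; then
      echo "$field: match"
    else
      echo "$field: MISMATCH"
      rc=1
    fi
  done
  return "$rc"
}

# Live use after oc login (the namespace is your own):
#   ns=<your-foundational-services-namespace>
#   umask 077; f=$(mktemp)
#   oc -n "$ns" get cm registration-json \
#     -o "jsonpath={.data['platform-oidc-registration\.json']}" > "$f"
#   compare_oidc \
#     "$(oc -n "$ns" get secret platform-oidc-credentials -o 'jsonpath={.data.WLP_CLIENT_ID}')" \
#     "$(oc -n "$ns" get secret platform-oidc-credentials -o 'jsonpath={.data.WLP_CLIENT_SECRET}')" \
#     "$f"
#   rm -f "$f"

# Constructed sample data (not real credentials): the JSON holds a stale secret.
sample=$(mktemp)
printf '{\n  "client_id": "example-id",\n  "client_secret": "stale-secret"\n}\n' > "$sample"
compare_oidc "$(printf 'example-id' | base64)" "$(printf 'fresh-secret' | base64)" "$sample" || true
rm -f "$sample"
```

A MISMATCH line for either field means the configmap needs the update described in step 5 before the oidc-client-registration job is restarted.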