OIDC client creation is not successful

There can be many reasons that why the OIDC client creation is not successful, however, the few obvious reasons are listed following:

If you have verified that the client CR is valid, associated pods are running properly or dependent services are also running properly and still the OIDC client creation is still not successful then the possible reason might be that the oidc-client-watcher is not able to connect with auth-service endpoint properly. This might be because of not having the correct certificate entry at the auth-service end.

Confirming the certificate import issue if oidc-client-watcher pod is not able to connect with auth-service endpoint properly

The following symptoms might confirm whether there is certificate import issue:

In case you see this error, you can verify whether you are observing the error due to the certificate issue. If there are multiple platform-auth-service instances, you need to verify for all the instances by using the following command:

   oc login
   oc project $namespace
   oc exec -it $platform-auth-service-xxx /bin/bash
   cd /opt/ibm/wlp/output/defaultServer/resources/security
   keytool -v -list -keystore key.jks -alias default -storepass insecurePass

Replace the platform-auth-service-xxx with the platform-auth-service instance names. And, provide the namespace where common-services are installed.

If you find the default alias entry that contains the following information as Issuer and Owner, it means that the certificate import is an issue.

   Owner: OU=ISL, O=IBM India, L=BANGALORE, ST=KARNATAKA, C=IN
   Issuer: EMAILADDRESS=test@test.local, CN=CFSSL TEST Root CA, O=CFSSL TEST, L=San Francisco, ST=California, C=US

Note: If certificate import is the issue, see Steps to follow if certificate import is an issue. If certificate import is not the issue then there might be different reason that why the client creation is not happening and that needs to be checked.

Steps to follow if certificate import is an issue

  1. Login to the cluster by using oc CLI.

  2. Save the content of shell as updateJKS.sh.

  3. Run the shell script as updateJKS.sh $namespace. Provide the namespace where common-services are installed.

oc project $1
for pod in $(oc get pod -o name | grep platform-auth-service);
do
  echo "Going to update jks for pod Name: ${pod}"
  oc exec -it ${pod} /bin/bash -c 'platform-auth-service' -- keytool -importkeystore -destkeystore /opt/ibm/wlp/output/defaultServer/resources/security/key.jks -srckeystore /certs/generated/platformauth-ks.p12 -srcstoretype pkcs12 -alias default -storepass insecurePass -srcstorepass insecurePass -noprompt
  echo  "Done"
done

Note: It is possible that after restart you might see the same issue so it is recommended to re-run the script.