make test consistently fails on `plugin/pkg/auth/authenticator/token/oidc` #20242

timothysc · 2016-01-27T22:21:48Z

This issue has existed for some time now on my f23 env.

https://paste.fedoraproject.org/315507/14539328/
go1.5.3

/cc @yifan-gu @liggitt (also seen on latest origin rebase as well)

yifan-gu · 2016-01-28T07:19:49Z

@timothysc Thanks for reporting.
/cc @ericchiang

ericchiang · 2016-01-28T07:48:02Z

Maybe something to do with these test's use of os.TempDir here?

Wasn't able to replicate timeouts like in the pasted code, but need to tweak the tests before running stress.

$ godep go test -c -race 
$ stress ./oidc.test -test.run=TestOIDCAuthentication
2 runs so far, 0 failures
4 runs so far, 0 failures
8 runs so far, 0 failures

/tmp/go-stress886503499
I0127 23:33:18.673952   13625 oidc.go:98] Fetched provider config from https://127.0.0.1:35067: oidc.ProviderConfig{Issuer:"https://127.0.0.1:35067", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:35067/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0127 23:33:18.815125   13625 oidc.go:98] Fetched provider config from https://127.0.0.1:35067: oidc.ProviderConfig{Issuer:"https://127.0.0.1:35067", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:35067/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0127 23:33:18.987013   13625 oidc.go:98] Fetched provider config from https://127.0.0.1:35067: oidc.ProviderConfig{Issuer:"https://127.0.0.1:35067", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:35067/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
E0127 23:33:18.997738   13625 oidc.go:94] Failed to fetch provider config, trying again in 3s: Get https://127.0.0.1:35067/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "127.0.0.1@1453966398")
E0127 23:33:22.001041   13625 oidc.go:94] Failed to fetch provider config, trying again in 3s: Get https://127.0.0.1:35067/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "crypto/r

/tmp/go-stress890593582
I0127 23:33:18.413839   13632 oidc.go:98] Fetched provider config from https://127.0.0.1:37527: oidc.ProviderConfig{Issuer:"https://127.0.0.1:37527", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:37527/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0127 23:33:18.560412   13632 oidc.go:98] Fetched provider config from https://127.0.0.1:37527: oidc.ProviderConfig{Issuer:"https://127.0.0.1:37527", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:37527/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0127 23:33:18.732062   13632 oidc.go:98] Fetched provider config from https://127.0.0.1:37527: oidc.ProviderConfig{Issuer:"https://127.0.0.1:37527", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:37527/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0127 23:33:18.850003   13632 oidc.go:98] Fetched provider config from https://127.0.0.1:37527: oidc.ProviderConfig{Issuer:"https://127.0.0.1:37527", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:37527/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0127 23:33:19.055062   13632 oidc.go:98] Fetched provider config from https
11 runs so far, 2 failures
13 runs so far, 2 failures

$ git diff oidc_test.go
diff --git a/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go b/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
index 348ae19..528c68c 100644
--- a/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
+++ b/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
@@ -202,11 +202,14 @@ func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
        var err error
        expectErr := fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery")

-       cert := path.Join(os.TempDir(), "oidc-cert")
-       key := path.Join(os.TempDir(), "oidc-key")
+       tempdir, err := ioutil.TempDir("", "")
+       if err != nil {
+               t.Fatal(err)
+       }
+       defer os.RemoveAll(tempdir)

-       defer os.Remove(cert)
-       defer os.Remove(key)
+       cert := path.Join(tempdir, "oidc-cert")
+       key := path.Join(tempdir, "oidc-key")

        generateSelfSignedCert(t, "127.0.0.1", cert, key)

$ godep go test -c -race 
$ stress ./oidc.test -test.run=TestOIDCAuthentication
2 runs so far, 0 failures
8 runs so far, 0 failures
11 runs so far, 0 failures
16 runs so far, 0 failures
20 runs so far, 0 failures
25 runs so far, 0 failures
28 runs so far, 0 failures
33 runs so far, 0 failures
37 runs so far, 0 failures
41 runs so far, 0 failures
45 runs so far, 0 failures
50 runs so far, 0 failures
54 runs so far, 0 failures
59 runs so far, 0 failures
63 runs so far, 0 failures
67 runs so far, 0 failures
71 runs so far, 0 failures
75 runs so far, 0 failures
79 runs so far, 0 failures

timothysc · 2016-01-28T15:26:28Z

repro on f23 w/go1.5.3 is 100%

ericchiang · 2016-01-28T17:32:52Z

@timothysc by f23 you mean fedora 23? Odd, that's what I'm using.

I'll try to parse the stack trace and figure out what's going on.

yifan-gu · 2016-01-28T17:51:55Z

@timothysc What's the command you use to run the test?

timothysc · 2016-01-28T17:59:20Z

@yifan-gu make test

ericchiang · 2016-01-28T18:21:07Z

These pass for me when running through the Makefile.

$ make test WHAT=plugin/pkg/auth/authenticator/token/oidc
hack/test-go.sh plugin/pkg/auth/authenticator/token/oidc 
Running tests for APIVersion: v1,extensions/v1beta1,metrics/v1alpha1 with etcdPrefix: registry
+++ [0128 10:03:39] Running tests without code coverage
ok      k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc  7.275s
Running tests for APIVersion: v1,extensions/v1beta1,metrics/v1alpha1 with etcdPrefix: kubernetes.io/registry
+++ [0128 10:03:52] Running tests without code coverage
ok      k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc  7.455s

Logs of a full make test here

timothysc · 2016-01-28T18:29:22Z

@ericchiang - what version of golang are you running?

ericchiang · 2016-01-28T18:32:34Z

@timothysc sorry should have specified that

$ go version
go version go1.5.3 linux/amd64

dcbw · 2016-02-04T17:22:14Z

Hitting this on two different Fedora 23 machines consistently...

golang-1.5.3-1.fc23.x86_64

ericchiang · 2016-02-04T17:29:30Z

@dcbw does the error look the same as the original comment? Can you paste the output of

$ cd $GOPATH/src/k8s.io
$ godep go test -v ./plugin/pkg/auth/authenticator/token/oidc

Are you installing Go via dnf or through the binary distributions from golang.org?

dcbw · 2016-02-04T18:01:20Z

@ericchiang it's a similar error, though not exactly the same. But perhaps similar enough to be the same root cause?

$ make test WHAT=plugin/pkg/auth/authenticator/token/oidc GOFLAGS=-v
hack/test-go.sh plugin/pkg/auth/authenticator/token/oidc 
Running tests for APIVersion: v1,extensions/v1beta1,metrics/v1alpha1 with etcdPrefix: registry
+++ [0204 11:58:59] Running tests without code coverage
=== RUN   TestOIDCDiscoveryTimeout
I0204 11:59:02.662823    5418 oidc.go:72] No x509 certificates provided, will use host's root CA set
E0204 11:59:02.712165    5418 oidc.go:94] Failed to fetch provider config, trying again in 1s: Get https://foo/bar/.well-known/openid-configuration: dial tcp: lookup foo: No address associated with hostname
E0204 11:59:03.748918    5418 oidc.go:94] Failed to fetch provider config, trying again in 1s: Get https://foo/bar/.well-known/openid-configuration: dial tcp: lookup foo: No address associated with hostname
E0204 11:59:04.759155    5418 oidc.go:94] Failed to fetch provider config, trying again in 1s: Get https://foo/bar/.well-known/openid-configuration: dial tcp: lookup foo: No address associated with hostname
--- PASS: TestOIDCDiscoveryTimeout (3.10s)
=== RUN   TestOIDCDiscoveryNoKeyEndpoint
I0204 11:59:06.224165    5418 oidc.go:98] Fetched provider config from https://127.0.0.1:41106: oidc.ProviderConfig{Issuer:"https://127.0.0.1:41106", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
--- PASS: TestOIDCDiscoveryNoKeyEndpoint (0.46s)
=== RUN   TestOIDCDiscoverySecureConnection
E0204 11:59:06.560479    5418 oidc.go:94] Failed to fetch provider config, trying again in 1s: Get https://127.0.0.1:42249/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "127.0.0.1@1454608746")
E0204 11:59:07.561300    5418 oidc.go:94] Failed to fetch provider config, trying again in 1s: Get https://127.0.0.1:42249/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "127.0.0.1@1454608746")
E0204 11:59:08.562491    5418 oidc.go:94] Failed to fetch provider config, trying again in 1s: Get https://127.0.0.1:42249/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "127.0.0.1@1454608746")
--- PASS: TestOIDCDiscoverySecureConnection (3.34s)
=== RUN   TestOIDCAuthentication
I0204 11:59:10.281694    5418 oidc.go:98] Fetched provider config from https://127.0.0.1:39713: oidc.ProviderConfig{Issuer:"https://127.0.0.1:39713", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:39713/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0204 11:59:10.289408    5418 oidc.go:98] Fetched provider config from https://127.0.0.1:39713: oidc.ProviderConfig{Issuer:"https://127.0.0.1:39713", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:39713/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0204 11:59:10.297004    5418 oidc.go:98] Fetched provider config from https://127.0.0.1:39713: oidc.ProviderConfig{Issuer:"https://127.0.0.1:39713", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:39713/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0204 11:59:10.305314    5418 oidc.go:98] Fetched provider config from https://127.0.0.1:39713: oidc.ProviderConfig{Issuer:"https://127.0.0.1:39713", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:39713/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0204 11:59:10.314927    5418 oidc.go:98] Fetched provider config from https://127.0.0.1:39713: oidc.ProviderConfig{Issuer:"https://127.0.0.1:39713", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:39713/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}
I0204 11:59:10.322470    5418 oidc.go:98] Fetched provider config from https://127.0.0.1:39713: oidc.ProviderConfig{Issuer:"https://127.0.0.1:39713", AuthEndpoint:"", TokenEndpoint:"", KeysEndpoint:"https://127.0.0.1:39713/keys", ResponseTypesSupported:[]string(nil), GrantTypesSupported:[]string(nil), SubjectTypesSupported:[]string(nil), IDTokenAlgValuesSupported:[]string(nil), TokenEndpointAuthMethodsSupported:[]string(nil), ExpiresAt:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}

The last test eventually times out.

I'm installing Go via dnf; since bare 'go' and 'godep' commands don't work (they don't use the environment set up by make and the hack/* scripts) I'm using this instead.

$ make test WHAT=plugin/pkg/auth/authenticator/token/oidc GOFLAGS=-v

ericchiang · 2016-02-04T18:04:03Z

@dcbw ah I'm installing via the binary distros. Maybe the dnf installs are slightly different? Will investigate.

dcbw · 2016-02-04T18:06:43Z

@ericchiang full failure is at http://people.redhat.com/dcbw/oidc.log

dcbw · 2016-02-04T18:39:58Z

@ericchiang the test hangs on client.Close() for the last testcase:

    {
        "sub",
        op.generateExpiredToken(t, srv.URL, "client-foo", "client-foo", "sub", "user-foo"),
        nil,
        false,
        "oidc: JWT claims invalid: token is expired",
    },

dcbw · 2016-02-04T20:58:13Z

@ericchiang I lied; it's actually hanging on the httptest.Server Close() from the defer srv.Close(). Trying to track that down...

ericchiang · 2016-02-04T22:52:03Z

Either way, maybe a lack of dial timeouts in the transport might be causing the hang?

dcbw · 2016-02-05T23:01:21Z

@ericchiang looks like it's actually golang/go#12262 and there are a couple other places in oidc_test.go that comment out srv.Close() due to this. Doing that fixes it for me too...

dcbw · 2016-02-05T23:07:28Z

@ericchiang the original bug is probably different, so I'll drop off this report and handle this in #20752 instead.

timothysc · 2016-06-17T21:24:36Z

I have not seen this in a long time, closing.

upstream machinery picks Origin-commit: ea877acae817559712c8d42ef2c5caee880d319d

a-robinson added team/none area/test labels Jan 30, 2016

vishh mentioned this issue Jun 7, 2016

Enable support for memory eviction configuration via salt #26828

Merged

timothysc closed this as completed Jun 17, 2016

openshift-publish-robot pushed a commit to openshift/kubernetes that referenced this issue Jul 12, 2018

Merge pull request kubernetes#20242 from deads2k/pick-01

35f2d9d

upstream machinery picks Origin-commit: ea877acae817559712c8d42ef2c5caee880d319d

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

make test consistently fails on `plugin/pkg/auth/authenticator/token/oidc` #20242

make test consistently fails on `plugin/pkg/auth/authenticator/token/oidc` #20242

timothysc commented Jan 27, 2016

yifan-gu commented Jan 28, 2016

ericchiang commented Jan 28, 2016

timothysc commented Jan 28, 2016

ericchiang commented Jan 28, 2016

yifan-gu commented Jan 28, 2016

timothysc commented Jan 28, 2016

ericchiang commented Jan 28, 2016

timothysc commented Jan 28, 2016

ericchiang commented Jan 28, 2016

dcbw commented Feb 4, 2016

ericchiang commented Feb 4, 2016

dcbw commented Feb 4, 2016

ericchiang commented Feb 4, 2016

dcbw commented Feb 4, 2016

dcbw commented Feb 4, 2016

dcbw commented Feb 4, 2016

ericchiang commented Feb 4, 2016

dcbw commented Feb 5, 2016

dcbw commented Feb 5, 2016

timothysc commented Jun 17, 2016

make test consistently fails on plugin/pkg/auth/authenticator/token/oidc #20242

make test consistently fails on plugin/pkg/auth/authenticator/token/oidc #20242

Comments

timothysc commented Jan 27, 2016

yifan-gu commented Jan 28, 2016

ericchiang commented Jan 28, 2016

timothysc commented Jan 28, 2016

ericchiang commented Jan 28, 2016

yifan-gu commented Jan 28, 2016

timothysc commented Jan 28, 2016

ericchiang commented Jan 28, 2016

timothysc commented Jan 28, 2016

ericchiang commented Jan 28, 2016

dcbw commented Feb 4, 2016

ericchiang commented Feb 4, 2016

dcbw commented Feb 4, 2016

ericchiang commented Feb 4, 2016

dcbw commented Feb 4, 2016

dcbw commented Feb 4, 2016

dcbw commented Feb 4, 2016

ericchiang commented Feb 4, 2016

dcbw commented Feb 5, 2016

dcbw commented Feb 5, 2016

timothysc commented Jun 17, 2016

make test consistently fails on `plugin/pkg/auth/authenticator/token/oidc` #20242

make test consistently fails on `plugin/pkg/auth/authenticator/token/oidc` #20242