Bug 1393565

Summary: oc login can not handle embeded certificate-authority-data
Product: OpenShift Container Platform Reporter: Ryan Howe <rhowe>
Component: ocAssignee: Fabiano Franz <ffranz>
Status: CLOSED WORKSFORME QA Contact: Xingxing Xia <xxia>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.3.0CC: aos-bugs, jokerman, mmccomas, rhowe
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-10 16:54:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ryan Howe 2016-11-09 21:24:09 UTC 
Description of problem:

Prompted with certificate signed by an unknown authority when logging in using a kubeconfig file that is using an embeded certificate-authority.  

`oc login` is not using the CA with it is embeded. 

Version-Release number of selected component (if applicable):
3.2 and 3.3

How reproducible:
100%

Steps to Reproduce:
1. Starting from a fresh admin.kubeconfig on the master
#cp /etc/origin/master/admin.kubeconfig ~/.kube/config 
2. Login as a token user, you will hit the insecure prompt. This step is just to change the current-context easily. 
# oc login -u testuser 
3. Login again as system:admin
# oc login -u system:admin 

Actual results:
Prompted for password as well as "certificate signed by an unknown authority"

Expected results:
To user the embeded cert. 

Additional info:

To work around this either manually set the current context to that of the server and system:admin 

OR set the cluster to use the path to the CA. 

# oc config set-cluster openshift-example-com:443 --server=https://openshift.example.com --config=/etc/origin/master/admin.kubeconfig --certificate-authority=etc/origin/master/ca.crt

# oc login -u system:admin 
** NO PROMPT for untrusted or pw


Example to break it again. 

# oc config set-cluster openshift-example-com:443 --server=https://openshift.example.com --config=/etc/origin/master/admin.kubeconfig --certificate-authority=etc/origin/master/ca.crt --embed-certs=true

# oc login -u system:admin 
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
 
Authentication required for https://openshift.example.com:443 
Username: system:admin
Password:
Comment 1 Ryan Howe 2016-11-09 21:25:30 UTC 
EDIT:

Example to break it again. 

# oc config set-cluster openshift-example-com:443 --server=https://openshift.example.com --certificate-authority=etc/origin/master/ca.crt --embed-certs=true

# oc login -u system:admin 
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
 
Authentication required for https://openshift.example.com:443 
Username: system:admin
Password:
Comment 2 Fabiano Franz 2016-11-10 16:30:33 UTC 
Can you please attach the contents of your original admin.kubeconfig and ca.crt?
Comment 3 Ryan Howe 2016-11-10 16:54:44 UTC 
Closing this as this bug is incorrect. 

Created new bug 1393943

https://bugzilla.redhat.com/show_bug.cgi?id=1393943

After digging deeper this issue is when the port is not included with the server in the kubeconfig file. 

In a cluster that has changed the default api port to 443. All the URLs in the master-config.yaml do not include port 443 in the URL, since 443 is defaulted with https. 

The kubeconfig has server set to just the url, this is when user gets message. The the certificate is signed by an unknown authority  on login.