Bug 1393943
Summary: | oc login is not using CA in kubeconfig file when server does not include port. | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Ryan Howe <rhowe> |
Component: | oc | Assignee: | Juan Vallejo <jvallejo> |
Status: | CLOSED ERRATA | QA Contact: | Xingxing Xia <xxia> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 3.3.0 | CC: | aos-bugs, ffranz, jokerman, jvallejo, maszulik, mmccomas, tdawson, xiaocwan |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause: The .kubeconfig file was being generated with a server URL that did not include a port number. Although the port could safely be assumed to be `443` for the https protocol, its absence prevented the certificate from being successfully verified during the login sequence (an exact match including the port was required).
Consequence: The user was prompted with the warning "The server uses a certificate signed by an unknown authority." every time they attempted to log in using an OpenShift installation done through openshift-ansible.
Fix: The command `oadm create-kubeconfig` (used by the openshift-ansible playbook) was patched to normalize the server URL so that the generated .kubeconfig file always includes the port.
Result: The user no longer sees the message "The server uses a certificate signed by an unknown authority." when logging in using a .kubeconfig file generated by an openshift-ansible installation.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2017-04-12 19:16:39 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
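The mismatch described in the Doc Text above, as an added Go example (not code from `oc`, `oadm` or the linked PR): an exact string comparison misses a kubeconfig entry written without a port, while comparing normalized URLs finds its CA. The `Cluster` type, `NormalizeServer`, `FindCA`, the host name and the CA file name are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Cluster is a simplified, hypothetical stand-in for a kubeconfig cluster entry.
type Cluster struct{ Server, CAFile string }

// NormalizeServer returns the server URL with an explicit port,
// defaulting to 443 for https and 80 for http.
func NormalizeServer(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	port, known := map[string]string{"https": "443", "http": "80"}[u.Scheme]
	if !known || u.Hostname() == "" {
		return "", fmt.Errorf("need http(s)://host[:port], got %q", raw)
	}
	if u.Port() == "" {
		u.Host = net.JoinHostPort(u.Hostname(), port)
	}
	return u.String(), nil
}

// FindCA returns the CA file of the cluster entry matching server.
// With normalize=false it compares raw strings (the failing behaviour);
// with normalize=true both sides are normalized before comparison.
func FindCA(clusters []Cluster, server string, normalize bool) (string, bool) {
	key := func(s string) string {
		if n, err := NormalizeServer(s); normalize && err == nil {
			return n
		}
		return s
	}
	for _, c := range clusters {
		if key(c.Server) == key(server) {
			return c.CAFile, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: an entry generated without a port number.
	clusters := []Cluster{{Server: "https://master.example.com", CAFile: "example-ca.crt"}}
	_, exact := FindCA(clusters, "https://master.example.com:443", false)
	ca, norm := FindCA(clusters, "https://master.example.com:443", true)
	fmt.Println(exact, norm, ca)
}
```

When the lookup fails, the client has no CA to verify the server against, which is the point at which the "unknown authority" prompt appears; normalizing at generation time, as the fix does, avoids relying on every consumer to normalize at comparison time.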
Description
Ryan Howe
2016-11-10 16:51:46 UTC
Related PR: https://github.com/openshift/origin/pull/12591

Which version should QE test against? Will the fix be back to 3.2?

Please test with latest master. Not sure if this will be backported to 3.2, ffranz?

This is OCP so I'm setting to MODIFIED until QE gets a build that includes this. No backport planned, so expect this to be only in 3.5.

This has been merged into ocp and is in OCP v3.5.0.10 or newer.

Does it need to be tested on HA masters with LB? If it's yes, will test it when the blocker bug is fixed for c0 step1 "multi master environment with the default LB"
Bug 1419026 - openshift_master_certificates task failed when installing multiple masters env

> Does it need to be tested on HA masters with LB?

I have cc'd Maciej to verify, but yes, per the description in comment 0, this should be tested on a multi master env with a LB once the blocker is fixed.

Moving back to ON_QA

Yes, if that's the root cause it should be verified, though it looks like it already was :)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:0884