Bug 1653228

Summary: [Next_gen_installer] Got 'error: unsupported protocol scheme ""' when oc login
Product: OpenShift Container Platform
Reporter: weiwei jiang <wjiang>
Component: apiserver-auth
Assignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA
QA Contact: Chuan Yu <chuyu>
Severity: high
Priority: high
Version: 4.1.0
CC: aos-bugs, evb, slaznick, wsun, xxia
Target Milestone: ---
Keywords: TestBlocker
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: The OAuth .well-known endpoint was advertising wrong values because of a bad default configuration and general incompleteness of the feature in 4.0.
Consequence: The code tried to parse an empty string as a URL, causing the error message `error: unsupported protocol scheme ""`.
Fix: Fixed both by implementing an operator that sets the masterURL properly in the OAuth config and by removing the corrupted code path.
Result: The default OAuth configuration in 4.0 does not cause failures now.
Last Closed: 2019-06-04 10:41:04 UTC
Type: Bug

Description weiwei jiang 2018-11-26 10:22:58 UTC
Description of problem:
When running oc login, got error:
$ oc login  --loglevel=8
I1126 17:40:48.742955   22817 loader.go:359] Config loaded from file /home/openshift/kubeconfig
I1126 17:40:48.757998   22817 loader.go:359] Config loaded from file /home/openshift/kubeconfig
I1126 17:40:48.758333   22817 round_trippers.go:383] HEAD https://ocp-api.tt.testing:6443/
I1126 17:40:48.758342   22817 round_trippers.go:390] Request Headers:
I1126 17:40:48.843410   22817 round_trippers.go:408] Response Status: 403 Forbidden in 85 milliseconds
I1126 17:40:48.843431   22817 round_trippers.go:411] Response Headers:
I1126 17:40:48.843442   22817 round_trippers.go:414]     X-Content-Type-Options: nosniff
I1126 17:40:48.843463   22817 round_trippers.go:414]     Content-Length: 210
I1126 17:40:48.843475   22817 round_trippers.go:414]     Date: Mon, 26 Nov 2018 09:40:48 GMT
I1126 17:40:48.843486   22817 round_trippers.go:414]     Cache-Control: no-store
I1126 17:40:48.843499   22817 round_trippers.go:414]     Content-Type: application/json
I1126 17:40:48.843576   22817 round_trippers.go:383] GET https://ocp-api.tt.testing:6443/.well-known/oauth-authorization-server
I1126 17:40:48.843591   22817 round_trippers.go:390] Request Headers:
I1126 17:40:48.843601   22817 round_trippers.go:393]     X-Csrf-Token: 1
I1126 17:40:48.845272   22817 round_trippers.go:408] Response Status: 200 OK in 1 milliseconds
I1126 17:40:48.845287   22817 round_trippers.go:411] Response Headers:
I1126 17:40:48.845295   22817 round_trippers.go:414]     Content-Length: 453
I1126 17:40:48.845304   22817 round_trippers.go:414]     Date: Mon, 26 Nov 2018 09:40:48 GMT
I1126 17:40:48.845310   22817 round_trippers.go:414]     Cache-Control: no-store
I1126 17:40:48.845316   22817 round_trippers.go:414]     Content-Type: application/json
I1126 17:40:48.845539   22817 round_trippers.go:383] GET /oauth/authorize?client_id=openshift-challenging-client&code_challenge=h9aIMIsggq_n7jWtriJb4wyUUtTU7wJ74G5s7yzLPyM&code_challenge_method=S256&redirect_uri=%2Foauth%2Ftoken%2Fimplicit&response_type=code
I1126 17:40:48.845558   22817 round_trippers.go:390] Request Headers:
I1126 17:40:48.845573   22817 round_trippers.go:393]     X-Csrf-Token: 1
I1126 17:40:48.845583   22817 round_trippers.go:408] Response Status:  in 0 milliseconds
I1126 17:40:48.845591   22817 round_trippers.go:411] Response Headers:
F1126 17:40:48.845614   22817 helpers.go:119] error: unsupported protocol scheme ""


Version-Release number of selected component (if applicable):
$ bin/openshift-install version
bin/openshift-install v0.4.0-2-gc9d39e1e0a65dbb140725a27e55bad0d00a6026e
Terraform v0.11.8

Your version of Terraform is out of date! The latest version
is 0.11.10. You can update by downloading from www.terraform.io/downloads.html


$ oc version 
oc v4.0.0-0.66.0
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ocp-api.tt.testing:6443
kubernetes v1.11.0+d4cacc0


How reproducible:
Always

Steps to Reproduce:
1. Set up cluster with libvirt provider via openshift-install

Actual results:
error: unsupported protocol scheme ""

Expected results:
Should not meet any error


Additional info:

Comment 1 Standa Laznicka 2018-12-03 09:13:03 UTC
I don't think your expected result is correct. There will always be an error if you try to login w/o having an identity provider set for your cluster. The thing here is - it should probably be a different error informing you about what's actually wrong (in this case, we're missing URLs in the default OAuth config) and we should definitely fix that.

Right now there is no default identity providers configuration in 4.0 clusters. If you would like a temporary workaround to be able to login as a random user, you can use the patch commands from https://github.com/openshift/installer/pull/758/files. Importantly, be aware that these commands move your cluster to an unsupported state, so this is by far not the permanent solution.

Note that there is a running effort to improve the situation around bootstrapped OAuth:
https://github.com/openshift/origin/pull/21580
https://github.com/openshift/cluster-kube-apiserver-operator/pull/152
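
A sketch of the kind of check that would turn `unsupported protocol scheme ""` into an error naming the misconfigured field, added here as an example and not code from `oc` or openshift/origin. It validates the URL fields of a `.well-known/oauth-authorization-server` document before any request is built; `validateMetadata` and both JSON samples are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Subset of the OAuth authorization server metadata (RFC 8414).
type oauthMetadata struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
}

// Constructed samples, not captured from the cluster in this report.
const brokenDoc = `{"issuer":"","authorization_endpoint":"/oauth/authorize","token_endpoint":"/oauth/token"}`
const goodDoc = `{"issuer":"https://ocp-api.tt.testing:6443","authorization_endpoint":"https://ocp-api.tt.testing:6443/oauth/authorize","token_endpoint":"https://ocp-api.tt.testing:6443/oauth/token"}`

// validateMetadata (hypothetical helper) rejects a discovery document whose
// URLs are empty, relative, or not https, so the caller fails early.
func validateMetadata(raw []byte) (*oauthMetadata, error) {
	var m oauthMetadata
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("oauth metadata is not valid JSON: %w", err)
	}
	fields := []struct{ name, value string }{
		{"issuer", m.Issuer},
		{"authorization_endpoint", m.AuthorizationEndpoint},
		{"token_endpoint", m.TokenEndpoint},
	}
	for _, f := range fields {
		u, err := url.Parse(f.value)
		if err != nil {
			return nil, fmt.Errorf("oauth metadata field %q: %w", f.name, err)
		}
		// An empty or relative value has no scheme or host to connect to.
		if u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("oauth metadata field %q = %q is not an absolute https URL; check the server's OAuth configuration", f.name, f.value)
		}
	}
	return &m, nil
}

func main() {
	_, err := validateMetadata([]byte(brokenDoc))
	fmt.Println("broken:", err)
	_, err = validateMetadata([]byte(goodDoc))
	fmt.Println("good:", err)
}
```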

Comment 2 Standa Laznicka 2018-12-06 11:52:50 UTC
Simply running `oc login` should not be throwing errors anymore as of https://github.com/openshift/origin/pull/21621.

The current workflow is to login as the user kubeadmin with the password from auth/kubeadmin-password from the installation directory to set up your identity providers (which is still under development).

Comment 3 weiwei jiang 2018-12-07 04:51:18 UTC
Checked and this has been fixed. Thanks

$ bin/openshift-install version
bin/openshift-install v0.5.0-master-36-gb4f5ceb6bfde8d3dc0e29f708e0494488ea37ee0
Terraform v0.11.8

Your version of Terraform is out of date! The latest version
is 0.11.10. You can update by downloading from www.terraform.io/downloads.html


$ oc version
oc v4.0.0-0.66.0
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ocp-api.tt.testing:6443
kubernetes v1.11.0+99b66db


$ oc login --server=https://ocp-api.tt.testing:6443  --config=test --insecure-skip-tls-verify=true
Authentication required for https://ocp-api.tt.testing:6443 (openshift)
Username: kubeadmin
Password:
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * default
    kube-public
    kube-system
    openshift
    openshift-apiserver
    openshift-cluster-api
    openshift-cluster-dns
    openshift-cluster-dns-operator
    openshift-cluster-kube-apiserver-operator
    openshift-cluster-kube-controller-manager-operator
    openshift-cluster-kube-scheduler-operator
    openshift-cluster-machine-approver
    openshift-cluster-network-operator
    openshift-cluster-node-tuning-operator
    openshift-cluster-openshift-apiserver-operator
    openshift-cluster-openshift-controller-manager-operator
    openshift-cluster-samples-operator
    openshift-cluster-version
    openshift-config
    openshift-config-managed
    openshift-console
    openshift-controller-manager
    openshift-core-operators
    openshift-csi-operator
    openshift-image-registry
    openshift-infra
    openshift-ingress
    openshift-ingress-operator
    openshift-kube-apiserver
    openshift-kube-controller-manager
    openshift-kube-scheduler
    openshift-machine-config-operator
    openshift-monitoring
    openshift-node
    openshift-operator-lifecycle-manager
    openshift-sdn
    openshift-service-cert-signer

Using project "default".

Comment 6 errata-xmlrpc 2019-06-04 10:41:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758