Bug 1935102

Summary: Error: specifying a root certificates file with the insecure flag is not allowed during oc login
Product: OpenShift Container Platform Reporter: Praveen Kumar <prkumar>
Component: ocAssignee: Mike Dame <mdame>
Status: CLOSED ERRATA QA Contact: zhou ying <yinzhou>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.8CC: aos-bugs, cfergeau, jokerman, mfojtik
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-27 22:51:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Praveen Kumar 2021-03-04 12:08:02 UTC 
Description of problem: Nightly version of oc client is error out when try to login to cluster using `--insecure-skip-tls-verify` option.

Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.8.0-0.nightly-2021-03-04-014703

How reproducible:
```

$ oc version --client
Client Version: 4.8.0-0.nightly-2021-03-04-014703

$ oc login  --insecure-skip-tls-verify -u kubeadmin -p xKoZo-BLF3h-eCdfE-EhQ8q https://api.crc.testing:6443
error: specifying a root certificates file with the insecure flag is not allowed


$ /usr/local/bin/oc version --client
Client Version: 4.6.17

$ /usr/local/bin/oc login  --insecure-skip-tls-verify -u kubeadmin -p xKoZo-BLF3h-eCdfE-EhQ8q https://api.crc.testing:6443
Login successful.

```

Actual results:
error: specifying a root certificates file with the insecure flag is not allowed

Expected results:
login should be successful.

Additional info:
Comment 1 Maciej Szulik 2021-03-05 11:35:25 UTC 
Mike I wonder if that's related to your recent changes to how we treat --insecure-skip-tls-verify.
Comment 2 Mike Dame 2021-03-05 16:06:24 UTC 
Yeah, that does look suspiciously like a regression

The error comes from k8s.io/client-go/transport/transport.go: https://github.com/openshift/oc/blob/f7835631278b03e4388f65145b56e1fd93bf4e37/vendor/k8s.io/client-go/transport/transport.go#L64-L66

That Insecure field is copied from the rest.Config object: https://github.com/openshift/oc/blob/f7835631278b03e4388f65145b56e1fd93bf4e37/vendor/k8s.io/client-go/rest/transport.go#L70

I think this is the field we tied the --insecure-skip-tls-verify flag to in https://github.com/openshift/oc/pull/746: https://github.com/damemi/oc/blob/2e4a10d26057354829acd2c47a848a39f188b198/pkg/cli/login/loginoptions.go#L137

So, it seems the fix we went with is not the right way to fix this, or it needs to be addressed upstream. This level of client/auth knowledge is a bit beyond my scope so I don't know the best way to address this. Though, I think we should revert the PR for now.
Comment 4 zhou ying 2021-03-08 08:02:22 UTC 
Can't reproduce now : 
[root@localhost ~]# oc login --insecure-skip-tls-verify -u kubeadmin -p ieLYM-fKSif-aui2z-B4vx7   https://api.yinzhou8aws.qe.devcluster.openshift.com:6443
Login successful.

You have access to 62 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
[root@localhost ~]# oc version 
Client Version: 4.8.0-202103080232.p0-f749845
Server Version: 4.8.0-0.nightly-2021-03-06-055252
Kubernetes Version: v1.20.0+aa519d9
Comment 7 errata-xmlrpc 2021-07-27 22:51:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438