Bug 1977657

Summary: Accessing web console from "forklift-ui" route causes a loop with certificate error messages
Product: Migration Toolkit for Virtualization
Component: User Experience
Version: 2.0.0
Target Release: 2.1.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: urgent
Reporter: August Simonelli <asimonel>
Assignee: Fabien Dupont <fdupont>
QA Contact: Ilanit Stein <istein>
Docs Contact: Avital Pinnick <apinnick>
CC: miguel, mturley
Last Closed: 2021-08-26 07:09:10 UTC
Type: Bug
Bug Blocks: 1986314

Description August Simonelli 2021-06-30 08:43:21 UTC
Description of problem:

Install a SNO 4.8.0-rc.1 cluster and then install MTV 2.0.0. Install completes successfully with no errors. However, clicking/opening the published route for the forklift-ui goes into a rewrite loop going through this URL:

..../handle-login?error=%7B%22message%22%3A%22request+to+https%3A%2F%2Fkubernetes.default.svc.cluster.local%2F.well-known%2Foauth-authorization-server+failed%2C+reason%3A+self+signed+certificate+in+certificate+chain%22%2C%22type%22%3A%22system%22%2C%22errno%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%2C%22code%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%7D

Version-Release number of selected component (if applicable):
2.0.0

How reproducible:
Deploy operator. Follow published route for forklift-ui:

https://virt-openshift-mtv.apps.august.example.redhat.com

This appears to go to

https://virt-openshift-mtv.apps.august.example.redhat.com/welcome

and then goes to

https://virt-openshift-mtv.apps.august.example.redhat.com/handle-login?error=%7B%22message%22%3A%22request+to+https%3A%2F%2Fkubernetes.default.svc.cluster.local%2F.well-known%2Foauth-authorization-server+failed%2C+reason%3A+self+signed+certificate+in+certificate+chain%22%2C%22type%22%3A%22system%22%2C%22errno%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%2C%22code%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%7D

And then back to /welcome and around in a loop.

The UI never opens.


Steps to Reproduce:
1. As above

Actual results:
As above

Expected results:
Forklift UI opens.

Additional info:

Comment 1 Fabien Dupont 2021-07-02 15:52:47 UTC
In OpenShift 4.8, the service-ca.crt file contains only one CA certificate, the one for Service Serving Certificates, and this breaks the ability for NodeJS to verify the Kubernetes API certificate.
Previously, all the internal CA certificates were present in service-ca.crt. Now, they are only present in ca.crt.
The quickest fix is to add the Service Serving CA certificate to ca.crt and use ca.crt as the bundle NodeJS trusts.

Comment 2 Fabien Dupont 2021-07-05 19:47:36 UTC
Please verify with build 2.10-19 / iib:88267.

Comment 3 Mike Turley 2021-07-21 15:17:42 UTC
As part of verifying this, can you also please try this to make sure we won't get redirect loops on login errors anymore?

* Make sure you are NOT logged in.
* Go to https://virt-openshift-mtv.apps.august.example.redhat.com/handle-login?error=%7B%22message%22%3A%22request+to+https%3A%2F%2Fkubernetes.default.svc.cluster.local%2F.well-known%2Foauth-authorization-server+failed%2C+reason%3A+self+signed+certificate+in+certificate+chain%22%2C%22type%22%3A%22system%22%2C%22errno%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%2C%22code%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%7D
* Verify that you see an error message on the page and you are not redirected to the login page.

That redirect loop was fixed in https://github.com/konveyor/forklift-ui/pull/665 and should not be present in 2.1.0 even if we get these errors at login time.

Comment 4 August Simonelli 2021-07-22 02:59:47 UTC
(In reply to Mike Turley from comment #3)
> As part of verifying this, can you also please try this to make sure we
> won't get redirect loops on login errors anymore?
> 
> * Make sure you are NOT logged in.
> * Go to
> https://virt-openshift-mtv.apps.august.example.redhat.com/handle-login?error=%7B%22message%22%3A%22request+to+https%3A%2F%2Fkubernetes.default.svc.cluster.local%2F.well-known%2Foauth-authorization-server+failed%2C+reason%3A+self+signed+certificate+in+certificate+chain%22%2C%22type%22%3A%22system%22%2C%22errno%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%2C%22code%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%7D
> * Verify that you see an error message on the page and you are not
> redirected to the login page.
> 
> That redirect loop was fixed in
> https://github.com/konveyor/forklift-ui/pull/665 and should not be present
> in 2.1.0 even if we get these errors at login time.

Just tested on OCP 4.8.0-rc.3 with Konveyor 2.1.0 installed as per https://github.com/konveyor/forklift-operator/blob/main/README.md#installing-latest and it worked perfectly.
 
Next, went to the link above in a private browser (i.e. to ensure not logged in or aware) and it gave me the error:

Could not log in
request to https://kubernetes.default.svc.cluster.local/.well-known/oauth-authorization-server failed, reason: self signed certificate in certificate chain

Try Again

And did not redirect automatically.

Clicking *Try Again* brought me to the OCP oauth login page and I could authenticate properly.

So everything appears to be working with 2.1.0 

Very cool and thanks!

Comment 9 Ilanit Stein 2021-08-06 09:25:11 UTC
Moving to verified, since QE has recently been testing OCP-4.8/CNV-4.8 with MTV-2.1.0-19 till MTV-2.1.0-40,
and the migration UI works fine on all those versions.

Comment 13 errata-xmlrpc 2021-08-26 07:09:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Migration Toolkit for Virtualization 2.1.0), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:3278