Bug 2042300

Summary: SubCtl error retrieving Submariner resource: Unauthorized - when kubeconfig has multiple users' contexts
Product: Red Hat Advanced Cluster Management for Kubernetes
Reporter: Noam Manos <nmanos>
Component: Submariner
Assignee: Maayan Friedman <maafried>
Status: CLOSED DUPLICATE
QA Contact: Noam Manos <nmanos>
Severity: low
Docs Contact: Christopher Dawson <cdawson>
Priority: unspecified
Version: rhacm-2.4.z
CC: nyechiel
Last Closed: 2022-01-19 11:21:22 UTC
Type: Bug

Description Noam Manos 2022-01-19 08:19:41 UTC
Description of problem:
"subctl show" and "subctl diagnose" can fail with "Error retrieving Submariner resource: Unauthorized" when the kubeconfig has multiple contexts and users.

Version-Release number of selected component (if applicable):
# OCP version: 4.9.15

### Submariner components ###

subctl version: v0.11.0
Cluster "nmanos-devcluster-a-aws"
 • Showing versions  ...
COMPONENT                       REPOSITORY                                            VERSION         
submariner                      registry.redhat.io/rhacm2-tech-preview                v0.11.0         
submariner-operator             registry.redhat.io/rhacm2-tech-preview                e52df6171cf1f1f 
service-discovery               registry.redhat.io/rhacm2-tech-preview                v0.11.0   

How reproducible:
When using a merged kubeconfig that has multiple contexts, where the current user (e.g. "master") is not the same user in all contexts.


Steps to Reproduce:
https://qe-jenkins-csb-skynet.apps.ocp4.prod.psi.redhat.com/job/ACM-2.4.1-Submariner-0.11.0-AWSx2-SDN/64/Test-Report/

1) Get SubCtl 0.11.0
2) Add a new user to the cluster, and oc login with it.
3) Export kubeconfig (which now includes multiple contexts and different users of the same cluster).
4) Run for example: "subctl show versions" or "subctl diagnose cni"


Actual results:

$ export KUBECONFIG=nmanos-devcluster-a-aws/auth/kubeconfig:nmanos-cluster-c-aws/auth/kubeconfig

$ oc whoami
master


# See how one of the contexts has a different user ("admin"), which causes the subctl command to fail authentication:


$ oc config get-contexts

CURRENT   NAME                                                                                   CLUSTER                                                     AUTHINFO                                                           NAMESPACE
          default/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443/master                  api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      master/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      test-submariner
          default/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443/master               api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   master/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   test-submariner
          nmanos-cluster-c-aws                                                                   nmanos-cluster-c-aws                                        admin                                                              default
          nmanos-devcluster-a-aws                                                                nmanos-devcluster-a-aws                                     admin                                                              default
          ocm/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443/master                   api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   master/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   ocm
          submariner-operator/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443/master      api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      master/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      submariner-operator
*         submariner-operator/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443/master   api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   master/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   submariner-operator
          submariner/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443/master            api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   master/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   submariner
          test-submariner/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443/master          api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      master/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      test-submariner
          test-submariner/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443/master       api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   master/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   test-submariner


$ subctl show endpoints

Cluster "api-nmanos-cluster-c-aws-devcluster-openshift-com:6443"
 • Showing Endpoints  ...
 ✓ Showing Endpoints
CLUSTER ID                    ENDPOINT IP     PUBLIC IP       CABLE DRIVER        TYPE            
acm-nmanos-cluster-c-aws      10.12.51.217    52.14.213.188   libreswan           local           
acm-nmanos-devcluster-a-aws   10.8.62.17      3.145.211.34    libreswan           remote          

Cluster "api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443"
 • Showing Endpoints  ...
CLUSTER ID                    ENDPOINT IP     PUBLIC IP       CABLE DRIVER        TYPE            
acm-nmanos-devcluster-a-aws   10.8.62.17      3.145.211.34    libreswan           local           
acm-nmanos-cluster-c-aws      10.12.51.217    52.14.213.188   libreswan           remote          

Cluster "api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443"
 ✓ Showing Endpoints
 • Showing Endpoints  ...
 ✓ Showing Endpoints
CLUSTER ID                    ENDPOINT IP     PUBLIC IP       CABLE DRIVER        TYPE            
acm-nmanos-devcluster-a-aws   10.8.62.17      3.145.211.34    libreswan           local           
acm-nmanos-cluster-c-aws      10.12.51.217    52.14.213.188   libreswan           remote          

Cluster "nmanos-devcluster-a-aws"
Error retrieving Submariner resource: Unauthorized


Expected results:
SubCtl commands should be able to use different kubeconfig contexts and users, and switch authentication between them.
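
Added example (not part of the bug report or of subctl): a triage helper that reads `oc config get-contexts` output and lists the contexts whose user differs from the current context's user, plus a loop that tests each context's credentials on its own. The sample table is constructed and shortened, and treating the part of AUTHINFO before "/" as the user name is an assumption based on the table in the report.

```bash
#!/usr/bin/env bash
# Added example, not part of the bug report or of subctl.

# Constructed sample: shortened `oc config get-contexts` output.
sample_contexts() {
  cat <<'EOF'
CURRENT   NAME                                    CLUSTER      AUTHINFO            NAMESPACE
          default/api-c:6443/master               api-c:6443   master/api-c:6443   test-submariner
          cluster-c                               cluster-c    admin               default
          cluster-a                               cluster-a    admin               default
*         submariner-operator/api-a:6443/master   api-a:6443   master/api-a:6443   submariner-operator
          no-namespace/api-a:6443/master          api-a:6443   master/api-a:6443
EOF
}

# Read the table on stdin; print "context<TAB>user" for every context whose
# user differs from the current context's user.
# Assumption: AUTHINFO is "<user>/<cluster>" or a bare "<user>".
mismatched_contexts() {
  awk '
    NR == 1 || NF == 0 { next }          # skip header and blank lines
    {
      i = ($1 == "*") ? 2 : 1            # current context carries a leading "*"
      user = $(i + 2)
      sub(/\/.*/, "", user)              # keep the part before the first "/"
      n++; names[n] = $i; users[n] = user
      if (i == 2) current = user
    }
    END {
      if (current == "") { print "no current context" > "/dev/stderr"; exit 2 }
      for (k = 1; k <= n; k++)
        if (users[k] != current) print names[k] "\t" users[k]
    }'
}

# Against live clusters: test each context's credentials separately.
verify_contexts() {
  oc config get-contexts -o name | while read -r ctx; do
    if who=$(oc --context "$ctx" whoami 2>/dev/null); then
      printf 'OK    %s (%s)\n' "$ctx" "$who"
    else
      printf 'FAIL  %s\n' "$ctx"
    fi
  done
}

sample_contexts | mismatched_contexts
```

With the merged KUBECONFIG exported, `oc config get-contexts | mismatched_contexts` lists the contexts to look at first, and `verify_contexts` shows which of them fails to authenticate.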

Comment 1 Maayan Friedman 2022-01-19 11:21:22 UTC
We should track all issues related to merged config files in one place.

*** This bug has been marked as a duplicate of bug 2013711 ***