Bug 1393565 - oc login cannot handle embedded certificate-authority-data
Status: CLOSED WORKSFORME
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Assignee: Fabiano Franz
QA Contact: Xingxing Xia
Reported: 2016-11-09 21:24 UTC by Ryan Howe
Modified: 2016-11-10 16:54 UTC (History)
Last Closed: 2016-11-10 16:54:44 UTC

Description Ryan Howe 2016-11-09 21:24:09 UTC
Description of problem:

Prompted with certificate signed by an unknown authority when logging in using a kubeconfig file that is using an embedded certificate-authority.

`oc login` is not using the CA when it is embedded.

Version-Release number of selected component (if applicable):
3.2 and 3.3

How reproducible:
100%

Steps to Reproduce:
1. Starting from a fresh admin.kubeconfig on the master
# cp /etc/origin/master/admin.kubeconfig ~/.kube/config
2. Login as a token user, you will hit the insecure prompt. This step is just to change the current-context easily. 
# oc login -u testuser 
3. Login again as system:admin
# oc login -u system:admin 

Actual results:
Prompted for password as well as "certificate signed by an unknown authority"

Expected results:
To use the embedded cert.

Additional info:

To work around this either manually set the current context to that of the server and system:admin 

OR set the cluster to use the path to the CA. 

# oc config set-cluster openshift-example-com:443 --server=https://openshift.example.com --config=/etc/origin/master/admin.kubeconfig --certificate-authority=etc/origin/master/ca.crt

# oc login -u system:admin 
** NO PROMPT for untrusted or pw


Example to break it again. 

# oc config set-cluster openshift-example-com:443 --server=https://openshift.example.com --config=/etc/origin/master/admin.kubeconfig --certificate-authority=etc/origin/master/ca.crt --embed-certs=true

# oc login -u system:admin 
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
 
Authentication required for https://openshift.example.com:443 
Username: system:admin
Password:

Comment 1 Ryan Howe 2016-11-09 21:25:30 UTC
EDIT:

Example to break it again. 

# oc config set-cluster openshift-example-com:443 --server=https://openshift.example.com --certificate-authority=etc/origin/master/ca.crt --embed-certs=true

# oc login -u system:admin 
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
 
Authentication required for https://openshift.example.com:443 
Username: system:admin
Password:

Comment 2 Fabiano Franz 2016-11-10 16:30:33 UTC
Can you please attach the contents of your original admin.kubeconfig and ca.crt?

Comment 3 Ryan Howe 2016-11-10 16:54:44 UTC
Closing this as this bug is incorrect. 

Created new bug 1393943

https://bugzilla.redhat.com/show_bug.cgi?id=1393943

After digging deeper, this issue is when the port is not included with the server in the kubeconfig file.

In a cluster that has changed the default API port to 443, all the URLs in the master-config.yaml do not include port 443 in the URL, since 443 is defaulted with https.

The kubeconfig has server set to just the URL; this is when the user gets the message that the certificate is signed by an unknown authority on login.
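
An added example, not part of the original bug report or of oc: a small audit of a kubeconfig for the condition identified in Comment 3 (a server URL with no explicit port), plus the state left behind by answering "y" to the insecure-connection prompt. It assumes the kubeconfig is supplied in JSON form (for instance the output of `oc config view -o json`); the sample input and the second cluster name are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample (not taken from the bug): JSON form of a kubeconfig.
SAMPLE = json.loads("""
{"clusters": [
  {"name": "openshift-example-com:443",
   "cluster": {"server": "https://openshift.example.com",
               "certificate-authority-data": "DATA+OMITTED"}},
  {"name": "openshift-example-com:443-1",
   "cluster": {"server": "https://openshift.example.com:443",
               "insecure-skip-tls-verify": true}}
]}
""")

DEFAULT_PORTS = {"https": 443, "http": 80}

def endpoint(server):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(server)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def audit(kubeconfig):
    """Return a sorted list of (cluster name(s), finding) tuples."""
    findings, seen = [], {}
    for entry in kubeconfig.get("clusters", []):
        name, c = entry["name"], entry.get("cluster", {})
        server = c.get("server", "")
        if urlsplit(server).port is None:
            findings.append((name, "server URL has no explicit port"))
        if c.get("insecure-skip-tls-verify"):
            findings.append((name, "TLS verification disabled"))
        elif not (c.get("certificate-authority")
                  or c.get("certificate-authority-data")):
            findings.append((name, "no CA in kubeconfig, system trust store is used"))
        seen.setdefault(endpoint(server), []).append(name)
    for names in seen.values():
        if len(names) > 1:  # one API endpoint written two different ways
            findings.append((", ".join(names), "duplicate entries for one endpoint"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
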

