Bug 1393943 - oc login is not using CA in kubeconfig file when server does not include port.
Summary: oc login is not using CA in kubeconfig file when server does not include port.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Juan Vallejo
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-10 16:51 UTC by Ryan Howe
Modified: 2017-07-24 14:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: .kubeconfig file was being generated with a server url that did not include a port number. Although the port number was safely assumed to be `443` with an https protocol, it prevented the certificate from being successfully verified during the login sequence (an exact match including the port was required). Consequence: The user was prompted with the warning "The server uses a certificate signed by an unknown authority." every time they attempted to log in using an openshift installation done through openshift-ansible. Fix: The command `oadm create-kubeconfig` (used by the openshift-ansible playbook) was patched to normalize the server url so that it included the port with the server url in the generated .kubeconfig file every time. Result: The user no longer sees the message "The server uses a certificate signed by an unknown authority." when logging in using a .kubeconfig file generated by an openshift-ansible installation.
Clone Of:
Environment:
Last Closed: 2017-04-12 19:16:39 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1373788 0 medium CLOSED When master port is 443, oc start build by webhook from webconsole lost url port and failed with unknown signed certific... 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2017:0884 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.5 RPM Release Advisory 2017-04-12 22:50:07 UTC

Internal Links: 1373788

Description Ryan Howe 2016-11-10 16:51:46 UTC
Description of problem:

Prompted with certificate signed by an unknown authority when logging in using a kubeconfig file that is using a current context with a server defined that does not include the port. 


Version-Release number of selected component (if applicable):
3.2 3.3

How reproducible:
100%

Steps to Reproduce:
1. Install a multi-master environment with the default LB. Use an ansible inventory where you change the cluster hostname and master API port to use port 443. 

# Native high availability cluster method with optional load balancer.
openshift_master_cluster_method=native
openshift_master_cluster_hostname=openshift.example.com
openshift_master_cluster_public_hostname=openshift.public.example.com
# Configure master API and console ports.
openshift_master_api_port=443
openshift_master_console_port=443

2. The admin.kubeconfig file that gets created has a cluster defined using a server URL that does not include port 443 (since it's defaulted with https).

[root@master-1 ~]# cat .kube/config 
clusters
- cluster:
    certificate-authority-data: XXXXDATAXXXX
    server: https://openshift.example.com
  name: openshift-example-com:443
..
..
..

3. Run `oc login` 

[root@master-1 ~]# oc login -u system:admin
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): 


4. To correct, set the cluster server to the URL:PORT

[root@master-1 ~]# oc config set-cluster openshift-example-com:443 --server=https://openshift.example.com:443 --certificate-authority=/etc/origin/master/ca.crt --config=.kube/config --embed-certs=true 
cluster "openshift-example-com:443" set.

[root@master-1 ~]# oc login -u system:admin
Logged into "https://openshift.example.com:443" as "system:admin" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

5. To break, run 

# oc config set-cluster openshift-example-com:443 --server=https://openshift.example.com --certificate-authority=/etc/origin/master/ca.crt --config=.kube/config --embed-certs=true 


Actual results:
server uses a certificate signed by an unknown authority.

Expected results:
To log in using the CA defined in the kubeconfig file

Additional info:

I see this as more of a bug with the `oc login` command most likely not using the CA defined in the kubeconfig due to some issue with the port not being defined.


We can work around this by modifying the installer if fixing `oc login` is not possible, by adding the api port when creating master certs. 

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master_certificates/tasks/main.yml#L53-L65


- name: Create the master certificates if they do not already exist
  command: >
    {{ openshift.common.client_binary }} adm create-master-certs
    {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
    --certificate-authority {{ named_ca_certificate }}
    {% endfor %}
    --hostnames={{ openshift.common.all_hostnames | join(',') }}
    --master={{ openshift.master.api_url }}:{{ openshift.master.api_port }}
    --public-master={{ openshift.master.public_api_url }}:{{ openshift.master.api_port }}
    --cert-dir={{ openshift_master_generated_config_dir }}
    --overwrite=false
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  delegate_to: "{{ openshift_ca_host }}"
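
The Doc Text attributes the failure to an exact-match comparison of the server URL that breaks when the kubeconfig omits the default port. The following Go snippet is an added illustration of the normalization that fix describes; it is not the oc/origin code, and the kubeconfig-like map of server URL to certificate-authority-data and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Default ports used when the server URL omits one (the case in this bug).
var defaultPorts = map[string]string{"https": "443", "http": "80"}

// normalizeServerURL adds the scheme's default port when the URL has none, so
// "https://openshift.example.com" and "https://openshift.example.com:443"
// become the same string. Added illustration of the fix described in the
// Doc Text; this is not the oc/origin code.
func normalizeServerURL(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", err
	}
	host, port, err := net.SplitHostPort(u.Host)
	if err != nil { // no port in the URL: fall back to the scheme default
		host, port = u.Hostname(), defaultPorts[u.Scheme]
	}
	if host == "" || port == "" {
		return "", fmt.Errorf("server URL %q needs a host and an http(s) scheme", raw)
	}
	u.Host = net.JoinHostPort(host, port)
	u.Path = strings.TrimRight(u.Path, "/") // "https://h:443/" == "https://h:443"
	return u.String(), nil
}

// findClusterCA returns the certificate-authority-data for a server from a
// kubeconfig-like map (server URL -> CA data). An exact string match misses
// when one side omits :443, which is the symptom reported here; comparing
// the normalized forms finds the entry.
func findClusterCA(clusters map[string]string, server string) (string, bool) {
	want, err := normalizeServerURL(server)
	if err != nil {
		return "", false
	}
	for s, ca := range clusters {
		if got, err := normalizeServerURL(s); err == nil && got == want {
			return ca, true
		}
	}
	return "", false
}
```

With the constructed entry `"https://openshift.example.com" -> "XXXXDATAXXXX"` from the report, a lookup for `https://openshift.example.com:443` now resolves to that CA instead of missing.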

Comment 1 Juan Vallejo 2017-01-20 23:14:52 UTC
Related PR: https://github.com/openshift/origin/pull/12591

Comment 2 XiaochuanWang 2017-01-26 07:11:45 UTC
Which version should QE test against? Will the fix be back to 3.2?

Comment 3 Juan Vallejo 2017-01-26 14:59:36 UTC
Please test with latest master. Not sure if this will be backported to 3.2, ffranz?

Comment 4 Fabiano Franz 2017-01-26 20:17:35 UTC
This is OCP so I'm setting to MODIFIED until QE gets a build that includes this. No backport planned, so expect this to be only in 3.5.

Comment 5 Troy Dawson 2017-01-27 17:25:24 UTC
This has been merged into ocp and is in OCP v3.5.0.10 or newer.

Comment 6 XiaochuanWang 2017-02-06 09:04:59 UTC
Does it need to be tested on HA masters with LB? 

If it's yes, will test it when the blocker bug is fixed for c0 step1 "multi master environment with the default LB"

Bug 1419026 - openshift_master_certificates task failed when installing multiple masters env

Comment 7 Juan Vallejo 2017-02-06 16:23:36 UTC
> Does it need to be tested on HA masters with LB? 

I have cc'd Maciej to verify, but yes, per the description in comment 0, this should be tested on a multi master env with a LB once the blocker is fixed. Moving back to ON_QA

Comment 9 Maciej Szulik 2017-02-09 10:48:08 UTC
Yes, if that's the root cause it should be verified, though it looks like it already was :)

Comment 11 errata-xmlrpc 2017-04-12 19:16:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884

