Bug 1653228 - [Next_gen_installer] Got 'error: unsupported protocol scheme ""' when oc login
Summary: [Next_gen_installer] Got 'error: unsupported protocol scheme ""' when oc login
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.1.0
Assignee: Standa Laznicka
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-26 10:22 UTC by weiwei jiang
Modified: 2019-06-04 10:41 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The OAuth .well-known endpoint was advertising wrong values because of a bad default configuration and general incompleteness of the feature in 4.0 Consequence: The code tried to parse empty string as an URL causing the error message `error: unsupported protocol scheme ""` Fix: Fixed by both implementing an operator that sets the masterURL properly in OAuth config and by removing the corrupted code path. Result: The default OAuth configuration in 4.0 does not cause failures now.
Clone Of:
Environment:
Last Closed: 2019-06-04 10:41:04 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 None None None 2019-06-04 10:41:09 UTC

Description weiwei jiang 2018-11-26 10:22:58 UTC
Description of problem:
When oc login, got error:
$ oc login  --loglevel=8
I1126 17:40:48.742955   22817 loader.go:359] Config loaded from file /home/openshift/kubeconfig
I1126 17:40:48.757998   22817 loader.go:359] Config loaded from file /home/openshift/kubeconfig
I1126 17:40:48.758333   22817 round_trippers.go:383] HEAD https://ocp-api.tt.testing:6443/
I1126 17:40:48.758342   22817 round_trippers.go:390] Request Headers:
I1126 17:40:48.843410   22817 round_trippers.go:408] Response Status: 403 Forbidden in 85 milliseconds
I1126 17:40:48.843431   22817 round_trippers.go:411] Response Headers:
I1126 17:40:48.843442   22817 round_trippers.go:414]     X-Content-Type-Options: nosniff
I1126 17:40:48.843463   22817 round_trippers.go:414]     Content-Length: 210
I1126 17:40:48.843475   22817 round_trippers.go:414]     Date: Mon, 26 Nov 2018 09:40:48 GMT
I1126 17:40:48.843486   22817 round_trippers.go:414]     Cache-Control: no-store
I1126 17:40:48.843499   22817 round_trippers.go:414]     Content-Type: application/json
I1126 17:40:48.843576   22817 round_trippers.go:383] GET https://ocp-api.tt.testing:6443/.well-known/oauth-authorization-server
I1126 17:40:48.843591   22817 round_trippers.go:390] Request Headers:
I1126 17:40:48.843601   22817 round_trippers.go:393]     X-Csrf-Token: 1
I1126 17:40:48.845272   22817 round_trippers.go:408] Response Status: 200 OK in 1 milliseconds
I1126 17:40:48.845287   22817 round_trippers.go:411] Response Headers:
I1126 17:40:48.845295   22817 round_trippers.go:414]     Content-Length: 453
I1126 17:40:48.845304   22817 round_trippers.go:414]     Date: Mon, 26 Nov 2018 09:40:48 GMT
I1126 17:40:48.845310   22817 round_trippers.go:414]     Cache-Control: no-store
I1126 17:40:48.845316   22817 round_trippers.go:414]     Content-Type: application/json
I1126 17:40:48.845539   22817 round_trippers.go:383] GET /oauth/authorize?client_id=openshift-challenging-client&code_challenge=h9aIMIsggq_n7jWtriJb4wyUUtTU7wJ74G5s7yzLPyM&code_challenge_method=S256&redirect_uri=%2Foauth%2Ftoken%2Fimplicit&response_type=code
I1126 17:40:48.845558   22817 round_trippers.go:390] Request Headers:
I1126 17:40:48.845573   22817 round_trippers.go:393]     X-Csrf-Token: 1
I1126 17:40:48.845583   22817 round_trippers.go:408] Response Status:  in 0 milliseconds
I1126 17:40:48.845591   22817 round_trippers.go:411] Response Headers:
F1126 17:40:48.845614   22817 helpers.go:119] error: unsupported protocol scheme ""


Version-Release number of selected component (if applicable):
$ bin/openshift-install version
bin/openshift-install v0.4.0-2-gc9d39e1e0a65dbb140725a27e55bad0d00a6026e
Terraform v0.11.8

Your version of Terraform is out of date! The latest version
is 0.11.10. You can update by downloading from www.terraform.io/downloads.html


$ oc version 
oc v4.0.0-0.66.0
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ocp-api.tt.testing:6443
kubernetes v1.11.0+d4cacc0


How reproducible:
Always

Steps to Reproduce:
1. setup cluster with libvirt provider via openshift-install
2.
3.

Actual results:
error: unsupported protocol scheme ""

Expected results:
Should not met any error


Additional info:

Comment 1 Standa Laznicka 2018-12-03 09:13:03 UTC
I don't think your expected result is correct. There will always be an error if you try to login w/o having an identity provider set for your cluster. The thing here is - it should probably be a different error informing you about what's actually wrong (in this case, we're missing URLs in the default OAuth config) and we should definitely fix that.

Right now there is no default identity providers configuration in 4.0 clusters. If you would like a temporary workaround to be able to login as a random user, you can use the patch commands from https://github.com/openshift/installer/pull/758/files. Importantly, be aware that these commands move your cluster to an unsupported state, so this is by far not the permanent solution.

Note that there is a running effort to improve the situation around bootstrapped OAuth:
https://github.com/openshift/origin/pull/21580
https://github.com/openshift/cluster-kube-apiserver-operator/pull/152

Comment 2 Standa Laznicka 2018-12-06 11:52:50 UTC
Simply running `oc login` should not be throwing errors anymore as of https://github.com/openshift/origin/pull/21621.

The current workflow is to login as the user kubeadmin with the password from auth/kubeadmin-password from the installation directory to set up your identity providers (which is still under development).

Comment 3 weiwei jiang 2018-12-07 04:51:18 UTC
Checked and this has been fixed. Thanks

$ bin/openshift-install version
bin/openshift-install v0.5.0-master-36-gb4f5ceb6bfde8d3dc0e29f708e0494488ea37ee0
Terraform v0.11.8

Your version of Terraform is out of date! The latest version
is 0.11.10. You can update by downloading from www.terraform.io/downloads.html


$ oc version
oc v4.0.0-0.66.0
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ocp-api.tt.testing:6443
kubernetes v1.11.0+99b66db


$ oc login --server=https://ocp-api.tt.testing:6443  --config=test --insecure-skip-tls-verify=true
Authentication required for https://ocp-api.tt.testing:6443 (openshift)
Username: kubeadmin
Password:
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * default
    kube-public
    kube-system
    openshift
    openshift-apiserver
    openshift-cluster-api
    openshift-cluster-dns
    openshift-cluster-dns-operator
    openshift-cluster-kube-apiserver-operator
    openshift-cluster-kube-controller-manager-operator
    openshift-cluster-kube-scheduler-operator
    openshift-cluster-machine-approver
    openshift-cluster-network-operator
    openshift-cluster-node-tuning-operator
    openshift-cluster-openshift-apiserver-operator
    openshift-cluster-openshift-controller-manager-operator
    openshift-cluster-samples-operator
    openshift-cluster-version
    openshift-config
    openshift-config-managed
    openshift-console
    openshift-controller-manager
    openshift-core-operators
    openshift-csi-operator
    openshift-image-registry
    openshift-infra
    openshift-ingress
    openshift-ingress-operator
    openshift-kube-apiserver
    openshift-kube-controller-manager
    openshift-kube-scheduler
    openshift-machine-config-operator
    openshift-monitoring
    openshift-node
    openshift-operator-lifecycle-manager
    openshift-sdn
    openshift-service-cert-signer

Using project "default".

Comment 6 errata-xmlrpc 2019-06-04 10:41:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758


Note You need to log in before you can comment on or make changes to this bug.