Description of problem:
Install a SNO 4.8.0-rc.1 cluster and then install MTV 2.0.0. Install completes successfully with no errors. However clicking/opening the published route for the forklift-ui goes into a rewrite loop going through this URL:

..../handle-login?error=%7B%22message%22%3A%22request+to+https%3A%2F%2Fkubernetes.default.svc.cluster.local%2F.well-known%2Foauth-authorization-server+failed%2C+reason%3A+self+signed+certificate+in+certificate+chain%22%2C%22type%22%3A%22system%22%2C%22errno%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%2C%22code%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%7D

Version-Release number of selected component (if applicable):
2.0.0

How reproducible:
Deploy operator. Follow published route for forklift-ui:

https://virt-openshift-mtv.apps.august.example.redhat.com

this appears to go to

https://virt-openshift-mtv.apps.august.example.redhat.com/welcome

and then goes to

https://virt-openshift-mtv.apps.august.example.redhat.com/handle-login?error=%7B%22message%22%3A%22request+to+https%3A%2F%2Fkubernetes.default.svc.cluster.local%2F.well-known%2Foauth-authorization-server+failed%2C+reason%3A+self+signed+certificate+in+certificate+chain%22%2C%22type%22%3A%22system%22%2C%22errno%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%2C%22code%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%7D

And then back to /welcome and around in a loop. The UI never opens.

Steps to Reproduce:
1. As above
2.
3.

Actual results:
As above

Expected results:
Forklift UI opens.

Additional info:
In OpenShift 4.8, the service-ca.crt file contains only one CA certificate, the one for Service Serving Certificates, and this breaks the ability for NodeJS to verify the Kubernetes API certificate. Previously, all the internal CA certificates were present in service-ca.crt. Now, they are only present in ca.crt. The quickest fix is to add the Service Serving CA certificate to ca.crt and use ca.crt as the bundle NodeJS trusts.
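The bundle change described in the comment above, as an added example that is not part of the original report or the forklift-ui code: it merges ca.crt and service-ca.crt into one de-duplicated CA list for a Node.js HTTPS agent and reports which CAs service-ca.crt alone would lack. The mount directory, the function names and the sample PEM bodies are assumptions made for illustration.

```javascript
// Added example: build the CA list a Node.js client should trust in-cluster.
const fs = require("node:fs");
const https = require("node:https");

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle into individual certificate blocks, whitespace-normalised
// so the same certificate compares equal across files.
function splitPem(text) {
  return (text.match(PEM_CERT) || []).map((block) =>
    block.split(/\r?\n/).map((l) => l.trim()).filter(Boolean).join("\n")
  );
}

// Union of several bundles, first occurrence wins, duplicates dropped.
function mergeBundles(...bundles) {
  return [...new Set(bundles.flatMap(splitPem))];
}

// Certificates present in `reference` but absent from `candidate`.
function missingFrom(candidate, reference) {
  const have = new Set(splitPem(candidate));
  return splitPem(reference).filter((c) => !have.has(c));
}

// Assumed mount point of the service account secret inside the pod.
const SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount";

// Agent that verifies peers against ca.crt plus the Service Serving CA.
function inClusterAgent(dir = SA_DIR) {
  const read = (name) => fs.readFileSync(`${dir}/${name}`, "utf8");
  const ca = mergeBundles(read("ca.crt"), read("service-ca.crt"));
  if (ca.length === 0) throw new Error("no CA certificates found in " + dir);
  return new https.Agent({ ca, rejectUnauthorized: true });
}

// Constructed sample data (placeholder bodies, not real certificates).
const pem = (body) =>
  `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----\n`;
const SAMPLE_CA_CRT = pem("QVBJU0VSVkVSQ0E=") + pem("SU5HUkVTU0NB");
const SAMPLE_SERVICE_CA_CRT = pem("U0VSVklDRUNB");
```

Certificate verification stays enabled throughout; the only thing that changes is the set of trusted roots.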
Please verify with build 2.10-19 / iib:88267.
As part of verifying this, can you also please try this to make sure we won't get redirect loops on login errors anymore?

* Make sure you are NOT logged in.
* Go to https://virt-openshift-mtv.apps.august.example.redhat.com/handle-login?error=%7B%22message%22%3A%22request+to+https%3A%2F%2Fkubernetes.default.svc.cluster.local%2F.well-known%2Foauth-authorization-server+failed%2C+reason%3A+self+signed+certificate+in+certificate+chain%22%2C%22type%22%3A%22system%22%2C%22errno%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%2C%22code%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%7D
* Verify that you see an error message on the page and you are not redirected to the login page.

That redirect loop was fixed in https://github.com/konveyor/forklift-ui/pull/665 and should not be present in 2.1.0 even if we get these errors at login time.
(In reply to Mike Turley from comment #3)
> As part of verifying this, can you also please try this to make sure we
> won't get redirect loops on login errors anymore?
>
> * Make sure you are NOT logged in.
> * Go to
> https://virt-openshift-mtv.apps.august.example.redhat.com/handle-
> login?error=%7B%22message%22%3A%22request+to+https%3A%2F%2Fkubernetes.
> default.svc.cluster.local%2F.well-known%2Foauth-authorization-
> server+failed%2C+reason%3A+self+signed+certificate+in+certificate+chain%22%2C
> %22type%22%3A%22system%22%2C%22errno%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%2C%
> 22code%22%3A%22SELF_SIGNED_CERT_IN_CHAIN%22%7D
> * Verify that you see an error message on the page and you are not
> redirected to the login page.
>
> That redirect loop was fixed in
> https://github.com/konveyor/forklift-ui/pull/665 and should not be present
> in 2.1.0 even if we get these errors at login time.

Just tested on OCP 4.8.0-rc.3 with Konveyor 2.1.0 installed as per https://github.com/konveyor/forklift-operator/blob/main/README.md#installing-latest and it worked perfectly.

Next, went to the link above in a private browser (i.e. to ensure not logged in or aware) and it gave me the error:

Could not log in
request to https://kubernetes.default.svc.cluster.local/.well-known/oauth-authorization-server failed, reason: self signed certificate in certificate chain
Try Again

And did not redirect automatically. Clicking *Try Again* brought me to the OCP oauth login page and I could authenticate properly.

So everything appears to be working with 2.1.0

Very cool and thanks!
Moving to verified, given that QE has recently been testing OCP-4.8/CNV-4.8 with MTV-2.1.0-19 through MTV-2.1.0-40, and the migration UI works fine on all those versions.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Migration Toolkit for Virtualization 2.1.0), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2021:3278