2042300 – SubCtl error retrieving Submariner resource: Unauthorized - when kubeconfig has multiple users' contexts

Bug 2042300 - SubCtl error retrieving Submariner resource: Unauthorized - when kubeconfig has multiple users' contexts

Summary: SubCtl error retrieving Submariner resource: Unauthorized - when kubeconfig h...

Keywords:
Status:	CLOSED DUPLICATE of bug 2013711
Alias:	None
Product:	Red Hat Advanced Cluster Management for Kubernetes
Classification:	Red Hat
Component:	Submariner
Sub Component:
Version:	rhacm-2.4.z
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	low
Target Milestone:	---
Target Release:	---
Assignee:	Maayan Friedman
QA Contact:	Noam Manos
Docs Contact:	Christopher Dawson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-01-19 08:19 UTC by Noam Manos
Modified:	2022-01-19 11:21 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-01-19 11:21:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	stolostron backlog issues 19237	0	None	None	None	2022-01-19 10:41:35 UTC

Description Noam Manos 2022-01-19 08:19:41 UTC

Description of problem:
"subctl show" and "subctl diagnose" can fail with: "Error retrieving Submariner resource: Unauthorized" - When kubeconfig has multiple contexts & users.

Version-Release number of selected component (if applicable):
# OCP version: 4.9.15

### Submariner components ###

subctl version: v0.11.0
Cluster "nmanos-devcluster-a-aws"
 • Showing versions  ...
COMPONENT                       REPOSITORY                                            VERSION         
submariner                      registry.redhat.io/rhacm2-tech-preview                v0.11.0         
submariner-operator             registry.redhat.io/rhacm2-tech-preview                e52df6171cf1f1f 
service-discovery               registry.redhat.io/rhacm2-tech-preview                v0.11.0   

How reproducible:
When using merged kubeconfig, that has multiple contexts, where the current user (e.g. "master") is not the same user in all contexts.


Steps to Reproduce:
https://qe-jenkins-csb-skynet.apps.ocp4.prod.psi.redhat.com/job/ACM-2.4.1-Submariner-0.11.0-AWSx2-SDN/64/Test-Report/

1) Get SubCtl 0.11.0
2) Add a new user to the cluster, and oc login with it.
2) Export kubeconfig (which now includes multiple context and different users of same cluster).
3) Run for example: "subctl show versions" or "subctl diagnose cni"


Actual results:

$ export KUBECONFIG=nmanos-devcluster-a-aws/auth/kubeconfig:nmanos-cluster-c-aws/auth/kubeconfig

$ oc whoami
master


# See how one of the contexts has different user ("admin"), which cause subctl command to fail in authentication:


$ oc config get-contexts

CURRENT   NAME                                                                                   CLUSTER                                                     AUTHINFO                                                           NAMESPACE
          default/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443/master                  api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      master/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      test-submariner
          default/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443/master               api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   master/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   test-submariner
          nmanos-cluster-c-aws                                                                   nmanos-cluster-c-aws                                        admin                                                              default
          nmanos-devcluster-a-aws                                                                nmanos-devcluster-a-aws                                     admin                                                              default
          ocm/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443/master                   api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   master/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   ocm
          submariner-operator/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443/master      api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      master/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      submariner-operator
*         submariner-operator/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443/master   api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   master/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   submariner-operator
          submariner/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443/master            api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   master/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   submariner
          test-submariner/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443/master          api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      master/api-nmanos-cluster-c-aws-devcluster-openshift-com:6443      test-submariner
          test-submariner/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443/master       api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   master/api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443   test-submariner


$ subctl show endpoints

Cluster "api-nmanos-cluster-c-aws-devcluster-openshift-com:6443"
 • Showing Endpoints  ...
 ✓ Showing Endpoints
CLUSTER ID                    ENDPOINT IP     PUBLIC IP       CABLE DRIVER        TYPE            
acm-nmanos-cluster-c-aws      10.12.51.217    52.14.213.188   libreswan           local           
acm-nmanos-devcluster-a-aws   10.8.62.17      3.145.211.34    libreswan           remote          

Cluster "api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443"
 • Showing Endpoints  ...
CLUSTER ID                    ENDPOINT IP     PUBLIC IP       CABLE DRIVER        TYPE            
acm-nmanos-devcluster-a-aws   10.8.62.17      3.145.211.34    libreswan           local           
acm-nmanos-cluster-c-aws      10.12.51.217    52.14.213.188   libreswan           remote          

Cluster "api-nmanos-devcluster-a-aws-devcluster-openshift-com:6443"
 ✓ Showing Endpoints
 • Showing Endpoints  ...
 ✓ Showing Endpoints
CLUSTER ID                    ENDPOINT IP     PUBLIC IP       CABLE DRIVER        TYPE            
acm-nmanos-devcluster-a-aws   10.8.62.17      3.145.211.34    libreswan           local           
acm-nmanos-cluster-c-aws      10.12.51.217    52.14.213.188   libreswan           remote          

Cluster "nmanos-devcluster-a-aws"
Error retrieving Submariner resource: Unauthorized


Expected results:
SubCtl commands should be able to use different kubeconfig contexts and users, and switch authentication between them.

Comment 1 Maayan Friedman 2022-01-19 11:21:22 UTC

we should track all issues related to merged config files in one place

*** This bug has been marked as a duplicate of bug 2013711 ***

Note You need to log in before you can comment on or make changes to this bug.