Bug 2091287 - Inconsistent behavior when "oc login" and "oc login https://api.<domain>"
Summary: Inconsistent behavior when "oc login" and "oc login https://api.<domain>"
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.10
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Maciej Szulik
QA Contact: zhou ying
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-05-28 14:58 UTC by Chen
Modified: 2022-05-29 13:12 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-29 13:12:25 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Chen 2022-05-28 14:58:56 UTC 
Description of problem:

Inconsistent behavior when "oc login" and "oc login https://api.<domain>"

Version-Release number of selected component (if applicable):

4.10.13

How reproducible:

100%

Steps to Reproduce:

1. Set KUBECONFIG parameter to the correct kubeconfig
2. oc login -u <user>

Result: error: x509: certificate signed by unknown authority will be output.
Expected behavior because $KUBECONFIG doesn't have Ingress CA

3. oc login -u <user> https://api.<domain>:6443
Result:

The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Authentication required for https://api.ocp4.example.net:6443 (openshift)
Username: admin
Password:
Login successful.

This is unexpected behavior. The login should fail as same as "oc login -u admin" without api URL. Seems by specifying the api URL can bypass the Ingress CA check. 

Additional info:
Note You need to log in before you can comment on or make changes to this bug.