Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2091287

Summary: Inconsistent behavior when "oc login" and "oc login https://api.<domain>"
Product: OpenShift Container Platform Reporter: Chen <cchen>
Component: ocAssignee: Maciej Szulik <maszulik>
oc sub component: oc QA Contact: zhou ying <yinzhou>
Status: CLOSED NOTABUG Docs Contact:
Severity: medium    
Priority: unspecified CC: mfojtik
Version: 4.10   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-29 13:12:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chen 2022-05-28 14:58:56 UTC 
Description of problem:

Inconsistent behavior when "oc login" and "oc login https://api.<domain>"

Version-Release number of selected component (if applicable):

4.10.13

How reproducible:

100%

Steps to Reproduce:

1. Set KUBECONFIG parameter to the correct kubeconfig
2. oc login -u <user>

Result: error: x509: certificate signed by unknown authority will be output.
Expected behavior because $KUBECONFIG doesn't have Ingress CA

3. oc login -u <user> https://api.<domain>:6443
Result:

The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Authentication required for https://api.ocp4.example.net:6443 (openshift)
Username: admin
Password:
Login successful.

This is unexpected behavior. The login should fail as same as "oc login -u admin" without api URL. Seems by specifying the api URL can bypass the Ingress CA check. 

Additional info: