oc login system:admin prompting for password #2442

Closed
thomasmckay opened this issue Jun 8, 2018 · 12 comments

Comments

@thomasmckay
Contributor

General information

#2422

After minishift start against a centos7 vm, oc login system:admin is prompting for a password.

Logs seemed to be without error, including this:

About to run SSH command:
/var/lib/minishift/bin/oc login -u system:admin
SSH cmd err, output: <nil>: Logged into "https://192.168.123.240:8443" as "system:admin" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    default
    kube-public
    kube-system
  * myproject
    openshift
    openshift-infra
    openshift-node
    openshift-web-console

Using project "myproject".
@LalatenduMohanty
Member

@thomasmckay It seems to be a duplicate of #2107. I guess you had the admin-user add-on enabled, right?

@LalatenduMohanty changed the title from "refs issue #392 - oc login system:admin prompting for password" to "oc login system:admin prompting for password" on Jun 11, 2018
@thomasmckay
Contributor Author

thomasmckay commented Jun 11, 2018

@LalatenduMohanty - Yes, I run minishift addon apply admin-user after minishift start and can then use the admin user as a workaround. My issue appears to be the same as #2107.

@praveenkumar
Contributor

praveenkumar commented Jun 13, 2018

After doing some debugging, it looks like we can't bring this behaviour back, since cluster up now happens inside the VM and the system:admin user is created there along with the certs (something like below). There is currently no way for us to take that outside and update the current config file until we again add logic to parse and update it, which might not work in the longer term since ~/.kube/config contains a lot of different types of configuration per provider (like OpenShift, Kubernetes, GKE, Azure, etc.).

[...]
users:
- name: system:admin/192-168-42-75:8443
  user:
    client-certificate-data: [...]
    client-key-data: [...]

I am thinking of making the admin-user addon part of post cluster up so that it will always be there without the addon, and then deprecating the admin-user addon after 1-2 releases.

@minishift/minishift-dev comments/Suggestions?

@gbraad
Member

gbraad commented Jun 14, 2018

Not completely following the reason why this can't work. What is missing compared to before?

@LalatenduMohanty
Member

LalatenduMohanty commented Jun 14, 2018

what is missing compared to before?

The issue is we did not have to do anything extra to make oc login -u system:admin work, as the oc binary was on the host and it was implicitly doing all the changes in ~/.kube (we were using cluster up on a remote docker daemon). But now we run oc cluster up in the VM itself, so we need to explicitly make changes in the kube config to make this work.

@praveenkumar the issue is that in the output of minishift start we say oc login -u system:admin will work. So either we change the output of minishift start by removing oc login -u system:admin and saying oc login -u admin -p admin or we need code changes to make sure oc login -u system:admin works.

$ minishift start
-- Starting profile 'minishift'
-- Check if depereccated options are used ... OK
-- Checking if https://github.com is reachable ... OK
-- Checking if requested OpenShift version 'v3.9.0' is valid ... SKIP
-- Checking if requested OpenShift version 'v3.9.0' is supported ... OK
-- Checking if requested hypervisor 'xhyve' is supported on this platform ... OK
-- Checking if xhyve driver is installed ...
   Driver is available at /usr/local/bin/docker-machine-driver-xhyve
   Checking for setuid bit ... OK
-- Checking the ISO URL ... OK
-- Checking if provided oc flags are supported ... OK
-- Starting local OpenShift cluster using 'xhyve' hypervisor ...
-- Minishift VM will be configured with ...
   Memory:    2 GB
   vCPUs :    2
   Disk size: 20 GB
-- Starting Minishift VM .............. OK
-- Checking for IP address ... OK
-- Checking for nameservers ... OK
-- Checking if external host is reachable from the Minishift VM ...
   Pinging 8.8.8.8 ... OK
-- Checking HTTP connectivity from the VM ...
   Retrieving http://minishift.io/index.html ... OK
-- Checking if persistent storage volume is mounted ... OK
-- Checking available disk space ... 1% used OK
   Importing 'openshift/origin:v3.9.0' ......... OK
   Importing 'openshift/origin-docker-registry:v3.9.0' .. OK
   Importing 'openshift/origin-haproxy-router:v3.9.0' .. OK
-- OpenShift cluster will be configured with ...
   Version: v3.9.0
-- Copying oc binary from the OpenShift container image to VM . OK
-- Starting OpenShift cluster ...................................
Using nsenter mounter for OpenShift volumes
Using public hostname IP 192.168.64.2 as the host IP
Using 192.168.64.2 as the server IP
Starting OpenShift using openshift/origin:v3.9.0 ...
OpenShift server started.

The server is accessible via web console at:
    https://192.168.64.2:8443

You are logged in as:
    User:     developer
    Password: <any value>

To login as administrator:
    oc login -u system:admin

@LalatenduMohanty
Member

Personally I think we need to do code changes to make oc login -u system:admin work.

@gbraad
Member

gbraad commented Jun 14, 2018 via email

@praveenkumar
Contributor

I spent some more time today and there is no way as of now to merge the kubeconfig file on the fly. Kubernetes/OpenShift uses the KUBECONFIG env variable for lookup and that variable does have a capability to merge, but again this is run by the user.

I am not thinking to modify the output message from oc cluster up and display what the user should use to log in as administrator.

@minishift/minishift-dev wdyt?
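
Added example, not part of the original thread and not minishift or oc code: a sketch of the KUBECONFIG merge rule mentioned above (the first file to define a named entry or current-context wins), showing that the host config has no credentials for system:admin until the VM-side user entry is merged in. The kubeconfigs are constructed Python dicts with placeholder credential values; the context names and the `developer` entry are assumptions.

```python
# Added illustration, not minishift or oc code. All sample data is constructed.
ADMIN = "system:admin/192-168-42-75:8443"  # user entry name as shown in the thread

HOST_CONFIG = {  # stands in for ~/.kube/config on the host
    "current-context": "myproject/192-168-42-75:8443/developer",
    "users": [{"name": "developer/192-168-42-75:8443",
               "user": {"token": "<constructed-token>"}}],
}
VM_CONFIG = {  # stands in for the kubeconfig written inside the VM
    "current-context": "myproject/192-168-42-75:8443/system:admin",
    "users": [{"name": ADMIN,
               "user": {"client-certificate-data": "<base64 PEM certificate>",
                        "client-key-data": "<base64 PEM key>"}},
              {"name": "developer/192-168-42-75:8443",
               "user": {"token": "<other-constructed-token>"}}],
}

def merge_kubeconfigs(configs):
    """Merge in KUBECONFIG order: the first file to set a name or value wins."""
    merged = {"clusters": [], "contexts": [], "users": [], "current-context": ""}
    for cfg in configs:
        for section in ("clusters", "contexts", "users"):
            seen = {entry["name"] for entry in merged[section]}
            for entry in cfg.get(section) or []:
                if entry["name"] not in seen:  # later duplicates are ignored
                    merged[section].append(entry)
                    seen.add(entry["name"])
        if not merged["current-context"]:
            merged["current-context"] = cfg.get("current-context", "")
    return merged

def credential_kind(config, user_name):
    """Report how user_name would authenticate using this kubeconfig."""
    for entry in config.get("users") or []:
        if entry["name"] != user_name:
            continue
        user = entry.get("user") or {}
        has_cert = "client-certificate-data" in user or "client-certificate" in user
        has_key = "client-key-data" in user or "client-key" in user
        if has_cert and has_key:
            return "client-certificate"
        return "token" if "token" in user else "none"
    return "missing"  # no entry at all: nothing to present to the server

if __name__ == "__main__":
    print("host only:", credential_kind(HOST_CONFIG, ADMIN))
    merged = merge_kubeconfigs([HOST_CONFIG, VM_CONFIG])
    print("merged   :", credential_kind(merged, ADMIN))
```

Because the host file is listed first, its current-context and its existing `developer` entry are left untouched by the merge.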

@alexellis

I'm completely stuck setting up minishift because of this breaking change. Could anyone point me in the right direction to get this command working on minishift? I also get prompted for a password.

$ minishift version
minishift v1.19.0+1750702

@alexellis

oc login https://192.168.99.102:8443  -u system:admin
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Authentication required for https://192.168.99.102:8443 (openshift)
Username: system:admin
Password: 

I can't get past this - following example by @mhausenblas from the OpenShift blog. https://blog.openshift.com/openfaas-on-openshift/

If I leave off the IP I get a different error:

oc login -u system:admin
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

error: couldn't get https://104.198.175.52:443/.well-known/oauth-authorization-server: unexpected response status 403

@LalatenduMohanty
Member

@alexellis Please check the workaround #2107 (comment) and we are trying to fix the issue asap.

@LalatenduMohanty
Member

Closing this issue as a duplicate of #2107
