-
Bug
-
Resolution: Not a Bug
-
Major
-
None
-
4.12
-
Important
-
No
-
Proposed
-
False
-
Description of problem:
after creating an HyperShift-CNV spoke cluster, with installation completing successfully, cannot login with normal created users to the spoke cluster.
Version-Release number of selected component (if applicable):
ClusterVersion: Stable at "4.12.10"
How reproducible:
create hypershift-cnv spoke cluster, create normal user. try to login
Actual results:
[kni@provisionhost-0-0 ~]$ oc login 192.168.123.15:6443 -u demouser1 -p demouser1 WARNING: Using insecure TLS client config. Setting this option is not supported! Login failed (401 Unauthorized) Verify you have provided the correct credentials.
it is still possible to login to kubeadmin user
oc login 192.168.123.15:6443 -u kubeadmin -p <password> WARNING: Using insecure TLS client config. Setting this option is not supported! Login successful.You have access to 65 projects, the list has been suppressed. You can list all projects with 'oc projects'Using project "default".
Expected results:
successfull login
Additional info:
Error seem to caused by failure to verify certificate
[kni@provisionhost-0-0 ~]$ openssl s_client -connect 192.168.123.15:6443 CONNECTED(00000003) Can't use SSL_get_servername depth=0 O = kubernetes, CN = kubernetes verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 O = kubernetes, CN = kubernetes verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:O = kubernetes, CN = kubernetes i:OU = openshift, CN = root-ca --- Server certificate -----BEGIN CERTIFICATE----- .......... -----END CERTIFICATE----- subject=O = kubernetes, CN = kubernetes issuer=OU = openshift, CN = root-ca