This is a clone of issue OCPBUGS-30162. The following is the description of the original issue:
—
Description of problem:
Introduce --issuer-url flag in oc login.
Version-Release number of selected component (if applicable):
[xxia@2024-03-01 21:03:30 CST my]$ oc version --client
Client Version: 4.16.0-0.ci-2024-03-01-033249
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
[xxia@2024-03-01 21:03:50 CST my]$ oc get clusterversion
NAME      VERSION                         AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.ci-2024-02-29-213249   True        False         8h      Cluster version is 4.16.0-0.ci-2024-02-29-213249
How reproducible:
Always
Steps to Reproduce:
1. Launch fresh HCP cluster.
2. Log in to https://entra.microsoft.com, register an application and configure it properly.
3. Prepare variables.
HC_NAME=hypershift-ci-267920
MGMT_KUBECONFIG=/home/xxia/my/env/xxia-hs416-2-267920-4.16/kubeconfig
HOSTED_KUBECONFIG=/home/xxia/my/env/xxia-hs416-2-267920-4.16/hypershift-ci-267920.kubeconfig
AUDIENCE=7686xxxxxx
ISSUER_URL=https://login.microsoftonline.com/64dcxxxxxxxx/v2.0
CLIENT_ID=7686xxxxxx
CLIENT_SECRET_VALUE="xxxxxxxx"
CLIENT_SECRET_NAME=console-secret
4. Configure HC without oauthMetadata.
[xxia@2024-03-01 20:29:21 CST my]$ oc create secret generic console-secret -n clusters --from-literal=clientSecret=$CLIENT_SECRET_VALUE --kubeconfig $MGMT_KUBECONFIG
[xxia@2024-03-01 20:34:05 CST my]$ oc patch hc $HC_NAME -n clusters --kubeconfig $MGMT_KUBECONFIG --type=merge -p="
spec:
  configuration:
    authentication:
      oauthMetadata:
        name: ''
      oidcProviders:
      - claimMappings:
          groups:
            claim: groups
            prefix: 'oidc-groups-test:'
          username:
            claim: email
            prefixPolicy: Prefix
            prefix:
              prefixString: 'oidc-user-test:'
        issuer:
          audiences:
          - $AUDIENCE
          issuerURL: $ISSUER_URL
        name: microsoft-entra-id
        oidcClients:
        - clientID: $CLIENT_ID
          clientSecret:
            name: $CLIENT_SECRET_NAME
          componentName: console
          componentNamespace: openshift-console
      type: OIDC
"
Wait for the pods to be renewed:
[xxia@2024-03-01 20:52:41 CST my]$ oc get po -n clusters-$HC_NAME --kubeconfig $MGMT_KUBECONFIG --sort-by metadata.creationTimestamp
...
certified-operators-catalog-7ff9cffc8f-z5dlg 1/1 Running 0 5h44m
kube-apiserver-6bd9f7ccbd-kqzm7 5/5 Running 0 17m
kube-apiserver-6bd9f7ccbd-p2fw7 5/5 Running 0 15m
kube-apiserver-6bd9f7ccbd-fmsgl 5/5 Running 0 13m
openshift-apiserver-7ffc9fd764-qgd4z 3/3 Running 0 11m
openshift-apiserver-7ffc9fd764-vh6x9 3/3 Running 0 10m
openshift-apiserver-7ffc9fd764-b7znk 3/3 Running 0 10m
konnectivity-agent-577944765c-qxq75 1/1 Running 0 9m42s
hosted-cluster-config-operator-695c5854c-dlzwh 1/1 Running 0 9m42s
cluster-version-operator-7c99cf68cd-22k84 1/1 Running 0 9m42s
konnectivity-agent-577944765c-kqfpq 1/1 Running 0 9m40s
konnectivity-agent-577944765c-7t5ds 1/1 Running 0 9m37s
5. Check console login and oc login.
$ export KUBECONFIG=$HOSTED_KUBECONFIG
$ curl -ksS $(oc whoami --show-server)/.well-known/oauth-authorization-server
{
"issuer": "https://:0",
"authorization_endpoint": "https://:0/oauth/authorize",
"token_endpoint": "https://:0/oauth/token",
...
}
Check console login: it succeeds, and the upper right corner of the console correctly shows the user name oidc-user-test:xxia@redhat.com.
Check oc login:
$ rm -rf ~/.kube/cache/oc/
$ oc login --exec-plugin=oc-oidc --client-id=$CLIENT_ID --client-secret=$CLIENT_SECRET_VALUE --extra-scopes=email --callback-port=8080
error: oidc authenticator error: oidc discovery error: Get "https://:0/.well-known/openid-configuration": dial tcp :0: connect: connection refused
error: oidc authenticator error: oidc discovery error: Get "https://:0/.well-known/openid-configuration": dial tcp :0: connect: connection refused
Unable to connect to the server: getting credentials: exec: executable oc failed with exit code 1
Actual results:
Console login succeeds. oc login fails.
Expected results:
oc login should also succeed.
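As an added example (not part of this report and not oc's own code), the Python below models the failure shown above: a client that takes the issuer from the cluster's /.well-known/oauth-authorization-server metadata ends up with the unusable https://:0, while an explicitly supplied issuer URL (what the requested --issuer-url flag would provide) lets OIDC discovery proceed, subject to the discovery document's issuer matching the one it was requested for. The metadata and discovery documents are constructed, and the tenant id in the issuer URL is a placeholder.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the metadata the report shows when oauthMetadata is unset.
OAUTH_METADATA_NO_OAUTHMETADATA = json.dumps({
    "issuer": "https://:0",
    "authorization_endpoint": "https://:0/oauth/authorize",
    "token_endpoint": "https://:0/oauth/token",
})
# Constructed sample: an OIDC discovery document for the configured issuer
# (TENANT_ID_PLACEHOLDER stands in for a real tenant id).
EXAMPLE_ISSUER = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0"
DISCOVERY_DOC = json.dumps({
    "issuer": EXAMPLE_ISSUER,
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/token",
})

def issuer_is_usable(url: str) -> bool:
    """https URL with a real host and a non-zero port; 'https://:0' fails both."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    try:
        port = parts.port  # None when the URL carries no explicit port
    except ValueError:  # non-numeric or out-of-range port
        return False
    return port != 0

def resolve_issuer(oauth_metadata_json: str, issuer_url_flag: str = "") -> str:
    """Prefer an explicit issuer (the proposed --issuer-url); else use cluster metadata."""
    if issuer_url_flag:
        if not issuer_is_usable(issuer_url_flag):
            raise ValueError(f"--issuer-url is not a usable https URL: {issuer_url_flag}")
        return issuer_url_flag
    issuer = json.loads(oauth_metadata_json).get("issuer", "")
    if not issuer_is_usable(issuer):
        # This is the report's case: metadata issuer is https://:0, so discovery cannot work.
        raise ValueError(f"metadata issuer {issuer!r} is unusable; pass an explicit issuer URL")
    return issuer

def check_discovery(expected_issuer: str, discovery_json: str) -> dict:
    """OIDC Discovery 1.0 sec. 4.3: the document's issuer MUST equal the one requested."""
    doc = json.loads(discovery_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: expected {expected_issuer}, got {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint"):
        if not issuer_is_usable(doc.get(key, "")):
            raise ValueError(f"{key} is missing or not a usable https URL")
    return doc
```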
Additional info:
Issue links:
- clones: OCPBUGS-30162 Introduce --issuer-url flag in oc login (Closed)
- is blocked by: OCPBUGS-30162 Introduce --issuer-url flag in oc login (Closed)
- links to: RHSA-2024:1210 OpenShift Container Platform 4.15.z security update