Kubeinit / kubeinit

Ansible automation to have a KUBErnetes cluster INITialized as soon as possible...

Home Page:https://www.kubeinit.org

Error connecting to the cluster

ccamacho opened this issue · comments

I can log in to "service" (10.0.0.253) ... but when I try to connect to the cluster I'm getting:

[root@service auth]# oc login -u kubeadmin -p <password from install_dir/auth/kubeadmin-password>
error: x509: certificate signed by unknown authority

Any clues?

Some more detail:

[root@service auth]# oc login -u kubeadmin -p <password from install_dir/auth/kubeadmin-password> --loglevel 6
I1113 14:38:50.937371    5139 loader.go:372] Config loaded from file:  /root/install_dir/auth/kubeconfig
I1113 14:38:50.942779    5139 round_trippers.go:454] HEAD https://api.noicluster.kubeinit.local:6443/ 403 Forbidden in 5 milliseconds
I1113 14:38:50.942808    5139 request_token.go:89] GSSAPI Enabled
I1113 14:38:50.943319    5139 round_trippers.go:454] GET https://api.noicluster.kubeinit.local:6443/.well-known/oauth-authorization-server 200 OK in 0 milliseconds
I1113 14:38:50.970009    5139 request_token.go:470] falling back to kubeconfig CA due to possible x509 error: x509: certificate signed by unknown authority
I1113 14:38:50.973673    5139 round_trippers.go:454] GET https://oauth-openshift.apps.noicluster.kubeinit.local/oauth/authorize?client_id=openshift-challenging-client&code_challenge=GvGPMLLUoAoMajc9x6ta7JWnDbph0ZpNZoxN8H75V2A&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.noicluster.kubeinit.local%2Foauth%2Ftoken%2Fimplicit&response_type=code  in 3 milliseconds
I1113 14:38:50.975032    5139 round_trippers.go:454] GET https://api.noicluster.kubeinit.local:6443/api/v1/namespaces/openshift/configmaps/motd 403 Forbidden in 0 milliseconds
F1113 14:38:50.975318    5139 helpers.go:115] error: x509: certificate signed by unknown authority

btw, I can log in to the WEB GUI console with the same credentials.

I've found a solution!!!!

1. get the ca.cert from oauth-openshift pod
oc rsh -n openshift-authentication <oauth-openshift-pod> cat /run/secrets/kubernetes.io/serviceaccount/ca.crt > ingress-ca.crt
2. login providing ingress-ca.crt
oc login -u kubeadmin -p <password from install_dir/auth/kubeadmin-password> --certificate-authority=ingress-ca.crt
Login successful.

You have access to 66 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
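
Why the first login fails and the second succeeds, as an added Go example that is not part of the issue or of kubeinit: it assumes, as the log and the fix suggest, that the certificate served on the oauth route is issued by a CA missing from the kubeconfig's CA bundle. The CA names, keys and certificates are constructed; only the host name comes from the log above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const oauthHost = "oauth-openshift.apps.noicluster.kubeinit.local" // host from the issue's log

// newCert issues a constructed cert for cn; parent == nil yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // self-signed root CA
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	} else { // server certificate: the host name goes into the SAN
		t.DNSNames = []string{cn}
	}
	der, cerr := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	cert, perr := x509.ParseCertificate(der)
	if cerr != nil || perr != nil {
		panic(fmt.Sprint(cerr, perr))
	}
	return cert, key
}

// verifyAgainst checks the server cert against the one CA the client was told to trust.
func verifyAgainst(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: oauthHost})
	return err
}

func main() {
	kubeconfigCA, _ := newCert("kubeconfig CA (constructed)", nil, nil)
	ingressCA, ingressKey := newCert("ingress CA (constructed)", nil, nil)
	leaf, _ := newCert(oauthHost, ingressCA, ingressKey)
	fmt.Printf("kubeconfig CA only: %v\ningress-ca.crt: %v\n", verifyAgainst(leaf, kubeconfigCA), verifyAgainst(leaf, ingressCA))
}
```

Passing the issuing CA with `--certificate-authority` keeps chain and host name verification in place for the oauth endpoint, unlike turning verification off.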