oauth not working with 'oc cluster up'

[tenfourty]

Just playing with the new oc cluster up command in OpenShift v1.3.0-alpha.3 and I've run into an issues that seems to be caused with the way oauth is setup:

Steps to repeat on a mac with Docker for Mac installed, I tried to follow the fabric8 docs as closely as possible:

brew install openshift-cli --devel
oc cluster up
oc login -u system:admin
gofabric8 deploy -y --domain=192.168.11.71.xip.io --api-server=192.168.11.71
gofabric8 secrets -y
oc get pods -w

Wait for all the fabric8 pods to be deployed.

○ → oc get routes
NAME                      HOST/PORT                                                PATH      SERVICE                   TERMINATION   LABELS
fabric8                   fabric8.myproject.192.168.11.71.xip.io                             fabric8                                 provider=fabric8
fabric8-docker-registry   fabric8-docker-registry.myproject.192.168.11.71.xip.io             fabric8-docker-registry                 provider=fabric8
fabric8-forge             fabric8-forge.myproject.192.168.11.71.xip.io                       fabric8-forge                           provider=fabric8
gogs                      gogs.myproject.192.168.11.71.xip.io                                gogs                                    provider=fabric8
gogs-ssh                  gogs-ssh.myproject.192.168.11.71.xip.io                            gogs-ssh                                provider=fabric8
jenkins                   jenkins.myproject.192.168.11.71.xip.io                             jenkins                                 provider=fabric8
jenkins-jnlp              jenkins-jnlp.myproject.192.168.11.71.xip.io                        jenkins-jnlp                            provider=fabric8
nexus                     nexus.myproject.192.168.11.71.xip.io                               nexus                                   provider=fabric8

As you can see the routes are all setup correctly and you can login to the openshift console to see everything deployed and working - default login for this is developer/developer.

At this point if you try to access the fabric8 console you will run into an oauth issue, so instead get the fabric8 oauth config:

○ → oc get oauthclient fabric8
NAME      SECRET    WWW-CHALLENGE   REDIRECT URIS
fabric8             FALSE           http://localhost:9090,http://localhost:2772,http://localhost:9000,http://fabric8.192.168.11.71.xip.io,https://fabric8.192.168.11.71.xip.io,http://192.168.11.71:31641

The issue seems to be that gofabric8 doesn't setup the oauth config correctly for the fabric8 client - it is failing to take into account the namespace of the project even though it setups the routes correctly oauth isn't setup right.

[rawlingsj]

Think I know what this is, we switched to automatically create the openshift routes (or ingress rules if running plain Kubernetes). When generating the hostnames we changed to include the namespace in the route just as we do for ingress.

The proper fix is to update the console oauthclient to include the namespace but it would be best to do that next week whilst also updating to use the f-m-p 3.x.

Until then I'll update the exposecontroller so that the namespace isn't included in the hostname so the oathclient matches.

[rawlingsj]

We've not yet versioned the ingress controller as it's quite new so you can just SSH to the VM and docker pull fabric8/exposecontroller:latest, delete all your routes (oc delete routes --all) and bounce the exposecontroller pod. The routes should all be recreated without the namespace and therefore match the oauthclient redirect so that you're able to log in.

Will get the fabric8-console updated next week to include the namespace as a proper fix but this at least should get past the issue.

Thanks for spotting and reporting this!

[tenfourty]

Thanks @rawlingsj that hack/workaround fixed the routes when I bounced the exposecontroller pod.

Login with oauth still doesn't work though, I seem to end up in an infinite loop when trying to login on the fabric8 console.

○ → oc get routes
NAME                      HOST/PORT                                      PATH      SERVICE                   TERMINATION   LABELS
fabric8                   fabric8.192.168.11.71.xip.io                             fabric8                                 provider=fabric8
fabric8-docker-registry   fabric8-docker-registry.192.168.11.71.xip.io             fabric8-docker-registry                 provider=fabric8
fabric8-forge             fabric8-forge.192.168.11.71.xip.io                       fabric8-forge                           provider=fabric8
gogs                      gogs.192.168.11.71.xip.io                                gogs                                    provider=fabric8
gogs-ssh                  gogs-ssh.192.168.11.71.xip.io                            gogs-ssh                                provider=fabric8
jenkins                   jenkins.192.168.11.71.xip.io                             jenkins                                 provider=fabric8
jenkins-jnlp              jenkins-jnlp.192.168.11.71.xip.io                        jenkins-jnlp                            provider=fabric8
nexus                     nexus.192.168.11.71.xip.io                               nexus                                   provider=fabric8

○ → oc get oauthclient fabric8
NAME      SECRET    WWW-CHALLENGE   REDIRECT URIS
fabric8             FALSE           http://localhost:9090,http://localhost:2772,http://localhost:9000,http://fabric8.192.168.11.71.xip.io,https://fabric8.192.168.11.71.xip.io,http://192.168.11.71:30259

Also I don't think an oauth client is setup for gogs either - should it be?

[rawlingsj]

Dam! Ok thanks @tenforty, I'll recreate the problem and make sure the next fix actually means we can log in next time :)

[rawlingsj]

Just recreated the issue and was able to log into the fabric8 console after updating the origin CORS whitelist and restarting the origin container.

Not sure if there's a better way just but here's what I did..

oc get -o jsonpath="{.spec.host}" route fabric8

copy the output, should be something like..

fabric8.192.168.99.101.xip.io

then add the hostname from above to the origin master config..

docker-machine ssh openshift
sudo vi /var/lib/origin/openshift.local.config/master/master-config.yaml

add the fabric8 console hostname, should look like this..

corsAllowedOrigins:
- 127.0.0.1
- 192.168.99.101:8443
- localhost
- fabric8.192.168.99.101.xip.io

now restart the origin master from inside the docker-machine..

docker restart origin

You should be able to log into the fabric8 console now. I'll write up a getting started guide for oc cluster up if this works.

Also I just noticed that oc cluster up suggests to use the developer:developer username and password to login. If you use this account then you'll need to give it permissions to see the default team that was created. Easiest way to do this is run

oc adm policy add-cluster-role-to-user cluster-admin developer

[rawlingsj]

BTW it seems a bit sluggish, probably because its using vagrant and virtualbox - I still prefer minishift ;)

[rawlingsj]

I added some docs to the getting started guide. Looks like there's a problem with the circleci env so the websites not updated yet but till then https://github.com/fabric8io/fabric8/blob/master/docs/getStarted/ocClusterUp.md

[feynmanliang]

Website appears updated.

I reordered the instructions in fabric8io/fabric8#6467 so that they appear in the order they should be run.