
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
There are various ways to log into OpenShift.
- Log into OpenShift using a username and password (this article)
- Log into OpenShift using a user account token
- Log into OpenShift using a service account token
AVOID TROUBLE
Before version 4.7 of OpenShift, the oc login command could be used without the -u or --username option. Starting with version 4.7, if the -u or --username option is not included, "you must obtain an API token" will be returned. Refer to How to resolve "you must obtain an API token" on OpenShift.
oc login --username john.doe api.openshift.example.com:6443
The oc get apiserver command can be used to display the API Server URL (api.openshift.example.com in this example), but you need to be logged in to use this command.
~]$ oc get apiserver cluster --output jsonpath={.spec.servingCerts.namedCertificates[*].names[*]}
api.openshift.example.com
If you provide a bogus host to connect to, something like this will be displayed.
~]# oc login --username john.doe bogus.example.com
error: dial tcp: lookup bogus.example.com on 10.14.155.57:53: no such host - verify you have provided the correct host and port and that the server is currently running.
If the authentication attempt fails, something like this should be displayed.
~]# oc login --username badusername --password invalidpassword api.openshift.example.com
Login failed (401 Unauthorized)
Verify you have provided correct credentials.
If you are authenticated, something like this should be displayed.
Login successful.
You have access to 193 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "default".
Welcome! See 'oc help' to get started.
The oc status command can be used to validate that you are logged in.
~]$ oc status
In project default on server https://api.openshift.example.com:6443
Password
If you do not use the -p or --password option, you will be prompted to enter your password.
~]# oc login --username john.doe api.openshift.example.com:6443
Authentication required for https://api.openshift.example.com:6443 (openshift)
Password:
Or, the -p or --password option can be used. Keep in mind that a password given on the command line ends up in your shell history and is visible to other users in the process list while oc runs.
oc login --username john.doe --password itsasecret api.openshift.example.com:6443
.kube/config
If /home/your_username/.kube/config does not exist, it will be created after the first successful login.
apiVersion: v1
clusters:
- cluster:
    server: https://api.openshift.example.com:6443
  name: api.openshift.example.com:6443
contexts:
- context:
    cluster: api.openshift.example.com:6443
    namespace: default
    user: john.doe
  name: default/api.openshift.example.com:6443/john.doe
current-context: default/api.openshift.example.com:6443/john.doe
kind: Config
preferences: {}
users:
- name: john.doe
  user:
    token: Mn8cvscRkYgEUo_DcoUHUk3Z7Cu8W2RQikRBwmglet8
The --kubeconfig option can be used to specify the ~/.kube/config file to use, like this.
oc login api.openshift.example.com:6443 --kubeconfig /home/john.doe/.kube/config
Token
Instead of using a username and password, a token can be used. The token can be obtained by attempting to sign in without using the --token or --username options.
~]$ oc login api.openshift.example.com:6443
You must obtain an API token by visiting https://oauth-openshift.apps.openshift.example.com/oauth/token/request
And then you can sign in using the --token option.
~]# oc login --token sha256~rrM4acVDON6pTWguzBYrOgO8Sz-JwuY-BiiAJw7K7lM api.openshift.example.com:6443
Logged into "https://api.openshift.example.com:6443" as "john.doe" using the token provided.
This will update your user's /home/username/.kube/config file to contain the token.
~]$ tail /home/john.doe/.kube/config
users:
- name: john.doe
  user:
    token: sha256~rrM4acVDON6pTWguzBYrOgO8Sz-JwuY-BiiAJw7K7lM
Once signed in, the oc whoami command can be used to display your token.
~]# oc whoami --show-token=true
rrM4acVDON6pTWguzBYrOgO8Sz-JwuY-BiiAJw7K7lM
SSL
There are a couple of ways to get the OpenShift API Server's public certificates.
The openssl s_client command is by far the easier of the two; using the oc and OpenSSL commands together provides much greater detail and understanding.
~]$ echo "Q" | openssl s_client -connect api.openshift.example.com:6443 -showcerts 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
0 s:C = US, ST = CA, L = Los Angeles, O = Acme, OU = Information Technology, CN = api.openshift.example.com
i:DC = com, DC = example, CN = ACMEROOTCA
1 s:DC = com, DC = example, CN = ACMEROOTCA
i:CN = ACMEROOTCA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Almost always, and by default, the CA certificates in the /etc/pki/tls/certs/ca-bundle.crt file are used to verify the certificate the OpenShift API Server presents during the SSL handshake. For example, let's say /etc/pki/tls/certs/ca-bundle.crt is renamed or deleted, or does not contain the CA certificate that issued the OpenShift API Server's certificate. Then something like this should be returned, since the SSL handshake cannot be completed. Of course, the easiest solution here is to ensure that the /etc/pki/tls/certs/ca-bundle.crt file exists and contains the CA certificate needed to establish the SSL connection to OpenShift.
~]$ oc login -u john.doe api.openshift.example.com:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): n
error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.
If for whatever reason you can't use the /etc/pki/tls/certs/ca-bundle.crt file, then you can use the --certificate-authority option to point to a file that contains the CA certificate needed to establish the SSL connection. The --certificate-authority option takes precedence over every other way of pointing to the CRT file used for the SSL handshake with the OpenShift API Server.
oc login -u john.doe api.openshift.example.com:6443 --certificate-authority /path/to/ca-bundle.crt
Or you can update your hidden .kube/config file so that the cluster entry contains certificate-authority, pointing at the CRT file with the CA certificate.
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /path/to/ca-bundle.crt
    server: https://api.openshift.example.com:6443
  name: api.openshift.example.com:6443
contexts:
- context:
    cluster: api.openshift.example.com:6443
    namespace: default
    user: john.doe
  name: default/api.openshift.example.com:6443/john.doe
current-context: default/api.openshift.example.com:6443/john.doe
kind: Config
preferences: {}
users:
- name: john.doe
  user:
    token: Mn8cvscRkYgEUo_DcoUHUk3Z7Cu8W2RQikRBwmglet8
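As an added example (not code from the original article), the following Python checks a kubeconfig for the things the two .kube/config listings on this page depend on: that current-context, the context, the cluster and the user reference each other consistently, and that each cluster entry is https, does not disable verification with insecure-skip-tls-verify, and either names a certificate-authority or is going to rely on the system CA bundle. ARTICLE_CONFIG and FIXED_CONFIG are constructed copies of the listings above with the token replaced by a placeholder; INSECURE_CONFIG is constructed to show the setting a login with --insecure-skip-tls-verify records; the function names are this example's own.

```python
"""Sanity and TLS checks for a kubeconfig (e.g. ~/.kube/config).

Added example, not code from the original article. The config dicts below
are constructed copies of the article's listings with the token replaced by
a placeholder; function names are this example's own.
"""
import copy
import os
import stat

# Constructed: the first listing in the article, where the cluster's name does
# not match the cluster name the context refers to.
ARTICLE_CONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "preferences": {},
    "clusters": [
        {"name": "os.example.com:6443",
         "cluster": {"server": "https://api.openshift.example.com:6443"}},
    ],
    "contexts": [
        {"name": "default/api.openshift.example.com:6443/john.doe",
         "context": {"cluster": "api.openshift.example.com:6443",
                     "namespace": "default", "user": "john.doe"}},
    ],
    "current-context": "default/api.openshift.example.com:6443/john.doe",
    "users": [
        {"name": "john.doe", "user": {"token": "PLACEHOLDER-TOKEN"}},
    ],
}

# Constructed: the same config with the cluster name corrected and a CA file
# given in the cluster entry, as --certificate-authority does on the command line.
FIXED_CONFIG = copy.deepcopy(ARTICLE_CONFIG)
FIXED_CONFIG["clusters"][0]["name"] = "api.openshift.example.com:6443"
FIXED_CONFIG["clusters"][0]["cluster"]["certificate-authority"] = "/path/to/ca-bundle.crt"

# Constructed: verification switched off, which is what answering "y" to
# "Use insecure connections?" or passing --insecure-skip-tls-verify records.
INSECURE_CONFIG = copy.deepcopy(FIXED_CONFIG)
INSECURE_CONFIG["clusters"][0]["cluster"]["insecure-skip-tls-verify"] = True


def check_kubeconfig(cfg):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    clusters = {c.get("name"): c.get("cluster", {}) for c in cfg.get("clusters", [])}
    users = {u.get("name"): u.get("user", {}) for u in cfg.get("users", [])}
    contexts = {c.get("name"): c.get("context", {}) for c in cfg.get("contexts", [])}

    current = cfg.get("current-context")
    if current not in contexts:
        findings.append(f"current-context {current!r} matches no context")

    # Every context must point at a cluster and a user that actually exist.
    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters:
            findings.append(f"context {name!r} refers to unknown cluster {ctx.get('cluster')!r}")
        if ctx.get("user") not in users:
            findings.append(f"context {name!r} refers to unknown user {ctx.get('user')!r}")

    # TLS: https only, verification never disabled, and the CA either named
    # here or expected in the system bundle.
    for name, cl in clusters.items():
        server = cl.get("server", "")
        if not server.startswith("https://"):
            findings.append(f"cluster {name!r} server {server!r} is not https")
        if cl.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name!r} has insecure-skip-tls-verify enabled")
        elif not (cl.get("certificate-authority") or cl.get("certificate-authority-data")):
            findings.append(f"cluster {name!r} sets no certificate-authority, so the system CA "
                            "bundle must contain the API server's issuer")
    return findings


def stored_credentials(cfg):
    """Map each user entry to the kind of credential it stores."""
    kinds = {}
    for u in cfg.get("users", []):
        user = u.get("user", {})
        if "token" in user:
            kinds[u["name"]] = "token"
        elif "client-certificate" in user or "client-certificate-data" in user:
            kinds[u["name"]] = "client-certificate"
        elif "password" in user:
            kinds[u["name"]] = "password"
        else:
            kinds[u["name"]] = "none"
    return kinds


def check_file_mode(path):
    """Return a finding if the file is readable by group or others, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{path} has mode {mode:04o}; a kubeconfig holding a token should be 0600"
    return None


if __name__ == "__main__":
    for label, cfg in (("article", ARTICLE_CONFIG), ("fixed", FIXED_CONFIG), ("insecure", INSECURE_CONFIG)):
        print(label, check_kubeconfig(cfg) or "OK", stored_credentials(cfg))
    kubeconfig = os.path.expanduser("~/.kube/config")
    if os.path.exists(kubeconfig):
        print(check_file_mode(kubeconfig) or f"{kubeconfig} permissions OK")
```

Run it as-is to see the two findings for the article's first listing and a clean result for the corrected one; point check_file_mode at your own ~/.kube/config to confirm the file that holds your token is not group- or world-readable.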
Debugging
When debugging some issue, you may want to use the --loglevel option.
oc login api.openshift.example.com:6443 --loglevel=6
In this scenario, log level 6 is probably a good starting place, and should return output like this.
I0128 07:06:43.146516 27366 loader.go:375] Config loaded from file: /home/john.doe/.kube/config
I0128 07:06:43.238439 27366 round_trippers.go:443] HEAD https://api.op.example.com:6443/ 403 Forbidden in 90 milliseconds
I0128 07:06:43.238471 27366 request_token.go:86] GSSAPI Enabled
I0128 07:06:43.240481 27366 round_trippers.go:443] GET https://api.op.example.com:6443/.well-known/oauth-authorization-server 200 OK in 1 milliseconds
I0128 07:06:43.258731 27366 request_token.go:447] using system roots as no error was encountered
I0128 07:06:43.288514 27366 round_trippers.go:443] GET https://oauth-openshift.apps.openshift.example.com/oauth/authorize?client_id=openshift-challenging-client&code_challenge=abc123&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.op.example.com%2Foauth%2Ftoken%2Fimplicit&response_type=code 401 Unauthorized in 29 milliseconds
Authentication required for https://api.openshift.example.com:6443 (openshift)
Username: john.doe
Password:
I0128 07:06:49.834683 27366 round_trippers.go:443] GET https://oauth-openshift.apps.op.example.com/oauth/authorize?client_id=openshift-challenging-client&code_challenge=abc123&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.op.example.com%2Foauth%2Ftoken%2Fimplicit&response_type=code 302 Found in 79 milliseconds
I0128 07:06:49.891957 27366 round_trippers.go:443] POST https://oauth-openshift.apps.op.example.com/oauth/token 200 OK in 57 milliseconds
I0128 07:06:49.921048 27366 round_trippers.go:443] GET https://api.op.example.com:6443/apis/user.openshift.io/v1/users/~ 200 OK in 28 milliseconds
Login successful.
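The log lines above are easier to read once each round trip is mapped onto the step of the login flow it belongs to. As an added example (not code from the original article), this Python parses the round_trippers lines from --loglevel=6 output, names the OAuth stage of each request, confirms that the authorize requests carried a PKCE code_challenge, and redacts the OAuth values before such a log is pasted into a ticket. SAMPLE_LOG is a constructed copy of the excerpt above; the function names are this example's own.

```python
"""Summarise the HTTP round trips in `oc login --loglevel=6` output.

Added example, not code from the original article. SAMPLE_LOG is a
constructed copy of the log excerpt shown above; function names are this
example's own.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SAMPLE_LOG = """\
I0128 07:06:43.146516 27366 loader.go:375] Config loaded from file: /home/john.doe/.kube/config
I0128 07:06:43.238439 27366 round_trippers.go:443] HEAD https://api.op.example.com:6443/ 403 Forbidden in 90 milliseconds
I0128 07:06:43.238471 27366 request_token.go:86] GSSAPI Enabled
I0128 07:06:43.240481 27366 round_trippers.go:443] GET https://api.op.example.com:6443/.well-known/oauth-authorization-server 200 OK in 1 milliseconds
I0128 07:06:43.258731 27366 request_token.go:447] using system roots as no error was encountered
I0128 07:06:43.288514 27366 round_trippers.go:443] GET https://oauth-openshift.apps.openshift.example.com/oauth/authorize?client_id=openshift-challenging-client&code_challenge=abc123&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.op.example.com%2Foauth%2Ftoken%2Fimplicit&response_type=code 401 Unauthorized in 29 milliseconds
Authentication required for https://api.openshift.example.com:6443 (openshift)
Username: john.doe
Password:
I0128 07:06:49.834683 27366 round_trippers.go:443] GET https://oauth-openshift.apps.op.example.com/oauth/authorize?client_id=openshift-challenging-client&code_challenge=abc123&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.op.example.com%2Foauth%2Ftoken%2Fimplicit&response_type=code 302 Found in 79 milliseconds
I0128 07:06:49.891957 27366 round_trippers.go:443] POST https://oauth-openshift.apps.op.example.com/oauth/token 200 OK in 57 milliseconds
I0128 07:06:49.921048 27366 round_trippers.go:443] GET https://api.op.example.com:6443/apis/user.openshift.io/v1/users/~ 200 OK in 28 milliseconds
Login successful.
"""

# One klog line per HTTP request: "<METHOD> <URL> <STATUS> <REASON> in <N> milliseconds".
ROUND_TRIP = re.compile(
    r"round_trippers\.go:\d+\]\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<reason>[A-Za-z ]+?)\s+in\s+(?P<ms>\d+)\s+milliseconds"
)
# Query parameters from the OAuth exchange that should not travel with a shared log.
SENSITIVE_PARAMS = {"code", "code_challenge", "code_verifier", "access_token", "token"}


def parse_round_trips(log_text):
    """Extract method, host, path, query, status and latency for each request line."""
    trips = []
    for line in log_text.splitlines():
        m = ROUND_TRIP.search(line)
        if not m:
            continue  # prompts, loader and request_token lines carry no request
        parts = urlsplit(m["url"])
        trips.append({
            "method": m["method"],
            "url": m["url"],
            "host": parts.netloc,
            "path": parts.path,
            "query": parse_qs(parts.query),
            "status": int(m["status"]),
            "ms": int(m["ms"]),
        })
    return trips


def redact_url(url):
    """Replace the OAuth query values listed in SENSITIVE_PARAMS with a marker."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for key in query:
        if key in SENSITIVE_PARAMS:
            query[key] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def describe_login(trips):
    """Name the stage of the challenging-client login flow each request belongs to."""
    stages = []
    for t in trips:
        if t["path"].endswith("/.well-known/oauth-authorization-server"):
            stages.append("discover OAuth server")
        elif t["path"] == "/oauth/authorize" and t["status"] == 401:
            stages.append("authorize: challenged for credentials")
        elif t["path"] == "/oauth/authorize" and t["status"] == 302:
            stages.append("authorize: accepted, redirected with code")
        elif t["path"] == "/oauth/token" and t["method"] == "POST":
            stages.append("code exchanged for token")
        elif t["path"].endswith("/users/~"):
            stages.append("token verified against users/~")
        else:
            stages.append(f"{t['method']} {t['path']} -> {t['status']}")
    return stages


def pkce_used(trips):
    """True when every /oauth/authorize request carried an S256 code_challenge."""
    authorize = [t for t in trips if t["path"] == "/oauth/authorize"]
    return bool(authorize) and all(
        t["query"].get("code_challenge_method") == ["S256"] and "code_challenge" in t["query"]
        for t in authorize
    )


if __name__ == "__main__":
    trips = parse_round_trips(SAMPLE_LOG)
    for t, stage in zip(trips, describe_login(trips)):
        print(f"{t['status']} {t['method']:4} {t['host']}{t['path']}  ({t['ms']} ms)  {stage}")
    print("PKCE used:", pkce_used(trips))
    print("redacted:", redact_url(trips[2]["url"]))
```

The initial 403 on HEAD / is expected: it is the anonymous probe that tells oc it must authenticate, after which it discovers the OAuth server, gets a 401 challenge on /oauth/authorize, resubmits with the credentials you typed, receives the 302 carrying the authorization code, exchanges it at /oauth/token and finally checks the token against users/~. A 401 that repeats after the password prompt, rather than turning into a 302, is the pattern to look for when credentials are being rejected.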