OpenShift - oc login command

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

The oc login command is used to authenticate against the API server. The oc get apiserver command can be used to display the API Server URL (api.openshift.example.com in this example), but you need to be logged in to use these commands.

AVOID TROUBLE

Before version 4.7 of OpenShift, the oc login command could be used without the -u or --username option. Starting with version 4.7, if the -u or --username option is not include, "you must obtain an API token" will be returned. Refer to How to resolve "you must obtain an API token" on OpenShift.

oc login --username john.doe api.openshift.example.com:6443

 

The oc get apiserver command can be used to display the API Server URL (api.openshift.example.com in this example), but you need to be logged in to use this commands.

~]$ oc get apiserver cluster --output jsonpath={.spec.servingCerts.namedCertificates[*].names[*]}
api.openshift.example.com

 

If you provide a bogus host to connect to, something like this will be displayed.

~]# oc login --username john.doe bogus.example.com
error: dial tcp: lookup bogus.example.com on 10.14.155.57:53: no such host - verify you have provided the correct host and port and that the server is currently running.

 

If the authentication attempt fails, something like this should be displayed.

~]# oc login --username badusername --password invalidpassword api.openshift.example.com
Login failed (401 Unauthorized)
Verify you have provided correct credentials.

 

If you are authenticated, something like this should be displayed.

Login successful.

You have access to 193 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
Welcome! See 'oc help' to get started.

 


Password

if you do not use the -p or --password option, you will be prompted to enter your password.

~]# oc login --username john.doe api.openshift.example.com:6443
Authentication required for https://api.openshift.example.com:6443 (openshift)
Password:

 

Or, the -p or --password option can be used.

oc login --username john.doe --password itsasecret api.openshift.example.com:6443

 


.kube/confilg

If the /home/your_username/.kube/confilg does not exist, it will be created after the first successful log in.

apiVersion: v1
clusters:
- cluster:
    server: https://api.openshift.example.com:6443
  name: os.example.com:6443
contexts:
- context:
    cluster: api.openshift.example.com:6443
    namespace: default
    user: john.doe
  name: default/api.openshift.example.com:6443/john.doe
current-context: default/api.openshift.example.com:6443/john.doe
kind: Config
preferences: {}
users:
- name: john.doe
  user:
    token: Mn8cvscRkYgEUo_DcoUHUk3Z7Cu8W2RQikRBwmglet8

 

The --kubeconfig option can be used to specify the ~/.kube/config file to use, like this.

oc login api.openshift.example.com:6443 --kubeconfig /home/john.doe/.kube/config

 


Token

Instead of using a username and password, a token can be used. The token can be obtained by attempting to sign in without using the --token or --username options.

~]$ oc login api.openshift.example.com:6443
You must obtain an API token by visiting https://oauth-openshift.apps.openshift.example.com/oauth/token/request

 

And then you can sign in using the --token option.

~]# oc login --token sha256~rrM4acVDON6pTWguzBYrOgO8Sz-JwuY-BiiAJw7K7lM api.openshift.example.com:6443
Logged into "https://api.openshift.example.com:6443" as "john.doe" using the token provided.

 

This will update your users /home/username/.kube/config file to have the token.

~]$ tail /home/john.doe/.kube/config
users:
- name: john.doe
  user:
    token: sha256~rrM4acVDON6pTWguzBYrOgO8Sz-JwuY-BiiAJw7K7lM

 

Once signed in, the oc whoami command can be used to display your token.

~]# oc whoami --show-token=true
rrM4acVDON6pTWguzBYrOgO8Sz-JwuY-BiiAJw7K7lM

 


Debugging

When debugging some issue, you may want to use the --loglevel option.

oc login api.openshift.example.com:6443 --loglevel=6

 

In this scenario, log level 6 is probably a good starting place, and should return output like this.

I0128 07:06:43.146516   27366 loader.go:375] Config loaded from file:  /home/john.doe/.kube/config
I0128 07:06:43.238439   27366 round_trippers.go:443] HEAD https://api.op.example.com:6443/ 403 Forbidden in 90 milliseconds
I0128 07:06:43.238471   27366 request_token.go:86] GSSAPI Enabled
I0128 07:06:43.240481   27366 round_trippers.go:443] GET https://api.op.example.com:6443/.well-known/oauth-authorization-server 200 OK in 1 milliseconds
I0128 07:06:43.258731   27366 request_token.go:447] using system roots as no error was encountered
I0128 07:06:43.288514   27366 round_trippers.go:443] GET https://oauth-openshift.apps.openshift.example.com/oauth/authorize?client_id=openshift-challenging-client&code_challenge=abc123&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.op.example.com%2Foauth%2Ftoken%2Fimplicit&response_type=code 401 Unauthorized in 29 milliseconds
Authentication required for https://api.openshift.example.com:6443 (openshift)
Username: john.doe
Password: 
I0128 07:06:49.834683   27366 round_trippers.go:443] GET https://oauth-openshift.apps.op.example.com/oauth/authorize?client_id=openshift-challenging-client&code_challenge=abc123&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.op.example.com%2Foauth%2Ftoken%2Fimplicit&response_type=code 302 Found in 79 milliseconds
I0128 07:06:49.891957   27366 round_trippers.go:443] POST https://oauth-openshift.apps.op.example.com/oauth/token 200 OK in 57 milliseconds
I0128 07:06:49.921048   27366 round_trippers.go:443] GET https://api.op.example.com:6443/apis/user.openshift.io/v1/users/~ 200 OK in 28 milliseconds
Login successful.

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee

Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.





Please enter 2c14c in the box below so that we can be sure you are a human.




Comments

Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |