Re: Web-Console masterURL configMap and authentication problems

[Dan Pungă]

Thanks for the reply Sam!

Unfortunately with this setup I get only the "invalid request" page that 
I've attached previously. But now the URL stays on 
loadbalance.my.net:8443/console:

https://loadbalance.my.net:8443/console/error?error=invalid_request&error_description=Client%20state%20could%20not%20be%20verified&error_uri=

The new configMap looks like this:

apiVersion: v1
data:
  webconsole-config.yaml: |
    apiVersion: webconsole.config.openshift.io/v1
    clusterInfo:
      consolePublicURL: https://loadbalance.my.net:8443/console/
      loggingPublicURL: https://kibana.apps.my.net
      logoutPublicURL: ''
      masterPublicURL: https://loadbalance.my.net:8443
      metricsPublicURL: 
https://hawkular-metrics.apps.my.net/hawkular/metrics
    extensions:
      properties: {}
      scriptURLs: []
      stylesheetURLs: []
    features:
      clusterResourceOverridesEnabled: false
      inactivityTimeoutMinutes: 0
    kind: WebConsoleConfiguration
    servingInfo:
      bindAddress: 0.0.0.0:8443
      bindNetwork: tcp4
      certFile: /var/serving-cert/tls.crt
      clientCA: ''
      keyFile: /var/serving-cert/tls.key
      maxRequestsInFlight: 0
      namedCertificates: null
      requestTimeoutSeconds: 0
kind: ConfigMap
metadata:
  creationTimestamp: 2018-05-16T23:11:11Z
  name: webconsole-config
  namespace: openshift-web-console
  resourceVersion: "1187596"
  selfLink: 
/api/v1/namespaces/openshift-web-console/configmaps/webconsole-config
  uid: 6c33acdd-595e-11e8-8a63-fa163ed601cb

The new oauthclient/openshift-web-console is now:

apiVersion: v1
grantMethod: auto
kind: OAuthClient
metadata:
  creationTimestamp: 2018-05-16T23:20:11Z
  name: openshift-web-console
  resourceVersion: "1189032"
  selfLink: /oapi/v1/oauthclients/openshift-web-console
  uid: ae780fee-595f-11e8-8a63-fa163ed601cb
redirectURIs:
- https://loadbalance.my.net:8443/console
- https://master1.my.net:8443/console
- https://master2.my.net:8443/console

Anything else I need to check maybe?

On 17.05.2018 01:32, Sam Padgett wrote:
I'd make these updates to the config map:

consolePublicURL: https://loadbalance.my.net:8443/console/
masterPublicURL: https://loadbalance.my.net:8443

Then edit the OAuth client as cluster-admin to add the console public 
URL to the allowed callbacks.

$ oc patch oauthclient/openshift-web-console -p 
'{"redirectURIs":["https://loadbalance.my.net:8443/"]}'

Editing the OAuth client should fix the invalid request error on login.

Sam


On Wed, May 16, 2018 at 6:03 PM, Dan Pungă <dan.pu...@gmail.com 
<mailto:dan.pu...@gmail.com>> wrote:

    Hello all!

    I'm setting up a recently installed Openshift Origin v3.9 and I've
    discovered a problem with the web-console.
    The environment has 2 masters: master1 and master2 and a
    loadbalancer, all installed via openshift-ansible.
    I'm accessing the web-console UI with
    https://loadbalance.my.net:8443 <https://loadbalance.my.net:8443>
    I've noticed some problems with the login form in the webconsole,
    where I got some error about invalid request (attached image). On
    a second attempt I can login succesfully.

    A second problem, maybe unrelated, is the content of the
    webconsole-config configmap which has:
    consolePublicURL: https://master1.my.net:8443/console/
    <https://master1.my.net:8443/console/>
    loggingPublicURL: https://....
    logoutPublicURL: ''
    masterPublicURL: https://master1.my.net:8443

    This looks like the configuration uses only the master1. I've
    tried modifying the values for consolePublicURL and
    masterPublicURL to point to loadbalance.my.net:8443
    <http://loadbalance.my.net:8443>, but after pod restart I get a
    json response with invalid request and the console doesn't load.
    I've checked the master-config.yaml on both masters and it "looks"
    fine to me:

    masterPublicURL: https://master1.my.net:8443
      assetPublicURL: https://master1.my.net:8443/console/
    <https://master1.my.net:8443/console/>
      masterPublicURL: https://master1.my.net:8443
      masterURL: https://loadbalance.my.net:8443
    <https://loadbalance.my.net:8443>
      subdomain: my.net <http://my.net>

    and the equivalent for master2.

    Also, I've read through the archives and I've checked the 
    oauthclient/openshift-web-console resource which is

    apiVersion: v1
    grantMethod: auto
    kind: OAuthClient
    metadata:
      creationTimestamp: 2018-05-11T13:09:54Z
      name: openshift-web-console
      resourceVersion: "1123438"
      selfLink: /oapi/v1/oauthclients/openshift-web-console
      uid: 98c50270-551c-11e8-a51b-fa163ed601cb
    redirectURIs:
    - https://master1.my.net:8443/console/
    <https://master1.my.net:8443/console/>
    - https://master2.my.net <http://my.net>:8443/console/


    Do you have any ideas about these 2 issues? Especially the second one.

    Thank you for any help in advance,
    Dan Pungă


    _______________________________________________
    users mailing list
    users@lists.openshift.redhat.com
    <mailto:users@lists.openshift.redhat.com>
    http://lists.openshift.redhat.com/openshiftmm/listinfo/users
    <http://lists.openshift.redhat.com/openshiftmm/listinfo/users>



_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users