migtools/mig-ui

Got "Authentication failed" when access to migration-ui url

jmontleon opened this issue · 7 comments

From the original report migtools/mig-operator#763 :

Migration Toolkit for Containers Operator: 1.6.1

Got following log in migration-ui pod:
"Access Token Error The content-type is not JSON compatible"

cc: @louise-zhang

@louise-zhang are you using a proxy in your environment? I think one theory was that a proxy may be stripping a required header or headers, but the reports so far are limited so we're not sure that proxy use is a common thread.

Can you also let us know what version of OCP you are using and anything else about your environment you think might be relevant?

Also, if you can exec into the ui pod, for example:
oc exec -it migration-ui-794869ccfb-fflb4 /bin/bash and run curl -k https://openshift.default.svc/.well-known/oauth-authorization-server the output may be helpful.

@jmontleon Thanks for the help, yeah, I'm using a proxy for my openshift cluster.

OCP version is 4.7.30, working fine with Migration Toolkit for Containers Operator 1.5.1

Following is exec into 1.6.0 mtc ui pod:

$ oc exec -it migration-ui-bb4645546-w2vqh /bin/bash

kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.

bash-4.4$ curl -k https://openshift.default.svc/.well-known/oauth-authorization-server
{
  "issuer": "https://oauth-openshift.apps.xxxxxxxxxxxxxxxxxx",
  "authorization_endpoint": "https://oauth-openshift.apps.xxxxxxxxxxxxxxxxxx/oauth/authorize",
  "token_endpoint": "https://oauth-openshift.apps..xxxxxxxxxxxxxxxxxx/oauth/token",
  "scopes_supported": [
    "user:check-access",
    "user:full",
    "user:info",
    "user:list-projects",
    "user:list-scoped-projects"
  ],
  "response_types_supported": [
    "code",
    "token"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}

@louise-zhang I think we've been able to pinpoint the issue. If you're able to do it, you could try a patched image we have to see if it fixes the issue for you by overriding the UI server image on the MigrationController:

$ oc edit migrationcontroller -n openshift-migration migration-controller

# Set the following fields on the spec:
mig_ui_image: quay.io/ibolton336/mig-ui
mig_ui_version: no-proxy-fix

We have the details captured around what we are pretty confident is the root cause here: https://bugzilla.redhat.com/show_bug.cgi?id=2015550

Expect an upstream fix to land today, which you could use to build yourself an image. We expect to release a fix for this as part of our 1.6.2 release, tentatively 11/10. About 2 weeks from now.

There is a dev image at quay.io/ibolton336/mig-ui:no-proxy-fix that should fix this until it's merged.

You can
oc edit -n openshift-migration migrationcontroller migration-controller

and under spec add:
mig_ui_image_fqin: quay.io/ibolton336/mig-ui:no-proxy-fix to use it. If you do and can confirm it fixes the issue it would be great to have another confirmation.

Thank you!

Thanks @eriknelson @jmontleon, I have tested images for my mtc, both images are working fine.

Thanks @louise-zhang for testing. Sorry about the second message. I did not look close enough and see that Erik had commented already.