Eclipse Che pod bootstrap timeout on chectl install, when using Che operator with TLS and unsigned certificate on non-OpenShift kube #16280
Comments
@tolusha could you please take a look?
@jgwest It would be useful if you provided details of the generated certificate; you can do it in your browser[1] or via openssl[2]
Hi, is there any way to fix this issue before the PR is ready?
@eder-santos
The issue has been reproduced for installation on minishift 3.11 using custom-resource.yaml with
@jgwest I've started investigating the issue. `kubectl create secret generic self-signed-cert "--from-file=$OUT_DIR/ca.crt" -n che` should be `kubectl create secret generic self-signed-certificate "--from-file=$OUT_DIR/ca.crt" -n che`. But it still doesn't help... I'm continuing the investigation.
Thanks @mmorhun, re:
Another thing I've found is a wrong ingress-to-secret binding. All Che ingresses should have
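An added example, not from this thread or the Che project, of the check worth running before creating the `self-signed-certificate` secret named in the comment above: build a throwaway CA, issue a certificate for the Keycloak ingress host signed by that CA, then confirm with openssl that the CA file validates the server certificate, that its SAN matches the host, and that an unrelated CA is rejected (the failure mode a misnamed or mismatched secret produces). The host name is the one from the issue; `OUT_DIR` and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the issue or from Eclipse Che).
# Host taken from the issue; OUT_DIR and file names are assumptions.
set -eu

KEYCLOAK_HOST="keycloak-che.9.42.80.171.nip.io"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# 1. CA key + self-signed CA certificate. Only ca.crt goes into the secret.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=che-test-ca" \
    -keyout "$OUT_DIR/ca.key" -out "$OUT_DIR/ca.crt" >/dev/null 2>&1
}

# 2. Server key + CSR, signed by the CA with a SAN for the ingress host.
#    TLS clients verify the SAN, so a CN-only certificate is not enough.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$KEYCLOAK_HOST" \
    -keyout "$OUT_DIR/server.key" -out "$OUT_DIR/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$KEYCLOAK_HOST" > "$OUT_DIR/san.ext"
  openssl x509 -req -days 365 -in "$OUT_DIR/server.csr" \
    -CA "$OUT_DIR/ca.crt" -CAkey "$OUT_DIR/ca.key" -CAcreateserial \
    -extfile "$OUT_DIR/san.ext" -out "$OUT_DIR/server.crt" >/dev/null 2>&1
}

# 3. A CA that did not issue the server cert: stands in for a wrong or
#    never-loaded secret.
make_unrelated_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated-ca" \
    -keyout "$OUT_DIR/other.key" -out "$OUT_DIR/other.crt" >/dev/null 2>&1
}

# Chain check: does the CA file ($1) validate the server certificate ($2)?
# This is the same trust decision a client that trusts only ca.crt makes.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Hostname check: the SAN must carry the ingress host.
san_matches_host() {
  openssl x509 -in "$OUT_DIR/server.crt" -noout -text | grep -q "DNS:$KEYCLOAK_HOST"
}

make_ca
make_server_cert
make_unrelated_ca

verify_against_ca "$OUT_DIR/ca.crt" "$OUT_DIR/server.crt" \
  || { echo "ca.crt does not validate server.crt"; exit 1; }
san_matches_host || { echo "SAN does not contain $KEYCLOAK_HOST"; exit 1; }
if verify_against_ca "$OUT_DIR/other.crt" "$OUT_DIR/server.crt"; then
  echo "unexpected: unrelated CA validated server.crt"; exit 1
fi
echo "ca.crt validates server.crt, SAN matches, unrelated CA rejected"

# The secret name the thread identifies as the one the operator expects.
# Printed rather than run, since it needs a cluster.
echo "kubectl create secret generic self-signed-certificate --from-file=$OUT_DIR/ca.crt -n che"
```

Against a live cluster, the certificate to check is the one the Keycloak ingress actually serves (fetch it with `openssl s_client -connect "$KEYCLOAK_HOST:443" -servername "$KEYCLOAK_HOST" </dev/null`), and the CA in the secret must be the issuer of that certificate; if `openssl verify` fails there, the Che server will fail the same way regardless of the secret's name.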
@jgwest with all the changes from the PRs above it should work (tested on minikube though). @eder-santos
One may implicitly set
@themr0c @boczkowska we have a mistake in our docs, please see this comment and the one above.
@mmorhun - Looks good, with those two changes I am able to install Che as expected. 👍 Re: docs, it's this page that still suggests to use
I am going to create a PR for the docs.
I think the problem is resolved, so closing this issue.
Describe the bug
When attempting to install Che 7.9.0 on generic Kubernetes, with TLS enabled and a self-signed certificate, using chectl via the Che operator, the Che pod fails to start due to an inability to connect to Keycloak.
The Che pod appears not to allow connecting to Keycloak via a self-signed certificate.
As per the attached Che pod logs, the Che pod is failing to start due to the following exception
The Che pod appears to be attempting to access this URL:
https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/.well-known/openid-configuration
which I am able to successfully access from my browser (albeit behind a self-signed cert browser warning) and curl:

```
jgw@pulse-orange$ curl https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/.well-known/openid-configuration --insecure
{"issuer":"https://keycloak-che.9.42.80.171.nip.io/auth/realms/che","authorization_endpoint":"https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/protocol/openid-connect/auth","token_endpoint":"https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/protocol/openid-connect/token","token_introspection_endpoint":"https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/protocol/openid-connect/userinfo","end_session_endpoint":"https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/protocol/openid-connect/logout","jwks_uri":"https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/protocol/openid-connect/certs","check_session_iframe":"https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","microprofile-jwt","web-origins","roles","phone","address","email","profile","offline_access"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"https://keycloak-che.9.42.80.171.nip.io/auth/realms/che/protocol/openid-connect/token/introspect"}
```
A Helm install against the same cluster, using the following install command, does not exhibit this problem:
Che version
7.9.0
Steps to reproduce
`ingressDomain: ''`
with your ingress domain (e.g. `ingressDomain: '9.42.80.171.nip.io'`)
Output
See attached logs below.
Expected behavior
Che pod to successfully start after connecting to Keycloak endpoint.
Runtime
Kubernetes:
Installation method
`chectl -platform=k8s --installer=operator`, see above for more info.
Environment
Ubuntu 18.04 LTS server
Eclipse Che Logs
ZIP of /tmp/chectl-logs/1583510159056: chectl-logs.zip