Watcher does not have correct authentication information in Openshift environment. #1156

Closed
visavis2k opened this issue Jul 27, 2018 · 2 comments
@visavis2k
Contributor

Running the Watcher on PersistentVolumes in the OpenShift environment will result in authentication errors.

        client.persistentVolumes().watch(new Watcher<PersistentVolume>() {

            @Override
            public void eventReceived(final Action action, final PersistentVolume resource) {
            }

            @Override
            public void onClose(final KubernetesClientException cause) {
            }
        });

The openShiftClient object has the admin privilege, but the following error occurs:

2018-07-26 12:11:10.658  WARN 368 --- [.local:8443/...] i.f.k.c.d.i.WatchConnectionManager       : Exec Failure: HTTP 403, Status: 403 - 
persistentvolumes is forbidden: User "system:anonymous" cannot watch persistentvolumes at the cluster scope: 
User "system:anonymous" cannot watch all persistentvolumes in the cluster

java.net.ProtocolException: Expected HTTP 101 response but was '403 Forbidden'
    at okhttp3.internal.ws.RealWebSocket.checkResponse(RealWebSocket.java:219)
    at okhttp3.internal.ws.RealWebSocket$2.onResponse(RealWebSocket.java:186)
    at okhttp3.RealCall$AsyncCall.execute(RealCall.java:153)
    at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

2018-07-26 12:11:10.659 ERROR 368 --- [           main] com.tipa.gsmp.osh.OpenShiftWatcher       : VolumeWatcher: onClose

This problem did not occur in version 3.1.10. However, it appears from 3.1.11 onward.

It is estimated that the problem is caused by modifying the WatchConnectionManager at #1042. In my opinion, the HttpClientUtils.createHttpClient() method does not give proper OpenShift authentication information.

I modified the code to use clonedClient as in the previous version, and the problem is gone.

        // Config requestConfig = new ConfigBuilder(baseOperation.getConfig()).withRequestTimeout((int)this.websocketTimeout).build();
        // this.okhttpClient = HttpClientUtils.createHttpClient(requestConfig);
        this.okhttpClient = client.newBuilder().readTimeout(this.websocketTimeout, TimeUnit.MILLISECONDS).build();

Thank you for reading.

@rohanKanojia
Member

@visavis2k: Looks like that's a regression from my fix :( . That fix was intended to fix connection leaks that were reported at that time. But certainly, we don't want missing authentication. This seems like a quick fix, would you like to send a PR to fix this issue?

@visavis2k
Contributor Author

@rohanKanojia Yes I will.

visavis2k added a commit to visavis2k/kubernetes-client that referenced this issue Jul 27, 2018
rohanKanojia pushed a commit to rohanKanojia/kubernetes-client that referenced this issue Aug 28, 2018
valdar pushed a commit to valdar/kubernetes-client that referenced this issue Mar 20, 2019
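
An added example, not part of this thread or of the kubernetes-client code base: plain OkHttp 3.x showing that a client derived with `newBuilder()` keeps the interceptors of the client it came from, while a client built from scratch carries none and its request arrives without credentials. The two interceptors, the token and the URL are constructed stand-ins (no network I/O happens), and OkHttp 3.x on the classpath is assumed.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Protocol;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;

public class DerivedClientAuthDemo {
    // Stand-in for the credential interceptor of an authenticated client (constructed token).
    static final Interceptor AUTH = chain -> chain.proceed(chain.request().newBuilder()
            .header("Authorization", "Bearer constructed-token").build());

    // Stand-in for the API server, answering without network I/O:
    // 403 when no Authorization header arrives (the system:anonymous case), else 200.
    static final Interceptor FAKE_API_SERVER = chain -> {
        boolean authenticated = chain.request().header("Authorization") != null;
        return new Response.Builder()
                .request(chain.request())
                .protocol(Protocol.HTTP_1_1)
                .code(authenticated ? 200 : 403)
                .message(authenticated ? "OK" : "Forbidden")
                .body(ResponseBody.create(null, ""))
                .build();
    };

    // Sends one watch-style request and returns the HTTP status the stub server gave.
    static int watchStatus(OkHttpClient client) throws IOException {
        Request request = new Request.Builder()
                .url("https://cluster.example.invalid:8443/api/v1/persistentvolumes?watch=true").build();
        try (Response response = client.newCall(request).execute()) {
            return response.code();
        }
    }

    public static void main(String[] args) throws IOException {
        OkHttpClient authenticated = new OkHttpClient.Builder()
                .addInterceptor(AUTH).addInterceptor(FAKE_API_SERVER).build();
        // Derived client: newBuilder() copies the interceptors, only the timeout changes.
        OkHttpClient derived = authenticated.newBuilder()
                .readTimeout(30_000, TimeUnit.MILLISECONDS).build();
        // Rebuilt client: nothing is inherited, so the request goes out without credentials.
        OkHttpClient rebuilt = new OkHttpClient.Builder()
                .readTimeout(30_000, TimeUnit.MILLISECONDS)
                .addInterceptor(FAKE_API_SERVER).build();
        System.out.println("derived: HTTP " + watchStatus(derived));
        System.out.println("rebuilt: HTTP " + watchStatus(rebuilt));
    }
}
```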