Add troubleshooting documentation to the broker #479
docs/troubleshooting.md
Outdated
|
|
||
| The purpose of this document is to provide troubleshooting steps for different | ||
| scenarios. Where possible sections and sub-section should be created to | ||
| classify different types of troubles. |
Where possible, sections and sub-sections ...
docs/troubleshooting.md
Outdated
| scenarios. Where possible sections and sub-section should be created to | ||
| classify different types of troubles. | ||
|
|
||
| ## Errors related to Service Catalog communicating with the Broker |
Service Catalog and Broker communication issues
docs/troubleshooting.md
Outdated
| ## Errors related to Service Catalog communicating with the Broker | ||
|
|
||
| ### Certificate Authority | ||
|
|
Let's add a little more intro to the sections. Something like:
Sometimes the service-catalog is unable to communicate with the broker because of an unknown certificate authority.
Looking at the output below, we see the broker is running but there is a certificate signed by unknown authority preventing the service-catalog from connecting.
docs/troubleshooting.md
Outdated
| --------- -------- ----- ---- ------------- -------- ------ ------- | ||
| 6s 6s 1 service-catalog-controller-manager Warning ErrorFetchingCatalog Error getting broker catalog for broker "ansible-service-broker": Get https://asb.ansible-service-broker.svc:1338/ansible-service-broker/v2/catalog: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) | ||
| 6s 2s 9 service-catalog-controller-manager Warning ErrorFetchingCatalog Error getting broker catalog for broker "ansible-service-broker": Get https://asb.ansible-service-broker.svc:1338/ansible-service-broker/v2/catalog: x509: certificate signed by unknown authority | ||
| ``` |
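Review bot: The two event rows in this excerpt report different failures, and the prose should say which one this section addresses. The first row is a connection timeout (`Client.Timeout exceeded while awaiting headers`); only the second carries `x509: certificate signed by unknown authority`. A reader whose broker shows only the timeout row will not be helped by the caBundle fix, so name the x509 message in the text and note that the timeout is a separate symptom.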
I found the entire output confusing. I looked over it 3 times trying to find the error and finally had to scroll to the right to see the certificate error.
Consider doing the following:
- add more to the intro paragraph: The Status field of the description output will show the `certificate signed by unknown authority` error.
- then trim down the output to show the important piece we are focusing on.
```
$ oc describe servicebroker
Name: ansible-service-broker
Namespace:
Labels: <none>
Annotations: openshift.io/generated-by=OpenShiftNewApp
API Version: servicecatalog.k8s.io/v1alpha1
Kind: ServiceBroker
...
Status:
  Conditions:
    Last Transition Time: 2017-10-05T17:22:01Z
    Message: Error fetching catalog. Error getting broker catalog for broker "ansible-service-broker": Get https://asb.ansible-service-broker.svc:1338/ansible-service-broker/v2/catalog: x509: certificate signed by unknown authority
    Reason: ErrorFetchingCatalog
    Status: False
    Type: Ready
  Operation Start Time: 2017-10-05T17:22:02Z
  Reconciled Generation: 0
...
```
docs/troubleshooting.md
Outdated
|
|
||
| #### Resolution: Provide caBundle to service-catalog | ||
|
|
||
| We can get the caBundle with the following command: |
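Review bot: The heading promises "Provide caBundle to service-catalog", but the only sentence under it covers getting the bundle. Add where the value goes once it has been retrieved and how to confirm the fix took effect, for example that the `x509: certificate signed by unknown authority` event stops recurring in the broker's events.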
We need to provide the service-catalog with the caBundle so that it can validate the certificate signing chain. We can get the caBundle with the following command:
docs/troubleshooting.md
Outdated
| 38m 38m 1 service-catalog-controller-manager Warning ErrorFetchingCatalog Error getting broker catalog for broker "ansible-service-broker": Get https://asb.ansible-service-broker.svc:1338/ansible-service-broker/v2/catalog: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) | ||
| 38m 10m 107 service-catalog-controller-manager Warning ErrorFetchingCatalog Error getting broker catalog for broker "ansible-service-broker": Get https://asb.ansible-service-broker.svc:1338/ansible-service-broker/v2/catalog: x509: certificate signed by unknown authority | ||
| 10m 17s 34 service-catalog-controller-manager Warning ErrorFetchingCatalog Error getting broker catalog for broker "ansible-service-broker": Status: 401; ErrorMessage: <nil>; Description: invalid credentials, corrupt header; ResponseError: <nil> | ||
| ``` |
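Review bot: The timing columns in these rows show the x509 error last seen 10m ago and the 401 first seen 10m ago, which suggests the certificate problem is already resolved at this point; the section should say so. As written, the three rows read as three open problems. State that `Status: 401 ... invalid credentials, corrupt header` is the failure this section addresses and that the earlier rows are history from the previous section.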
Like with the previous error, I would only show the relevant pieces of the log:
```
$ oc describe servicebroker
Name: ansible-service-broker
...
Spec:
  Auth Info:
    Bearer:
      Secret Ref:
        Kind: Secret
        Name: ansibleservicebroker-client
        Namespace: ansible-service-broker
  Ca Bundle: LS0t...
...
Status:
  Conditions:
    Last Transition Time: 2017-10-05T17:22:01Z
    Message: Error fetching catalog. Error getting broker catalog for broker "ansible-service-broker": Status: 401; ErrorMessage: <nil>; Description: invalid credentials, corrupt header; ResponseError: <nil>
    Reason: ErrorFetchingCatalog
    Status: False
    Type: Ready
  Operation Start Time: 2017-10-05T17:22:02Z
  Reconciled Generation: 0
Events:
  FirstSeen LastSeen Count From SubObjectPath Type Reason Message
  --------- -------- ----- ---- ------------- -------- ------ -------
  38m 38m 1 service-catalog-controller-manager Warning ErrorFetchingCatalog Error getting broker catalog for broker "ansible-service-broker": Get https://asb.ansible-service-broker.svc:1338/ansible-service-broker/v2/catalog: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
  38m 10m 107 service-catalog-controller-manager Warning ErrorFetchingCatalog Error getting broker catalog for broker "ansible-service-broker": Get https://asb.ansible-service-broker.svc:1338/ansible-service-broker/v2/catalog: x509: certificate signed by unknown authority
  10m 17s 34 service-catalog-controller-manager Warning ErrorFetchingCatalog Error getting broker catalog for broker "ansible-service-broker": Status: 401; ErrorMessage: <nil>; Description: invalid credentials, corrupt header; ResponseError: <nil>
```
docs/troubleshooting.md
Outdated
|
|
||
| What you may notice in the output of `oc describe servicebroker` is that the service-catalog is being configured to use token based authentication | ||
| to communicate with the Ansible Service Broker. However, because of [this bug](https://bugzilla.redhat.com/show_bug.cgi?id=1498992), the broker | ||
| is configured to use basic auth by default. All that we need to do is 1) update the broker's configmap and 2) redeploy the broker. |
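Review bot: The sentence "All that we need to do is 1) update the broker's configmap and 2) redeploy the broker" names the two steps but not the end state. The paragraph says the catalog uses token based authentication and the broker uses basic auth; state explicitly which method authenticates catalog-to-broker requests after the change, so the step is not read as switching authentication off on the broker. It would also help to give the affected versions next to the Bugzilla link, since a workaround tied to a bug should say when it stops applying.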
The Spec: section shows that the service-catalog is configured to use token based authentication to communicate with the broker. However, because of this bug, the broker is configured to use basic auth by default.
All that we need to do is 1) update the broker's configmap and 2) redeploy the broker.
docs/troubleshooting.md
Outdated
| $ oc edit configmap broker-config | ||
| ``` | ||
|
|
||
| Modifying the configuration like what you see below: |
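Review bot: `oc edit configmap broker-config` is shown without a project or namespace, so it only works when the reader's current project is the broker's. Say which project to switch to first, or pass the namespace on the command line, so the edit cannot land on (or fail to find) a configmap in the wrong project.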
Disable the basic auth by setting the enabled: entry to false like the example below:
docs/troubleshooting.md
Outdated
| to communicate with the Ansible Service Broker. However, because of [this bug](https://bugzilla.redhat.com/show_bug.cgi?id=1498992), the broker | ||
| is configured to use basic auth by default. All that we need to do is 1) update the broker's configmap and 2) redeploy the broker. | ||
|
|
||
| ##### Update Broker's ConfigMap |
You might be able to make this a plain bullet
- Update Broker's ConfigMap
docs/troubleshooting.md
Outdated
| - enabled: true | ||
| ``` | ||
|
|
||
| ##### Redeploy the Broker |
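Review bot: The last line of the example before the closing fence reads `- enabled: true`, which reads as basic auth still switched on. If the leading `-` marks a removed line, show the replacement line next to it; if it is a YAML list dash, the example shows the broken state rather than the fix. Either way the reader should see the final value verbatim before moving on to the redeploy step.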
Then you could also make this bullet:
- Redeploy the Broker
@djzager great information, just a few tweaks to hopefully make it easier to consume.
Describe what this PR does and why we need it:
Documentation for troubles users/developers may see.