Plugin broker should respect cluster CA certificates #17552

Closed
mmorhun opened this issue Aug 3, 2020 · 1 comment

Labels
area/plugin-broker kind/bug Outline of a bug - must adhere to the bug report template. new&noteworthy For new and/or noteworthy issues that deserve a blog post, new docs, or emphasis in release notes severity/P1 Has a major impact to usage or development of the system.

mmorhun commented Aug 3, 2020

Describe the bug

Che Workspaces failed to start due to the plugin broker's failure to reach a resource.
This happens when a resource is secured by a TLS certificate different from the Che server's. This is the case when a proxy with SSL Bump is used.

Plugin broker logs:

2020/08/03 12:59:17 Broker configuration
2020/08/03 12:59:17   Push endpoint: wss://che-che.apps.user.devcluster.openshift.com/api/websocket
2020/08/03 12:59:17   Auth enabled: true
2020/08/03 12:59:17   Runtime ID:
2020/08/03 12:59:17     Workspace: workspace80pduq4q87wwoc9i
2020/08/03 12:59:17     Environment: default
2020/08/03 12:59:17     OwnerId: da658300-64b7-4700-96d9-8affd00484ff
2020/08/03 12:59:17   Self signed certificate /tmp/che/secret/ca.crt
2020/08/03 12:59:18 Couldn't connect to endpoint 'wss://che-che.apps.user.devcluster.openshift.com/api/websocket', due to error 'x509: certificate signed by unknown authority'

Workspace start logs:

Successfully assigned myusername-che/workspace80pduq4q87wwoc9i.che-plugin-broker to ip-10-0-159-97.us-east-2.compute.internal
Successfully assigned myusername-che/workspace80pduq4q87wwoc9i.che-plugin-broker to ip-10-0-159-97.us-east-2.compute.internal
Successfully assigned myusername-che/workspace80pduq4q87wwoc9i.che-plugin-broker to ip-10-0-159-97.us-east-2.compute.internal
Successfully assigned myusername-che/workspace80pduq4q87wwoc9i.che-plugin-broker to ip-10-0-159-97.us-east-2.compute.internal
Pulling image "quay.io/eclipse/che-plugin-metadata-broker:v3.2.0"
Successfully pulled image "quay.io/eclipse/che-plugin-metadata-broker:v3.2.0"
Created container che-plugin-metadata-broker-v3-2-0
Started container che-plugin-metadata-broker-v3-2-0
Error: Failed to run the workspace: "Plugins installation process timed out"

Che version

nightly

Steps to reproduce

Before trying to reproduce, a special environment should be set up.

  1. Start a cluster with OpenShift 4.
  2. Set up a public proxy with SSL Bump (authorization is not mandatory).
  3. Make the OpenShift cluster use the proxy.
  4. Deploy Eclipse Che.
  5. Try to start a workspace, see the error.

Some pitfalls:

  1. To be able to deploy Che, it is sometimes necessary to add noProxy: api.user.devcluster.openshift.com,localhost to the cluster proxy config.
  2. If the proxy does not support websockets (or is not configured to proxy websocket connections), add into the Eclipse Che CR:
spec:
  server:
    nonProxyHosts: devcluster.openshift.com

Expected behavior

Plugin broker trusts cluster CA certificates.
(Should be mounted into /public-certs, see #17407).

Runtime

Openshift
Client Version: 4.3.1
Server Version: 4.4.6

Installation method

chectl
chectl server:start --platform=openshift --os-oauth

Environment

Tested on Amazon, but should be reproducible on others if all requirements are met.

Additional context


mmorhun commented Aug 19, 2020

Done
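
The expected behavior in the report, as an added Go example that is not part of the issue thread and not the plugin broker's code: a trust pool built from the system roots plus every PEM file in a CA directory, checked against a CA that is unknown until its file appears there. The function names, the temporary directory standing in for `/public-certs`, and the throwaway CA are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// buildTrustPool adds every PEM file in caDir and extraFiles to the system roots.
func buildTrustPool(caDir string, extraFiles ...string) (*x509.CertPool, int) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store available: start empty
	}
	files, _ := filepath.Glob(filepath.Join(caDir, "*")) // missing dir: no matches
	added := 0
	for _, f := range append(files, extraFiles...) {
		if data, err := os.ReadFile(f); err == nil && pool.AppendCertsFromPEM(data) {
			added++ // directories and non-PEM files are skipped, not fatal
		}
	}
	return pool, added
}

// demo verifies a constructed self-signed CA (standing in for the SSL Bump proxy's
// CA) against the pool built before and after its PEM file is in the directory.
func demo() (added int, before, after error) {
	dir, _ := os.MkdirTemp("", "public-certs")
	defer os.RemoveAll(dir)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	empty, _ := buildTrustPool(dir)
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	os.WriteFile(filepath.Join(dir, "proxy-ca.crt"), pemBytes, 0o600)
	full, added := buildTrustPool(dir)
	_, before = cert.Verify(x509.VerifyOptions{Roots: empty})
	_, after = cert.Verify(x509.VerifyOptions{Roots: full})
	return added, before, after
}

func main() { fmt.Println(demo()) }
```

In a client, the returned pool goes into `tls.Config{RootCAs: pool}`; the variadic argument lets a single extra file, such as the `/tmp/che/secret/ca.crt` shown in the broker log, be added to the same pool.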
