Che-server fails to start on OpenShift with FIPS mode enabled #20991

Closed
skabashnyuk opened this issue Jan 10, 2022 · 4 comments
Labels
area/che-server kind/bug Outline of a bug - must adhere to the bug report template. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. severity/P2 Has a minor but important impact to the usage or development of the system. status/blocked Issue that can’t be moved forward. Must include a comment on the reason for the blockage.

Comments

@skabashnyuk
Contributor

skabashnyuk commented Jan 10, 2022

Is your task related to a problem? Please describe

Che-server fails to start on OpenShift with FIPS mode enabled.

Describe the solution you'd like

Che-server should be able to successfully start and establish a connection to the underlying k8s/openshift cluster.

Describe alternatives you've considered

No response

Additional context

Caused by: AssertionError
	at HttpClientUtils.createHttpClient(HttpClientUtils.java:141)
	at HttpClientUtils.createHttpClient(HttpClientUtils.java:66)
	at KubernetesClientFactory.<init>(KubernetesClientFactory.java:72)
	at CheServerKubernetesClientFactory.<init>(CheServerKubernetesClientFactory.java:43)
	at HttpClientUtils.createHttpClient(HttpClientUtils.java:66)
	at KubernetesClientFactory.<init>(KubernetesClientFactory.java:72)
	at OpenShiftClientFactory.<init>(OpenShiftClientFactory.java:74)
	at OpenShiftClientFactory$$FastClassByGuice$$166068897.GUICE$TRAMPOLINE(<generated>)
	at OpenShiftClientFactory$$FastClassByGuice$$166068897.apply(<generated>)
	at DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
	at ConstructorInjector.provision(ConstructorInjector.java:114)
	at ConstructorInjector.construct(ConstructorInjector.java:91)
	at ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:296)
	at ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
	at SingletonScope$1.get(SingletonScope.java:169)

Could be related to fabric8io/kubernetes-client#3582
Openshift fips mode - https://docs.openshift.com/container-platform/4.6/installing/installing-fips.html
Downstream issue https://issues.redhat.com/browse/CRW-2606

@skabashnyuk skabashnyuk added kind/task Internal things, technical debt, and to-do tasks to be performed. area/che-server kind/bug Outline of a bug - must adhere to the bug report template. team/platform and removed kind/task Internal things, technical debt, and to-do tasks to be performed. labels Jan 10, 2022
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Jan 10, 2022
@skabashnyuk
Contributor Author

After a small modification of HttpClientUtils I was able to get the real exception:

Caused by: KubernetesClientException: An error has occurred.
    at KubernetesClientException.launderThrowable(KubernetesClientException.java:103)
    at KubernetesClientException.launderThrowable(KubernetesClientException.java:97)
    at HttpClientUtils.createHttpClient(HttpClientUtils.java:160)
    at HttpClientUtils.createHttpClient(HttpClientUtils.java:85)
    at KubernetesClientFactory.<init>(KubernetesClientFactory.java:77)
    at OpenShiftClientFactory.<init>(OpenShiftClientFactory.java:72)
    at OpenShiftClientFactory$$FastClassByGuice$$171156543.GUICE$TRAMPOLINE(<generated>)
    at OpenShiftClientFactory$$FastClassByGuice$$171156543.apply(<generated>)
    at java.base/NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/Method.invoke(Method.java:566)
    at Bootstrap.start(Bootstrap.java:345)
    at Bootstrap.main(Bootstrap.java:476)
Caused by: KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
    at java.base/SSLContextImpl.chooseTrustManager(SSLContextImpl.java:133)
    at java.base/SSLContextImpl.engineInit(SSLContextImpl.java:95)
    at java.base/SSLContext.init(SSLContext.java:297)
    at SSLUtils.sslContext(SSLUtils.java:86)
    at HttpClientUtils.createHttpClient(HttpClientUtils.java:157)
    ... 60 more

@svor svor added severity/P2 Has a minor but important impact to the usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Jan 10, 2022
@skabashnyuk skabashnyuk added the status/blocked Issue that can’t be moved forward. Must include a comment on the reason for the blockage. label Feb 4, 2022
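The `KeyManagementException` in the trace above is raised inside `SSLContext.init`, which in FIPS mode refuses a trust manager that is not SunJSSE's own. As an added diagnostic (not code from Che or fabric8 kubernetes-client; the class and method names are hypothetical), the following compares a trust manager obtained from the JDK's `TrustManagerFactory` with an application-defined wrapper around it, so the two can be checked on the JVM that runs che-server:

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Added diagnostic; class and method names are hypothetical.
public class FipsTrustManagerCheck {
    // Trust managers built by the JDK's own factory from the default trust store.
    static TrustManager[] jdkTrustManagers() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        return tmf.getTrustManagers();
    }
    // Application-defined wrapper: delegates every check, but is not a JDK class.
    static TrustManager[] wrap(X509TrustManager delegate) {
        return new TrustManager[] {new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkServerTrusted(chain, authType);
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                return delegate.getAcceptedIssuers();
            }
        }};
    }

    // Runs SSLContext.init and reports the outcome instead of throwing.
    static String tryInit(TrustManager[] tms) {
        try {
            SSLContext.getInstance("TLS").init(null, tms, null);
            return "accepted: " + tms[0].getClass().getName();
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        TrustManager[] jdk = jdkTrustManagers();
        System.out.println("JDK factory    -> " + tryInit(jdk));
        System.out.println("custom wrapper -> " + tryInit(wrap((X509TrustManager) jdk[0])));
    }
}
```

On a JVM that is not in FIPS mode both lines report `accepted`; the wrapper line is the one to compare against the exception message in the trace.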
@skabashnyuk
Contributor Author

Blocked by this: fabric8io/kubernetes-client#3582.

@che-bot
Contributor

che-bot commented Aug 3, 2022

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

@che-bot che-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 3, 2022
@che-bot che-bot closed this as completed Aug 10, 2022
@dayglo

dayglo commented Feb 20, 2023

We've hit this issue while using OpenShift Dev Spaces. Is Che supported on FIPS-enabled clusters? If not, is there a way to turn this feature off?
