Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces) / CRW-1043

Cannot install CRW on a cluster configured with an authenticated proxy

Details

      • Start an OpenShift 4.4 cluster with proxy through cluster-bot using the following command:

      launch 4.4 proxy

      • Apply the following `OperatorSource` to enable the 2.2.0 OperatorHub catalog:

      apiVersion: operators.coreos.com/v1
      kind: OperatorSource
      metadata:
        name: crw
        namespace: openshift-marketplace
      spec:
        authorizationToken: {}
        endpoint: 'https://quay.io/cnr'
        registryNamespace: crw
        type: appregistry

      • Wait for the Catalog to be installed in OperatorHub. When searching for "Workspaces", you should be proposed a 2.2.0 CRW operator
      • Install it
      • Search for the cluster instance of the config.openshift.io/Proxy kind in the OpenShift cluster. This will provide you with the cluster proxy settings.
      • Create a CheCluster custom resource, with the following fields in the spec.server section, in addition to the default values:

      proxyURL: <status.httpProxy field of the proxy object, but without the credentials and ending before the port number>
      proxyPort: <Port number found in the status.httpProxy field of the proxy object>
      proxyUser: <first part of the credentials found in the status.httpProxy field of the proxy object>
      proxyPassword: <second part of the credentials found in the status.httpProxy field of the proxy object>
      nonProxyHosts: <external URL of the Kubernetes API server>

      • The beginning of the installation should start, but fail during the start of the codeready deployment with the error mentioned above.

    Description

      When installing CRW on a cluster configured with an authenticated proxy (with proxyUser and proxyPassword), the installation fails because the CRW server (wsmaster) cannot contact the Keycloak OIDC endpoint:

      Caused by: java.lang.RuntimeException: Exception while retrieving OpenId configuration from endpoint: https://keycloak-dfestal-tests.apps.ci-ln-f38t0fk-d5d6b.origin-ci-int-aws.dev.rhcloud.com/auth/realms/codeready/.well-known/openid-configuration
          at org.eclipse.che.multiuser.keycloak.server.KeycloakSettings.<init>(KeycloakSettings.java:104)
          at org.eclipse.che.multiuser.keycloak.server.KeycloakSettings$$FastClassByGuice$$e0d0786b.newInstance(<generated>)
          at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89)
          at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
          at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
          at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
      ...
      Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
          at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2152)
          at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
          at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
          at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
          at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
          at java.net.URL.openStream(URL.java:1068)
          at org.eclipse.che.multiuser.keycloak.server.KeycloakSettings.<init>(KeycloakSettings.java:97)
          ... 115 more
      

      I checked in the Che config map and in the Che server Java properties (through logs), and the proxyUser and proxyPassword properties seem to be correctly set.

      Part of the problem seems to be related to this issue: https://bugs.openjdk.java.net/browse/JDK-8197921

      However, when trying to apply the proposed solution, it doesn't seem sufficient to fix the issue. It might also require a code change to configure the default Authenticator, as suggested in https://blog.capsiel.fr/articles/bonnes-pratiques/java/java-proxy/

          People

            skabashn Sergii Kabashniuk
            dfestal David Festal
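
Added example, not part of the original issue and not code from the Che or CRW code base: a Java 8 illustration of the default-Authenticator idea mentioned in the description. It splits a status.httpProxy value into the fields listed in the reproduction steps and answers only challenges that come from that proxy. The class name ProxyAuthSetup, the ProxyFields holder and the sample proxy value are constructed for illustration.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URI;

public class ProxyAuthSetup {
    // The values the CheCluster spec.server section asks for (hypothetical holder).
    static final class ProxyFields {
        final String url, host, user; final int port; final char[] password;
        ProxyFields(String url, String host, int port, String user, char[] password) {
            this.url = url; this.host = host; this.port = port; this.user = user; this.password = password;
        }
    }

    // Splits a status.httpProxy value of the form scheme://user:password@host:port.
    static ProxyFields parse(String httpProxy) throws Exception {
        URI uri = new URI(httpProxy);
        String info = uri.getUserInfo();   // percent-decoded "user:password"
        int colon = (info == null) ? -1 : info.indexOf(':');
        if (uri.getHost() == null || uri.getPort() < 0 || colon < 1) {
            throw new IllegalArgumentException("expected scheme://user:password@host:port");
        }
        return new ProxyFields(uri.getScheme() + "://" + uri.getHost(), uri.getHost(),
                uri.getPort(), info.substring(0, colon),
                info.substring(colon + 1).toCharArray());
    }

    // Installs a JVM-wide Authenticator that answers only the configured proxy.
    static void install(final ProxyFields p) {
        Authenticator.setDefault(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                boolean fromProxy = getRequestorType() == RequestorType.PROXY
                        && p.host.equalsIgnoreCase(getRequestingHost())
                        && p.port == getRequestingPort();
                // null for any other challenge keeps the proxy password away from origin servers (401).
                return fromProxy ? new PasswordAuthentication(p.user, p.password) : null;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value, not taken from the issue.
        ProxyFields p = parse("http://proxyuser:s3cr%40t@proxy.example.internal:3128");
        install(p);
        System.out.println("proxyURL: " + p.url + "\nproxyPort: " + p.port
                + "\nproxyUser: " + p.user + "\nproxyPassword: <" + p.password.length + " chars>");
    }
}
```

On JDK 8u111 and later, Basic authentication on CONNECT tunnels is also disabled by default through the jdk.http.auth.tunneling.disabledSchemes networking property, so the Authenticator is only consulted for a Basic proxy challenge once that property is overridden at JVM start-up. Whether that default is what the linked JDK issue covers is not stated on this page.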