JBoss Enterprise Application Platform / JBEAP-17518

[OCP 4.1] Not able to query jolokia on jboss images (doc updates


      We are not able to query jolokia on OCP 4.1 as we were on OCP 3.11. Here is what we did:

      # Start EAP 
      oc import-image jboss-eap-7-tech-preview/eap-cd-openshift --from=registry.access.redhat.com/jboss-eap-7-tech-preview/eap-cd-openshift --confirm
      oc new-app eap-cd-openshift --name jolokia-reproducer
      oc expose svc/jolokia-reproducer
      
      # Query jolokia
      # Command contains pod name which has to be changed and token which you can get with `oc whoami -t`
      curl -v -k --oauth2-bearer GNOw3jTbgWu143pF21b8cSSG5Mksr_0t8_ZLG4zRrXI https://api.eap-qe-ocp41-cluster.eap-qe-ocp41-cluster.fw.rhcloud.com:6443/api/v1/namespaces/mchoma/pods/https:jolokia-reproducer-1-xnjrs:8778/proxy/jolokia/
      *   Trying 3.14.209.123...
      * TCP_NODELAY set
      * Connected to api.eap-qe-ocp41-cluster.eap-qe-ocp41-cluster.fw.rhcloud.com (3.14.209.123) port 6443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS handshake, Certificate (11):
      * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
      * TLSv1.2 (IN), TLS handshake, Request CERT (13):
      * TLSv1.2 (IN), TLS handshake, Server finished (14):
      * TLSv1.2 (OUT), TLS handshake, Certificate (11):
      * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
      * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.2 (OUT), TLS handshake, Finished (20):
      * TLSv1.2 (IN), TLS handshake, Finished (20):
      * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=api.eap-qe-ocp41-cluster.eap-qe-ocp41-cluster.fw.rhcloud.com
      *  start date: May  2 06:49:44 2019 GMT
      *  expire date: Jun  1 06:49:45 2019 GMT
      *  issuer: OU=openshift; CN=kube-apiserver-lb-signer
      *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * Server auth using Bearer with user ''
      * Using Stream ID: 1 (easy handle 0x562191462590)
      > GET /api/v1/namespaces/mchoma/pods/https:jolokia-reproducer-1-xnjrs:8778/proxy/jolokia/ HTTP/2
      > Host: api.eap-qe-ocp41-cluster.eap-qe-ocp41-cluster.fw.rhcloud.com:6443
      > Authorization: Bearer GNOw3jTbgWu143pF21b8cSSG5Mksr_0t8_ZLG4zRrXI
      > User-Agent: curl/7.61.1
      > Accept: */*
      > 
      * Connection state changed (MAX_CONCURRENT_STREAMS == 2000)!
      < HTTP/2 401 
      < audit-id: e8a1815b-9901-4a87-910d-476e38ea8f5c
      < cache-control: no-store
      < date: Thu, 02 May 2019 11:34:23 GMT
      < www-authenticate: Basic realm="jolokia"
      < content-length: 0
      < 
      * Connection #0 to host api.eap-qe-ocp41-cluster.eap-qe-ocp41-cluster.fw.rhcloud.com left intact
      

      The problem is that the request is not authenticated. A similar command on OCP 3.11 authenticates and returns something:

      curl -v -k --oauth2-bearer 10n_P-FK6ssm0RjY_1oJKDc3Yr9csThrLRJ9XP1viwA https://api.all-in-one-034.dynamic.xpaas:8443/api/v1/namespaces/mchoma/pods/https:eap-cd-openshift-1-j9dd5:8778/proxy/jolokia/
      *   Trying 10.0.76.171...
      * TCP_NODELAY set
      * Connected to api.all-in-one-034.dynamic.xpaas (10.0.76.171) port 8443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS handshake, Certificate (11):
      * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
      * TLSv1.2 (IN), TLS handshake, Request CERT (13):
      * TLSv1.2 (IN), TLS handshake, Server finished (14):
      * TLSv1.2 (OUT), TLS handshake, Certificate (11):
      * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
      * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.2 (OUT), TLS handshake, Finished (20):
      * TLSv1.2 (IN), TLS handshake, Finished (20):
      * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=10.0.76.171
      *  start date: Apr 12 08:05:02 2019 GMT
      *  expire date: Apr 11 08:05:03 2021 GMT
      *  issuer: CN=openshift-signer@1555056302
      *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * Server auth using Bearer with user ''
      * Using Stream ID: 1 (easy handle 0x561c92508590)
      > GET /api/v1/namespaces/mchoma/pods/https:eap-cd-openshift-1-j9dd5:8778/proxy/jolokia/ HTTP/2
      > Host: api.all-in-one-034.dynamic.xpaas:8443
      > Authorization: Bearer 10n_P-FK6ssm0RjY_1oJKDc3Yr9csThrLRJ9XP1viwA
      > User-Agent: curl/7.61.1
      > Accept: */*
      > 
      * Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
      < HTTP/2 200 
      < cache-control: no-store
      < cache-control: no-cache
      < content-type: text/plain; charset=utf-8
      < date: Thu, 02 May 2019 11:26:47 GMT
      < expires: Thu, 02 May 2019 10:26:47 GMT
      < pragma: no-cache
      < content-length: 848
      < 
      * Connection #0 to host api.all-in-one-034.dynamic.xpaas left intact
      {"request":{"type":"version"},"value":{"agent":"1.5.0","protocol":"7.2","config":{"listenForHttpService":"true","maxCollectionSize":"0","authIgnoreCerts":"false","agentId":"10.128.1.52-490-6e0be858-jvm","agentType":"jvm","policyLocation":"classpath:\/jolokia-access.xml","agentContext":"\/jolokia","mimeType":"text\/plain","discoveryEnabled":"false","streaming":"true","password":"VXey5eTaxdKwhNozLqnUtSf5vCNcqw","historyMaxEntries":"10","allowDnsReverseLookup":"true","maxObjects":"0","debug":"false","serializeException":"false","maxDepth":"15","authMode":"basic","canonicalNaming":"true","allowErrorDetails":"true","realm":"jolokia","includeStackTrace":"true","user":"jolokia","useRestrictorService":"false","debugMaxEntries":"100"},"info":{"product":"JBoss EAP CD","vendor":"RedHat","version":"7.3.0.CD15"}},"timestamp":1556796407,"status":200}
      

      I have also seen this on the amq image in tests.
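
Added example, not part of the original report or of any project code: a small Python parser for `curl -v` transcripts like the two above. It compares the authentication scheme the client sent with the scheme the `www-authenticate` challenge asks for (the `Basic realm="jolokia"` challenge matches the `"authMode":"basic"` and `"realm":"jolokia"` values in the 3.11 agent response), and masks the bearer token before a transcript is shared. The sample transcript, host, namespace and pod name are constructed placeholders.

```python
import re

# Constructed sample: a trimmed `curl -v` transcript in the same shape as the
# OCP 4.1 output above, with placeholder host, pod name and token.
SAMPLE = """\
> GET /api/v1/namespaces/demo/pods/https:example-pod:8778/proxy/jolokia/ HTTP/2
> Host: api.example.invalid:6443
> Authorization: Bearer PLACEHOLDER_TOKEN
> Accept: */*
>
< HTTP/2 401
< audit-id: 00000000-0000-0000-0000-000000000000
< www-authenticate: Basic realm="jolokia"
< content-length: 0
<
"""

def parse_transcript(text):
    """Collect request headers, response headers and status from `curl -v` output."""
    req, resp, status = {}, {}, None
    for line in text.splitlines():
        marker, _, rest = line.strip().partition(" ")
        if marker == "<" and rest.startswith("HTTP/"):
            status = int(rest.split()[1])
        elif marker in (">", "<") and ":" in rest:
            name, _, value = rest.partition(":")
            if re.fullmatch(r"[A-Za-z0-9-]+", name):  # skips the request line
                (req if marker == ">" else resp)[name.lower()] = value.strip()
    return req, resp, status

def diagnose(text):
    """Report which auth scheme was sent and which one the challenge demands."""
    req, resp, status = parse_transcript(text)
    sent = req.get("authorization", "").split(" ", 1)[0] or None
    m = re.match(r'(\w+)(?:\s+realm="([^"]*)")?', resp.get("www-authenticate", ""))
    wanted, realm = (m.group(1), m.group(2)) if m else (None, None)
    mismatch = (status == 401 and wanted is not None
                and (sent or "").lower() != wanted.lower())
    return {"status": status, "sent_scheme": sent, "challenge_scheme": wanted,
            "realm": realm, "scheme_mismatch": mismatch}

def redact(text):
    """Mask the credential in Authorization request headers before sharing."""
    return re.sub(r"(?im)^(\s*>\s*authorization:\s*\S+\s+)\S+", r"\1<redacted>", text)

if __name__ == "__main__":
    print(diagnose(SAMPLE))
    print(redact(SAMPLE))
```
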

              bobjohns@redhat.com Robert Johnson (Inactive)
              Miroslav Novak Miroslav Novak