fabric8-platform
fix up Che on fabric8 on minishift
from @eivantsov:
- With secure route Che refuses to load
- Che needs a few additional envs in deployment config to be using fabric8io KC server
- Existing fabric8io client for KC is not public while it should be
- Che host route should be added to valid redirect uris in KC client settings
ENVs to be added to Che deployment (either directly or through configmaps):
CHE_KEYCLOAK_AUTH__SERVER__URL=${KC_ROUTE}/auth
CHE_KEYCLOAK_REALM=${REALM}
CHE_KEYCLOAK_CLIENT__ID=${CLIENT_ID}
@eivantsov many thanks! I guess the ${CLIENT_ID} is the ID of the main fabric8 client right? (which is currently fabric8-online-platform in keycloak?)
Here's a PR that includes the above env vars and tries to fix up 1...4 above. https://github.com/fabric8io/fabric8-platform/pull/949
e.g. here's the env vars in the running che-starter pod:
CHE_KEYCLOAK_AUTH__SERVER__URL=http://keycloak.fabric8.192.168.64.2.nip.io/auth
CHE_KEYCLOAK_REALM=fabric8
CHE_KEYCLOAK_CLIENT__ID=fabric8-online-platform
I created a Codebase then if I try to reload the create page in the UI I get this
{"GET":"/api/codebases/che/state","action":"CheState","ctrl":"CodebaseController","from":"192.168.64.1","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"info","msg":"request started","pkg":"log.LogRequest.func1","req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","time":"2017-09-22 07:16:47"}
{"GET":"http://f8tenant:80/api/tenant","id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","level":"info","msg":"started","origin":"http://fabric8-fabric8.192.168.64.82.nip.io","req_id":"yp0dDreb","time":"2017-09-22 07:16:47"}
{"fields.time":"8.484648ms","id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","level":"info","msg":"completed","origin":"http://fabric8-fabric8.192.168.64.82.nip.io","req_id":"yp0dDreb","status":200,"time":"2017-09-22 07:16:47"}
{"err":"Status 400 Error Bad Request Message Bad Request Trace\norg.springframework.web.client.HttpClientErrorException: 400 Bad Request\n\tat org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)\n\tat org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700)\n\tat org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653)\n\tat org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)\n\tat org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:531)\n\tat io.fabric8.che.starter.client.keycloak.KeycloakClient.getResponseBody(KeycloakClient.java:79)\n\tat io.fabric8.che.starter.client.keycloak.KeycloakClient.getOpenShiftToken(KeycloakClient.java:55)\n\tat io.fabric8.che.starter.controller.CheServerController.getCheServerInfo(CheServerController.java:54)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.lang.reflect.Method.invoke(Method.java:498)\n\tat org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)\n\tat org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)\n\tat org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:116)\n\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)\n\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)\n\tat org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)\n\tat 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:963)\n\tat org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897)\n\tat org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)\n\tat org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:687)\n\tat org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:790)\n\tat org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)\n\tat org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:206)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)\n\tat 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:541)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)\n\tat org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)\n\tat org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1584)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)\n\tat org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1228)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)\n\tat org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:481)\n\tat org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)\n\tat org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1130)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat org.eclipse.jetty.server.Server.handle(Server.java:564)\n\tat org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)\n\tat org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)\n\tat org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)\n\tat org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:112)\n\tat org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)\n\tat 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:672)\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:590)\n\tat java.lang.Thread.run(Thread.java:748)\n","file":"/home/jenkins/go/src/github.com/fabric8-services/fabric8-wit/codebase/che/client.go","func":"github.com/fabric8-services/fabric8-wit/codebase/che.(*StarterClient).GetCheServerState","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"error","line":259,"msg":"failed to execute get che server state","pid":1,"pkg":"codebase/che","req_headers":{"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-GB,en-US;q=0.8,en;q=0.6"],"Authorization":"*****","Cache-Control":["no-cache"],"Content-Type":["application/json"],"Forwarded":["for=192.168.64.1;host=wit-fabric8.192.168.64.82.nip.io;proto=http"],"Origin":["http://fabric8-fabric8.192.168.64.82.nip.io"],"Pragma":["no-cache"],"Referer":["http://fabric8-fabric8.192.168.64.82.nip.io/developer/cheese/create"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"],"X-Forwarded-For":["192.168.64.1"],"X-Forwarded-Host":["wit-fabric8.192.168.64.82.nip.io"],"X-Forwarded-Port":["80"],"X-Forwarded-Proto":["http"],"X-Request-Id":["53ba2047-6b59-4c40-b371-9626dddf4cd4"]},"req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","time":"2017-09-22 07:16:47"}
{"err":"Bad Request","file":"/home/jenkins/go/src/github.com/fabric8-services/fabric8-wit/controller/codebase.go","func":"github.com/fabric8-services/fabric8-wit/controller.(*CodebaseController).CheState","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"error","line":324,"msg":"unable to get che server state","pid":1,"pkg":"controller","req_headers":{"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-GB,en-US;q=0.8,en;q=0.6"],"Authorization":"*****","Cache-Control":["no-cache"],"Content-Type":["application/json"],"Forwarded":["for=192.168.64.1;host=wit-fabric8.192.168.64.82.nip.io;proto=http"],"Origin":["http://fabric8-fabric8.192.168.64.82.nip.io"],"Pragma":["no-cache"],"Referer":["http://fabric8-fabric8.192.168.64.82.nip.io/developer/cheese/create"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"],"X-Forwarded-For":["192.168.64.1"],"X-Forwarded-Host":["wit-fabric8.192.168.64.82.nip.io"],"X-Forwarded-Port":["80"],"X-Forwarded-Proto":["http"],"X-Request-Id":["53ba2047-6b59-4c40-b371-9626dddf4cd4"]},"req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","time":"2017-09-22 07:16:47"}
{"err":"Bad Request","file":"/home/jenkins/go/src/github.com/fabric8-services/fabric8-wit/controller/codebase.go","func":"github.com/fabric8-services/fabric8-wit/controller.(*CodebaseController).CheState","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"error","line":328,"msg":"unable to get che server state: [Status 400 Error Bad Request Message Bad Request Trace\norg.springframework.web.client.HttpClientErrorException: 400 Bad Request\n\tat org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)\n\tat org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700)\n\tat org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653)\n\tat org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)\n\tat org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:531)\n\tat io.fabric8.che.starter.client.keycloak.KeycloakClient.getResponseBody(KeycloakClient.java:79)\n\tat io.fabric8.che.starter.client.keycloak.KeycloakClient.getOpenShiftToken(KeycloakClient.java:55)\n\tat io.fabric8.che.starter.controller.CheServerController.getCheServerInfo(CheServerController.java:54)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.lang.reflect.Method.invoke(Method.java:498)\n\tat org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)\n\tat org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)\n\tat org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:116)\n\tat 
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)\n\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)\n\tat org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)\n\tat org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:963)\n\tat org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897)\n\tat org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)\n\tat org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:687)\n\tat org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:790)\n\tat org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)\n\tat org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:206)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat 
org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:541)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)\n\tat org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)\n\tat org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1584)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)\n\tat org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1228)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)\n\tat org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:481)\n\tat org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)\n\tat org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1130)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat org.eclipse.jetty.server.Server.handle(Server.java:564)\n\tat 
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)\n\tat org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)\n\tat org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)\n\tat org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:112)\n\tat org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:672)\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:590)\n\tat java.lang.Thread.run(Thread.java:748)\n]","pid":1,"pkg":"controller","req_headers":{"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-GB,en-US;q=0.8,en;q=0.6"],"Authorization":"*****","Cache-Control":["no-cache"],"Content-Type":["application/json"],"Forwarded":["for=192.168.64.1;host=wit-fabric8.192.168.64.82.nip.io;proto=http"],"Origin":["http://fabric8-fabric8.192.168.64.82.nip.io"],"Pragma":["no-cache"],"Referer":["http://fabric8-fabric8.192.168.64.82.nip.io/developer/cheese/create"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"],"X-Forwarded-For":["192.168.64.1"],"X-Forwarded-Host":["wit-fabric8.192.168.64.82.nip.io"],"X-Forwarded-Port":["80"],"X-Forwarded-Proto":["http"],"X-Request-Id":["53ba2047-6b59-4c40-b371-9626dddf4cd4"]},"req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","time":"2017-09-22 07:16:47"}
{"err":"[exhfEqkX] 500 internal: Bad Request","error_message":"[exhfEqkX] 500 internal: Bad Request","file":"/home/jenkins/go/src/github.com/fabric8-services/fabric8-wit/jsonapi/jsonapi_utility.go","func":"github.com/fabric8-services/fabric8-wit/jsonapi.ErrorToJSONAPIError","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"error","line":39,"msg":"an error occurred in our api","pid":1,"pkg":"jsonapi","req_headers":{"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-GB,en-US;q=0.8,en;q=0.6"],"Authorization":"*****","Cache-Control":["no-cache"],"Content-Type":["application/json"],"Forwarded":["for=192.168.64.1;host=wit-fabric8.192.168.64.82.nip.io;proto=http"],"Origin":["http://fabric8-fabric8.192.168.64.82.nip.io"],"Pragma":["no-cache"],"Referer":["http://fabric8-fabric8.192.168.64.82.nip.io/developer/cheese/create"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"],"X-Forwarded-For":["192.168.64.1"],"X-Forwarded-Host":["wit-fabric8.192.168.64.82.nip.io"],"X-Forwarded-Port":["80"],"X-Forwarded-Proto":["http"],"X-Request-Id":["53ba2047-6b59-4c40-b371-9626dddf4cd4"]},"req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","time":"2017-09-22 07:16:47"}
{"action":"CheState","bytes":119,"ctrl":"CodebaseController","duration":65.61798900000001,"duration_unit":"ms","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"info","msg":"completed","pkg":"log.LogRequest.func1","req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","status":500,"time":"2017-09-22 07:16:47"}
@jstrachan yes, all the envs are ok. To check it, go to developer-che project and click on Che route. If you are redirected to a local KC page and can login using OpenShift v3 button, everything's ok.
As to errors with getting che-server state, it does not look like an issue with Che at all.
ah, the che DeploymentConfig for minishift in developer-che was set to 0 replicas. I manually scaled it up for now. Then if I go to https://che-developer-che.192.168.64.82.nip.io/ I get a 403. Was it the route in the tenant namespace (developer-che on minishift) that you meant needed to be http rather than https?
also those env vars I mentioned above are in the che-starter right? Or did you mean in the che pod in developer-che?
in the che pod in developer-che I get this when I try to access https://che-developer-che.192.168.64.82.nip.io/ directly - I guess it's due to my browser not being authenticated?
NFO: KeycloakSettings = {che.keycloak.disabled=false, che.keycloak.auth_server_url=https://sso.openshift.io/auth, che.keycloak.client_id=openshiftio-public, che.keycloak.realm=fabric8, che.keycloak.oso.endpoint=http://keycloak-fabric8.192.168.64.82.nip.io/auth/realms/fabric8/broker/openshift-v3/token, che.keycloak.github.endpoint=http://keycloak-fabric8.192.168.64.82.nip.io/auth/realms/fabric8/broker/github/token}
2017-09-22 07:32:36,418[nio-8080-exec-6] [ERROR] [.k.t.p.u.KeycloakUserValidator 221] - Exception while obtaining OSO token:
java.io.IOException: Failed access: http://keycloak-fabric8.192.168.64.82.nip.io/auth/realms/fabric8/broker/openshift-v3/token?token, method: GET, response code: 400, message: {"errorMessage":"Invalid token."}
at org.eclipse.che.api.core.rest.DefaultHttpJsonRequest.doRequest(DefaultHttpJsonRequest.java:262)
at org.eclipse.che.api.core.rest.DefaultHttpJsonRequest.request(DefaultHttpJsonRequest.java:152)
at com.redhat.che.keycloak.token.provider.service.KeycloakTokenProvider.getResponseBody(KeycloakTokenProvider.java:110)
at com.redhat.che.keycloak.token.provider.service.KeycloakTokenProvider.obtainOsoToken(KeycloakTokenProvider.java:91)
at com.redhat.che.keycloak.token.provider.util.KeycloakUserValidator$TokenLoader.load(KeycloakUserValidator.java:213)
at com.redhat.che.keycloak.token.provider.util.KeycloakUserValidator$TokenLoader.load(KeycloakUserValidator.java:207)
ah ;) wrong keycloak URL there ;)
All the envs are in Che itself (developer-che namespace). Nothing related to che-starter in my comment.
And yes, Che route should be http.
the redirect URL in KeyCloak should that be for che-starter or for the che pod in the developer-che namespace?
che-pod
ah ok, so we're gonna have to get fabric8-tenant to register a new KeyCloak redirectURI for each new tenant (since each tenant gets its own che pod)
Is it maybe possible to solve it with * in the URL?
By the time Che is multi tenant, this problem's gone
KC doesn't support wildcards in the host name part of the URL; only in the path - we faced a similar issue with Jenkins on Kubernetes. Each Che pod has its own host name; so needs to be added explicitly as a redirect URL. Though I've no idea how openshift.io can be working :) They must have some trick in the KeyCloak configuration - will try find out from Alexey / Aslak when they wake up
@jstrachan I was going to ask how it works on OSIO :)
so I tried doing the above manually on my minishift; so these env vars are inside the che pod in developer-che
CHE_KEYCLOAK_AUTH__SERVER__URL=http://keycloak-fabric8.192.168.64.82.nip.io/auth
CHE_KEYCLOAK_REALM=fabric8
CHE_KEYCLOAK_CLIENT__ID=fabric8-online-platform
then KeyCloak has the redirect URL of http://che-developer-che.192.168.64.82.nip.io/*
I updated the che route to be HTTP based
apiVersion: v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
  labels:
    app: che
    group: io.fabric8.tenant.apps
    provider: fabric8
    version: 2.0.17
  name: che
spec:
  host: che-developer-che.192.168.64.82.nip.io
  to:
    kind: Service
    name: che-host
    weight: 100
  wildcardPolicy: None
if I open http://che-developer-che.192.168.64.82.nip.io then the UI correctly redirects to KeyCloak; I login then it redirects and I get a 403 http://che-developer-che.192.168.64.82.nip.io/?state=5%2F4a62e09d-d3fc-4cea-9fdd-a848dfcd25c1&code=uss.9xmd6Cc4ICpy0SNr7753Cp9AvQb_8KJdwzrh-t7xAsQ.ddfc5a6e-835c-45f9-a3ba-f9b903ad34d4.2811ffa6-c446-4230-8c92-02f7b38ae01c
with this in the log:
ERROR: status from server: 400
Sep 22, 2017 8:08:03 AM org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: {"error":"unauthorized_client","error_description":"Client secret not provided in request"}
any ideas?
@jstrachan it is because the client is not public
BTW, I failed to make it public in KC UI.. so ended up registering a new one.
ah - the "Access Type" of the fabric8-online-platform client in KeyCloak has to be set up as public right? The KeyCloak admin UI won't let me set that :) will try figure out how/why
yes, exactly, not letting make it public in the UI. A new client solved the problem for me :)
ah gotcha - so we can just make a new client for che right? Let's do that ;)
@eivantsov huge thanks - I've now got Che working!!! :)
Now I can try figure out how to get these changes into the distro...
whoah - using just * in the redirect URI seemed to work for the che client. Not terribly secure but not a bad workaround for now ;)
though looks like I get a CORS issue; the che dashboard app starts up and stays blank (thought it was just taking a while to load on my slow wifi), the JavaScript console shows this:
XMLHttpRequest cannot load http://keycloak-fabric8.192.168.64.82.nip.io/auth/realms/fabric8/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://che-developer-che.192.168.64.82.nip.io' is therefore not allowed access.
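Added example, not code from this thread or from the fabric8 or Keycloak projects: a small audit of an exported Keycloak client representation for the redirect URI and web origin settings discussed above, comparing the bare `*` workaround with a per-tenant registration. The client name `che-public`, the function names, the `other.example` host and the simplified matching model are assumptions; `clientId`, `publicClient`, `redirectUris` and `webOrigins` are Keycloak's client representation fields.

```python
import json
from urllib.parse import urlsplit

# Constructed sample data. "che-public" is a hypothetical client name;
# the host is the minishift Che route quoted in the thread.
WORKAROUND = json.loads("""{
  "clientId": "che-public",
  "publicClient": true,
  "redirectUris": ["*"],
  "webOrigins": ["*"]
}""")
SCOPED = json.loads("""{
  "clientId": "che-public",
  "publicClient": true,
  "redirectUris": ["http://che-developer-che.192.168.64.82.nip.io/*"],
  "webOrigins": ["http://che-developer-che.192.168.64.82.nip.io"]
}""")


def tenant_redirect_uri(route_host, scheme="http"):
    """Redirect URI to register for one tenant's Che route (hypothetical helper).
    Each tenant has its own host, so each needs its own entry."""
    return f"{scheme}://{route_host}/*"


def redirect_allowed(pattern, uri):
    """Simplified model of the matching described in the thread (an assumption,
    not Keycloak's code): exact match, or prefix match for a trailing '*'."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def audit_client(client):
    """Return findings for one client representation (a dict)."""
    findings = []
    for pat in client.get("redirectUris", []):
        if pat == "*":
            findings.append("redirectUris: bare '*' accepts any redirect target")
        elif "*" in urlsplit(pat).netloc:
            # Per the thread, wildcards are only supported in the path.
            findings.append(f"redirectUris: wildcard in host part: {pat}")
        elif "*" in pat[:-1]:
            findings.append(f"redirectUris: '*' not at the end of the path: {pat}")
    for origin in client.get("webOrigins", []):
        if origin == "*":
            findings.append("webOrigins: '*' allows CORS requests from any origin")
    if client.get("publicClient") and not client.get("redirectUris"):
        findings.append("public client with no registered redirectUris")
    return findings


if __name__ == "__main__":
    for name, client in (("workaround", WORKAROUND), ("scoped", SCOPED)):
        print(name, audit_client(client) or "no findings")
    # A callback to an unrelated host passes the bare '*' but not the scoped entry.
    foreign = "http://other.example/cb"
    print(redirect_allowed("*", foreign),
          any(redirect_allowed(p, foreign) for p in SCOPED["redirectUris"]))
```

Because the client is public and carries no secret, the registered redirect URIs and web origins are the only restriction on where the authorization code and token responses can be delivered.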
Did you make Che route http?
yeah
hm.. I have a running Che on my fabric8io...
@jstrachan you are probably missing this in your new client in KC. Web origin wildcard: