
fix up Che on fabric8 on minishift

Open jstrachan opened this issue 6 years ago • 25 comments

from @eivantsov:

  1. With secure route Che refuses to load
  2. Che needs a few additional envs in deployment config to be using fabric8io KC server
  3. Existing fabric8io client for KC is not public while it should be
  4. Che host route should be added to valid redirect uris in KC client settings

jstrachan avatar Sep 21 '17 17:09 jstrachan

ENVs to be added to Che deployment (either directly or through configmaps):

CHE_KEYCLOAK_AUTH__SERVER__URL=${KC_ROUTE}/auth
CHE_KEYCLOAK_REALM=${REALM}
CHE_KEYCLOAK_CLIENT__ID=${CLIENT_ID}

ghost avatar Sep 22 '17 04:09 ghost

@eivantsov many thanks! I guess the ${CLIENT_ID} is the ID of the main fabric8 client right? (which is currently fabric8-online-platform in keycloak?)

Here's a PR that includes the above env vars and tries to fix up 1...4 above. https://github.com/fabric8io/fabric8-platform/pull/949

e.g. here's the env vars in the running che-starter pod:

CHE_KEYCLOAK_AUTH__SERVER__URL=http://keycloak.fabric8.192.168.64.2.nip.io/auth
CHE_KEYCLOAK_REALM=fabric8
CHE_KEYCLOAK_CLIENT__ID=fabric8-online-platform

I created a Codebase then if I try to reload the create page in the UI I get this

  {"GET":"/api/codebases/che/state","action":"CheState","ctrl":"CodebaseController","from":"192.168.64.1","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"info","msg":"request started","pkg":"log.LogRequest.func1","req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","time":"2017-09-22 07:16:47"}
    {"GET":"http://f8tenant:80/api/tenant","id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","level":"info","msg":"started","origin":"http://fabric8-fabric8.192.168.64.82.nip.io","req_id":"yp0dDreb","time":"2017-09-22 07:16:47"}
    {"fields.time":"8.484648ms","id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","level":"info","msg":"completed","origin":"http://fabric8-fabric8.192.168.64.82.nip.io","req_id":"yp0dDreb","status":200,"time":"2017-09-22 07:16:47"}
    {"err":"Status 400 Error Bad Request Message Bad Request Trace\norg.springframework.web.client.HttpClientErrorException: 400 Bad Request\n\tat org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)\n\tat org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700)\n\tat org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653)\n\tat org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)\n\tat org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:531)\n\tat io.fabric8.che.starter.client.keycloak.KeycloakClient.getResponseBody(KeycloakClient.java:79)\n\tat io.fabric8.che.starter.client.keycloak.KeycloakClient.getOpenShiftToken(KeycloakClient.java:55)\n\tat io.fabric8.che.starter.controller.CheServerController.getCheServerInfo(CheServerController.java:54)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.lang.reflect.Method.invoke(Method.java:498)\n\tat org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)\n\tat org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)\n\tat org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:116)\n\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)\n\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)\n\tat org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)\n\tat 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:963)\n\tat org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897)\n\tat org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)\n\tat org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:687)\n\tat org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:790)\n\tat org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)\n\tat org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:206)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)\n\tat 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:541)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)\n\tat org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)\n\tat org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1584)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)\n\tat org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1228)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)\n\tat org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:481)\n\tat org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)\n\tat org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1130)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat org.eclipse.jetty.server.Server.handle(Server.java:564)\n\tat org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)\n\tat org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)\n\tat org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)\n\tat org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:112)\n\tat org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)\n\tat 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:672)\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:590)\n\tat java.lang.Thread.run(Thread.java:748)\n","file":"/home/jenkins/go/src/github.com/fabric8-services/fabric8-wit/codebase/che/client.go","func":"github.com/fabric8-services/fabric8-wit/codebase/che.(*StarterClient).GetCheServerState","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"error","line":259,"msg":"failed to execute get che server state","pid":1,"pkg":"codebase/che","req_headers":{"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-GB,en-US;q=0.8,en;q=0.6"],"Authorization":"*****","Cache-Control":["no-cache"],"Content-Type":["application/json"],"Forwarded":["for=192.168.64.1;host=wit-fabric8.192.168.64.82.nip.io;proto=http"],"Origin":["http://fabric8-fabric8.192.168.64.82.nip.io"],"Pragma":["no-cache"],"Referer":["http://fabric8-fabric8.192.168.64.82.nip.io/developer/cheese/create"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"],"X-Forwarded-For":["192.168.64.1"],"X-Forwarded-Host":["wit-fabric8.192.168.64.82.nip.io"],"X-Forwarded-Port":["80"],"X-Forwarded-Proto":["http"],"X-Request-Id":["53ba2047-6b59-4c40-b371-9626dddf4cd4"]},"req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","time":"2017-09-22 07:16:47"}
    {"err":"Bad Request","file":"/home/jenkins/go/src/github.com/fabric8-services/fabric8-wit/controller/codebase.go","func":"github.com/fabric8-services/fabric8-wit/controller.(*CodebaseController).CheState","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"error","line":324,"msg":"unable to get che server state","pid":1,"pkg":"controller","req_headers":{"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-GB,en-US;q=0.8,en;q=0.6"],"Authorization":"*****","Cache-Control":["no-cache"],"Content-Type":["application/json"],"Forwarded":["for=192.168.64.1;host=wit-fabric8.192.168.64.82.nip.io;proto=http"],"Origin":["http://fabric8-fabric8.192.168.64.82.nip.io"],"Pragma":["no-cache"],"Referer":["http://fabric8-fabric8.192.168.64.82.nip.io/developer/cheese/create"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"],"X-Forwarded-For":["192.168.64.1"],"X-Forwarded-Host":["wit-fabric8.192.168.64.82.nip.io"],"X-Forwarded-Port":["80"],"X-Forwarded-Proto":["http"],"X-Request-Id":["53ba2047-6b59-4c40-b371-9626dddf4cd4"]},"req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","time":"2017-09-22 07:16:47"}
    {"err":"Bad Request","file":"/home/jenkins/go/src/github.com/fabric8-services/fabric8-wit/controller/codebase.go","func":"github.com/fabric8-services/fabric8-wit/controller.(*CodebaseController).CheState","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"error","line":328,"msg":"unable to get che server state: [Status 400 Error Bad Request Message Bad Request Trace\norg.springframework.web.client.HttpClientErrorException: 400 Bad Request\n\tat org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)\n\tat org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700)\n\tat org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653)\n\tat org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)\n\tat org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:531)\n\tat io.fabric8.che.starter.client.keycloak.KeycloakClient.getResponseBody(KeycloakClient.java:79)\n\tat io.fabric8.che.starter.client.keycloak.KeycloakClient.getOpenShiftToken(KeycloakClient.java:55)\n\tat io.fabric8.che.starter.controller.CheServerController.getCheServerInfo(CheServerController.java:54)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.lang.reflect.Method.invoke(Method.java:498)\n\tat org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)\n\tat org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)\n\tat org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:116)\n\tat 
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)\n\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)\n\tat org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)\n\tat org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:963)\n\tat org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897)\n\tat org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)\n\tat org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:687)\n\tat org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:790)\n\tat org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)\n\tat org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:206)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat 
org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)\n\tat org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:541)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)\n\tat org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)\n\tat org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1584)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)\n\tat org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1228)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)\n\tat org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:481)\n\tat org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)\n\tat org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1130)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat org.eclipse.jetty.server.Server.handle(Server.java:564)\n\tat 
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)\n\tat org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)\n\tat org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)\n\tat org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:112)\n\tat org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:672)\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:590)\n\tat java.lang.Thread.run(Thread.java:748)\n]","pid":1,"pkg":"controller","req_headers":{"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-GB,en-US;q=0.8,en;q=0.6"],"Authorization":"*****","Cache-Control":["no-cache"],"Content-Type":["application/json"],"Forwarded":["for=192.168.64.1;host=wit-fabric8.192.168.64.82.nip.io;proto=http"],"Origin":["http://fabric8-fabric8.192.168.64.82.nip.io"],"Pragma":["no-cache"],"Referer":["http://fabric8-fabric8.192.168.64.82.nip.io/developer/cheese/create"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"],"X-Forwarded-For":["192.168.64.1"],"X-Forwarded-Host":["wit-fabric8.192.168.64.82.nip.io"],"X-Forwarded-Port":["80"],"X-Forwarded-Proto":["http"],"X-Request-Id":["53ba2047-6b59-4c40-b371-9626dddf4cd4"]},"req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","time":"2017-09-22 07:16:47"}
    {"err":"[exhfEqkX] 500 internal: Bad Request","error_message":"[exhfEqkX] 500 internal: Bad Request","file":"/home/jenkins/go/src/github.com/fabric8-services/fabric8-wit/jsonapi/jsonapi_utility.go","func":"github.com/fabric8-services/fabric8-wit/jsonapi.ErrorToJSONAPIError","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"error","line":39,"msg":"an error occurred in our api","pid":1,"pkg":"jsonapi","req_headers":{"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-GB,en-US;q=0.8,en;q=0.6"],"Authorization":"*****","Cache-Control":["no-cache"],"Content-Type":["application/json"],"Forwarded":["for=192.168.64.1;host=wit-fabric8.192.168.64.82.nip.io;proto=http"],"Origin":["http://fabric8-fabric8.192.168.64.82.nip.io"],"Pragma":["no-cache"],"Referer":["http://fabric8-fabric8.192.168.64.82.nip.io/developer/cheese/create"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"],"X-Forwarded-For":["192.168.64.1"],"X-Forwarded-Host":["wit-fabric8.192.168.64.82.nip.io"],"X-Forwarded-Port":["80"],"X-Forwarded-Proto":["http"],"X-Request-Id":["53ba2047-6b59-4c40-b371-9626dddf4cd4"]},"req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","time":"2017-09-22 07:16:47"}
    {"action":"CheState","bytes":119,"ctrl":"CodebaseController","duration":65.61798900000001,"duration_unit":"ms","identity_id":"e1ce1ff0-de8f-4c98-bdb6-cce68901c126","level":"info","msg":"completed","pkg":"log.LogRequest.func1","req_id":"53ba2047-6b59-4c40-b371-9626dddf4cd4","status":500,"time":"2017-09-22 07:16:47"}

jstrachan avatar Sep 22 '17 07:09 jstrachan

@jstrachan yes, all the envs are ok. To check it, go to developer-che project and click on Che route. If you are redirected to a local KC page and can log in using OpenShift v3 button, everything's ok.

As to errors with getting che-server state, it does not look like an issue with Che at all.

ghost avatar Sep 22 '17 07:09 ghost

ah, the che DeploymentConfig for minishift in developer-che was set to 0 replicas. I manually scaled it up for now. Then if I go to https://che-developer-che.192.168.64.82.nip.io/ I get a 403. Was it the route in the tenant namespace (developer-che on minishift) that you meant needed to be http rather than https?

also those env vars I mentioned above are in the che-starter right? Or did you mean in the che pod in developer-che?

jstrachan avatar Sep 22 '17 07:09 jstrachan

in the che pod in developer-che I get this when I try to access https://che-developer-che.192.168.64.82.nip.io/ directly - I guess it's due to my browser not being authenticated?

NFO: KeycloakSettings = {che.keycloak.disabled=false, che.keycloak.auth_server_url=https://sso.openshift.io/auth, che.keycloak.client_id=openshiftio-public, che.keycloak.realm=fabric8, che.keycloak.oso.endpoint=http://keycloak-fabric8.192.168.64.82.nip.io/auth/realms/fabric8/broker/openshift-v3/token, che.keycloak.github.endpoint=http://keycloak-fabric8.192.168.64.82.nip.io/auth/realms/fabric8/broker/github/token}
2017-09-22 07:32:36,418[nio-8080-exec-6]  [ERROR] [.k.t.p.u.KeycloakUserValidator 221]  - Exception while obtaining OSO token:
java.io.IOException: Failed access: http://keycloak-fabric8.192.168.64.82.nip.io/auth/realms/fabric8/broker/openshift-v3/token?token, method: GET, response code: 400, message: {"errorMessage":"Invalid token."}
	at org.eclipse.che.api.core.rest.DefaultHttpJsonRequest.doRequest(DefaultHttpJsonRequest.java:262)
	at org.eclipse.che.api.core.rest.DefaultHttpJsonRequest.request(DefaultHttpJsonRequest.java:152)
	at com.redhat.che.keycloak.token.provider.service.KeycloakTokenProvider.getResponseBody(KeycloakTokenProvider.java:110)
	at com.redhat.che.keycloak.token.provider.service.KeycloakTokenProvider.obtainOsoToken(KeycloakTokenProvider.java:91)
	at com.redhat.che.keycloak.token.provider.util.KeycloakUserValidator$TokenLoader.load(KeycloakUserValidator.java:213)
	at com.redhat.che.keycloak.token.provider.util.KeycloakUserValidator$TokenLoader.load(KeycloakUserValidator.java:207)

jstrachan avatar Sep 22 '17 07:09 jstrachan

ah ;) wrong keycloak URL there ;)

jstrachan avatar Sep 22 '17 07:09 jstrachan

All the envs are in Che itself (developer-che namespace). Nothing related to che-starter in my comment.

And yes, Che route should be http.

ghost avatar Sep 22 '17 07:09 ghost

the redirect URL in KeyCloak should that be for che-starter or for the che pod in the developer-che namespace?

jstrachan avatar Sep 22 '17 07:09 jstrachan

che-pod

ghost avatar Sep 22 '17 07:09 ghost

ah ok, so we're gonna have to get fabric8-tenant to register a new KeyCloak redirectURI for each new tenant (since each tenant gets its own che pod)

jstrachan avatar Sep 22 '17 07:09 jstrachan

Is it maybe possible to solve it with * in the URL?

By the time Che is multi tenant, this problem's gone

ghost avatar Sep 22 '17 07:09 ghost

KC doesn't support wildcards in the host name part of the URL; only in the path - we faced a similar issue with Jenkins on Kubernetes. Each Che pod has its own host name; so needs to be added explicitly as a redirect URL. Though I've no idea how openshift.io can be working :) They must have some trick in the KeyCloak configuration - will try find out from Alexey / Aslak when they wake up

jstrachan avatar Sep 22 '17 07:09 jstrachan

@jstrachan I was going to ask how it works on OSIO :)

ghost avatar Sep 22 '17 08:09 ghost

so I tried doing the above manually on my minishift; so these env vars are inside the che pod in developer-che

CHE_KEYCLOAK_AUTH__SERVER__URL=http://keycloak-fabric8.192.168.64.82.nip.io/auth
CHE_KEYCLOAK_REALM=fabric8
CHE_KEYCLOAK_CLIENT__ID=fabric8-online-platform

then KeyCloak has the redirect URL of http://che-developer-che.192.168.64.82.nip.io/*

I updated the che route to be HTTP based

apiVersion: v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
  labels:
    app: che
    group: io.fabric8.tenant.apps
    provider: fabric8
    version: 2.0.17
  name: che
spec:
  host: che-developer-che.192.168.64.82.nip.io
  to:
    kind: Service
    name: che-host
    weight: 100
  wildcardPolicy: None

if I open http://che-developer-che.192.168.64.82.nip.io then the UI correctly redirects to KeyCloak; I login then it redirects and I get a 403 http://che-developer-che.192.168.64.82.nip.io/?state=5%2F4a62e09d-d3fc-4cea-9fdd-a848dfcd25c1&code=uss.9xmd6Cc4ICpy0SNr7753Cp9AvQb_8KJdwzrh-t7xAsQ.ddfc5a6e-835c-45f9-a3ba-f9b903ad34d4.2811ffa6-c446-4230-8c92-02f7b38ae01c

with this in the log:

ERROR: status from server: 400
Sep 22, 2017 8:08:03 AM org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR:    {"error":"unauthorized_client","error_description":"Client secret not provided in request"}

any ideas?

jstrachan avatar Sep 22 '17 08:09 jstrachan

@jstrachan it is because the client is not public

BTW, I failed to make it public in KC UI.. so ended up registering a new one.

ghost avatar Sep 22 '17 08:09 ghost

ah - the "Access Type" of the fabric8-online-platform client in KeyCloak has to be set up as public right? The KeyCloak admin UI won't let me set that :) will try figure out how/why

jstrachan avatar Sep 22 '17 08:09 jstrachan

yes, exactly, not letting make it public in the UI. A new client solved the problem for me :)

ghost avatar Sep 22 '17 08:09 ghost

ah gotcha - so we can just make a new client for che right? Let's do that ;)

jstrachan avatar Sep 22 '17 08:09 jstrachan

@eivantsov huge thanks - I've now got Che working!!! :)

Now I can try figure out how to get these changes into the distro...

jstrachan avatar Sep 22 '17 08:09 jstrachan

whoah - using just * in the redirect URI seemed to work for the che client. Not terribly secure but not a bad workaround for now ;)

jstrachan avatar Sep 22 '17 08:09 jstrachan

though looks like I get a CORS issue; the che dashboard app starts up and stays blank (thought it was just taking a while to load on my slow wifi), the JavaScript console shows this:

XMLHttpRequest cannot load http://keycloak-fabric8.192.168.64.82.nip.io/auth/realms/fabric8/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://che-developer-che.192.168.64.82.nip.io' is therefore not allowed access.

jstrachan avatar Sep 22 '17 08:09 jstrachan

Did you make Che route http?

ghost avatar Sep 22 '17 08:09 ghost

yeah

jstrachan avatar Sep 22 '17 08:09 jstrachan

hm.. I have a running Che on my fabric8io...

ghost avatar Sep 22 '17 10:09 ghost

@jstrachan you are probably missing this in your new client in KC. Web origin wildcard:

image

ghost avatar Sep 23 '17 06:09 ghost
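
The wildcard settings discussed in this thread (a bare `*` redirect URI, a host-bound `/*` redirect URI, and the web-origin wildcard) can be checked before they ship. The following is an added example, not code from the issue, fabric8 or Keycloak: a simplified model of trailing-wildcard redirect matching plus an audit of client JSON. The sample clients, the client ids `che` and `che-per-tenant`, and the helper names are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample (not a real export). Field names follow Keycloak's client
# JSON; the client ids "che" and "che-per-tenant" are assumptions.
SAMPLE_CLIENTS = json.loads("""
[
  {"clientId": "che", "publicClient": true,
   "redirectUris": ["*"], "webOrigins": ["*"]},
  {"clientId": "che-per-tenant", "publicClient": true,
   "redirectUris": ["http://che-developer-che.192.168.64.82.nip.io/*"],
   "webOrigins": ["http://che-developer-che.192.168.64.82.nip.io"]}
]
""")


def redirect_allowed(pattern, candidate):
    """Simplified model: exact match, or prefix match for a trailing '*'."""
    if pattern.endswith("*"):
        # The query string (state, code) is ignored for wildcard patterns.
        return candidate.split("?", 1)[0].startswith(pattern[:-1])
    return candidate == pattern


def tenant_entries(route_host, scheme="http"):
    """Hypothetical helper: settings pinned to one tenant's Che route host."""
    origin = f"{scheme}://{route_host}"
    return {"redirectUris": [origin + "/*"], "webOrigins": [origin]}


def audit_client(client):
    """Return a list of findings for one client representation."""
    findings = []
    kind = "public" if client.get("publicClient") else "confidential"
    for uri in client.get("redirectUris", []):
        if uri.startswith("/"):
            continue  # relative URI, resolved against the client's root URL
        parts = urlsplit(uri)
        if not parts.scheme or not parts.netloc:
            findings.append(f"redirect URI {uri!r} is not bound to a host ({kind} client)")
        elif "*" in parts.netloc:
            findings.append(f"redirect URI {uri!r} has a wildcard in the host part")
    if "*" in client.get("webOrigins", []):
        findings.append("web origin '*' allows CORS requests from every origin")
    return findings


if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        print(c["clientId"], audit_client(c) or "ok")
    callback = "http://unrelated.example/cb?code=constructed"
    for c in SAMPLE_CLIENTS:
        print(c["clientId"], "accepts unrelated callback:",
              any(redirect_allowed(p, callback) for p in c["redirectUris"]))
```

With a public client there is no client secret on the code exchange, so the redirect URI list is what ties an authorization code to the Che host; `tenant_entries` shows the per-tenant registration that keeps that tie.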