eclipse-che / che

Kubernetes based Cloud Development Environments for Enterprise Teams
http://eclipse.org/che
Eclipse Public License 2.0

Volume created but the secret with the self-signed cert is not #13433

Closed skabashnyuk closed 5 years ago

skabashnyuk commented 5 years ago

Description

  1. Failed to start a Che 7 workspace if Che deployment is configured to use self signed cert
     2019-02-07 18:23:32,549[aceSharedPool-1]  [WARN ] [.i.k.KubernetesInternalRuntime 249]  -
     Failed to start Kubernetes runtime of workspace workspaceq1ys0pxhpfgzgmu8.
     Cause: Plugins installation process failed. Error: Unrecoverable event occurred:
     'FailedMount', 'MountVolume.SetUp failed for volume "che-self-signed-cert" : secret
     "che-self-signed-cert" not found', 'workspaceq1ys0pxhpfgzgmu8.che-plugin-broker'

A secret with cert body isn't created but che-plugin-broker pod is configured to use it

Follow up of https://github.com/eclipse/che/issues/12634#issuecomment-491847421

sleshchenko commented 5 years ago

The issue is that Che Plugin Broker is run in a different way than the k8s/os internal runtime. The solution is to add

    for (Secret secret : brokerEnvironment.getSecrets().values()) {
      namespace.secrets().create(secret);
    }

here https://github.com/eclipse/che/blob/1263f069450801142270051a309734a1dfa37ea8/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/wsplugins/brokerphases/DeployBroker.java#L87-L86

The same is done for K8s/OS runtime here https://github.com/eclipse/che/blob/78976298b0a2e9dcc82f68c89886499eeb10e1b7/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesInternalRuntime.java#L670-L675
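
A pre-flight check for the `FailedMount` failure in the log above, as an added example (not code from the Che project or from this thread): it lists every required Secret a Pod manifest references and reports the ones that do not exist in the namespace. It goes beyond the volume case in this issue to also cover `envFrom` and `secretKeyRef` references; the manifest, the container name `broker` and every secret name other than `che-self-signed-cert` are constructed for illustration.

```python
def referenced_secrets(pod):
    """Map each required Secret name in a Pod manifest to the places that reference it."""
    spec = pod.get("spec", {})
    refs = {}

    def add(name, where, optional=False):
        # References marked optional do not block pod start, so they are skipped.
        if name and not optional:
            refs.setdefault(name, []).append(where)

    for vol in spec.get("volumes", []):
        sec = vol.get("secret")
        if sec:  # the case in this issue: a secret-backed volume
            add(sec.get("secretName"), f"volume {vol.get('name')}", sec.get("optional", False))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for src in c.get("envFrom", []):
            ref = src.get("secretRef")
            if ref:
                add(ref.get("name"), f"envFrom in {c.get('name')}", ref.get("optional", False))
        for env in c.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                add(ref.get("name"), f"env {env.get('name')} in {c.get('name')}",
                    ref.get("optional", False))
    return refs

def missing_secrets(pod, existing_secret_names):
    """Return the required Secrets the pod references that are absent from the namespace."""
    existing = set(existing_secret_names)
    return {n: w for n, w in referenced_secrets(pod).items() if n not in existing}

# Constructed manifest modelled on the che-plugin-broker pod from the log (not a real dump).
SAMPLE_POD = {
    "metadata": {"name": "che-plugin-broker"},
    "spec": {
        "volumes": [
            {"name": "che-self-signed-cert", "secret": {"secretName": "che-self-signed-cert"}},
            {"name": "optional-ca", "secret": {"secretName": "extra-ca", "optional": True}},
        ],
        "containers": [{"name": "broker", "env": [
            {"name": "TOKEN", "valueFrom": {"secretKeyRef": {"name": "broker-token", "key": "token"}}},
        ]}],
    },
}

if __name__ == "__main__":
    # Secrets assumed to exist in the namespace (constructed list).
    for name, where in missing_secrets(SAMPLE_POD, ["broker-token"]).items():
        print(f"missing secret {name!r} referenced by: {', '.join(where)}")
```
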

dmytro-ndp commented 5 years ago

Looks like the issue had affected OpenShift OAuth integration in Eclipse Che being deployed to OKD using the command:

    bash ${WORKSPACE}/deploy/openshift/ocp.sh --run-ocp --deploy-che --multiuser --setup-ocp-oauth

https://ci.codenvycorp.com/view/qa-nightly/job/che-multiuser-master-ocp-oauth-test/389/Selenium_20tests_20report/screenshots/org.eclipse.che.selenium.site.ocpoauth.LoginExistedUserWithOpenShiftOAuthTest.checkExistedCheUserOcpProjectCreationAndRemoval_time-1560454933251-millis.png

sleshchenko commented 5 years ago

@dmytro-ndp Thanks for reporting your case. Actually, the error is the same but the cause is different:

  1. Che deployment is configured to use a self-signed cert: Che Server does not create the secret for Che 7 in the plugin broker phase of workspace start.
  2. (Your case) Che Server is deployed with ocp.sh, OpenShift OAuth is configured but the self-signed cert is not: issues during workspace start are caused by ocp.sh server + Che Server templates inconsistency. I think that my PR does not solve your case: please create a separate issue if it is still relevant.