eclipse-theia / theia-cloud

Eclipse Public License 2.0

Network error after deploying TheIA Cloud on-premise #207

Closed CarlosIVI closed 1 year ago

CarlosIVI commented 1 year ago

Describe the bug

Hello,

I'm currently using EC2 Instances to emulate a Bare-Metal Installation of K8S with TheIA-Cloud on top.

What I have done:

If you are interested in this, you can find the whole process documented at the following link (for now, I just have the bootstrap cluster process; I'll update this shortly): https://github.com/TrustworthyComputing/theia-T2

After deploying Theia cloud with Helm and setting up my /etc/host to reach the default domain name, when I try to connect to the landing page (https://theia.cloud.192.168.39.173.nip.io) I'm getting the Theia logo and two messages:

Please wait until we get your Theia session ready...

One second later it displays:

Error: network error

Expected behavior

I'm expecting to get a session and to be able to reach TheIA-IDE.

Cluster provider

On-premise (Ubuntu 20.04)

Version

No response

Additional information

No response

jfaltermeier commented 1 year ago

Hi, could you please check whether a session object gets created?

kubectl -n theiacloud get sessions --watch

(You might have to adjust the namespace.)

If no session is created at all, I think the post call sent from the landing page to the rest service fails (this might then be the network error). You can check the network calls the landing page makes using your browser's debugging tools.

Usually the ping endpoint should look similar to this. You may check if this is reachable from your browser. https://service.192.168.59.169.nip.io/service/ping or https://192.168.59.170.nip.io/servicex/service/ping

CarlosIVI commented 1 year ago

Hello, thanks for the quick answer

I have some findings:

There are no sessions. After trying to reach both services via browser, I'm getting a connection timeout.

On the browser console I'm seeing:

Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID. https://service.192.168.39.173.nip.io/service

I'm not sure if this is directly related to ingress-nginx or TheIA-Cloud itself. In /doc/docs/Install.md there is a section that refers to Global Certificates, but it talks about using TheIA cloud with "/".

I'm not sure if TheIA cloud uses cert-manager to auto-provision its certs and put those on its ingresses. If that's the case, I would like to know how I can sign those to avoid this error.

Details of the certificate that is being used:

Issued by and Issued to:

Common Name (CN): Kubernetes Ingress Controller Fake Certificate
Organization (O): Acme Co
Organizational Unit (OU):

Update:

I already looked into the ingresses and found out that they are using k8s secrets that are not created:

Ingress landing-page:

tls:
  - hosts:
    - theia.cloud.192.168.39.173.nip.io
    secretName: landing-page-cert-secret

There are no Issuers (cert-manager resource), but there is one ClusterIssuer that apparently is not working to add the missing TLS secrets.

Cluster Issuer:

NAME                            READY   AGE
theia-cloud-selfsigned-issuer   True    13h

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    meta.helm.sh/release-name: theia-cloud-base
    meta.helm.sh/release-namespace: default
  creationTimestamp: "2023-07-25T06:08:46Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: theia-cloud-selfsigned-issuer
  resourceVersion: "7381"
  uid: c56497f0-d6fb-4b58-96d7-dee0f4ceb61b
spec:
  selfSigned: {}
status:
  conditions:
  - lastTransitionTime: "2023-07-25T06:08:46Z"
    observedGeneration: 1
    reason: IsReady
    status: "True"
    type: Ready

jfaltermeier commented 1 year ago

Our theia-cloud-base helm chart should ship with two ClusterIssuers:

- https://github.com/eclipsesource/theia-cloud-helm/blob/main/charts/theia.cloud-base/templates/clusterissuer-selfsigned.yaml (self-signed for development; needs to be manually accepted in the browser to gain trust)
- https://github.com/eclipsesource/theia-cloud-helm/blob/main/charts/theia.cloud-base/templates/clusterissuer-production.yaml (Let's Encrypt)

However, you may also add your own:

- https://cert-manager.io/docs/configuration/
- https://cert-manager.io/docs/concepts/issuer/
- https://systemweakness.com/create-internal-ssl-certificates-with-cert-manager-851fc886628e

You can then specify the name of the cluster issuer to use via this helm value: https://github.com/eclipsesource/theia-cloud-helm/blob/1ad6bd6982bb3e327b88a0d2b10966b553d1f0c9/charts/theia.cloud/values.yaml#L208

Basically this name will be written in the ingress as an annotation:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod

Could you check if this is set on your service ingress and which value it has?

Besides that you can have a look at this: https://cert-manager.io/docs/troubleshooting/ and check the related kubernetes cert-manager resources for any hints:

kubectl -n theiacloud get certificates
kubectl -n theiacloud get certificaterequest
kubectl -n theiacloud get orders
...
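
The checks suggested in this comment (is the `cert-manager.io/cluster-issuer` annotation set on each Ingress, does the named ClusterIssuer exist, was the TLS secret ever issued) can be run in one pass over `kubectl get ingress -o json` output. This is an added example, not part of the thread or of Theia Cloud; the function name, status strings and sample objects (namespace `theiacloud`, the `service`, `instance` and `monitor` entries) are assumptions constructed around the names that appear in this issue.

```python
ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"

def audit_ingress_tls(ingresses, tls_secrets, cluster_issuers):
    """Classify every TLS entry of every Ingress.

    ingresses:       items from `kubectl get ingress -A -o json`
    tls_secrets:     set of (namespace, name) of TLS secrets that exist
    cluster_issuers: set of ClusterIssuer names that exist
    Returns a list of (namespace/ingress, secretName, issuer, status).
    """
    findings = []
    for ing in ingresses:
        meta = ing["metadata"]
        ns, name = meta.get("namespace", "default"), meta["name"]
        issuer = (meta.get("annotations") or {}).get(ISSUER_ANNOTATION)
        for tls in ing.get("spec", {}).get("tls") or []:
            secret = tls.get("secretName")
            if secret and (ns, secret) in tls_secrets:
                status = "ok"
            elif issuer is None:
                # Nothing asks cert-manager for a certificate, so the secret
                # never appears and ingress-nginx serves its fake certificate.
                status = "secret-missing-no-issuer-annotation"
            elif issuer not in cluster_issuers:
                status = "secret-missing-unknown-issuer"
            else:
                # Issuer exists: inspect Certificate / CertificateRequest next.
                status = "secret-missing-issuance-pending"
            findings.append((f"{ns}/{name}", secret, issuer, status))
    return findings

def sample_ingress(name, host, secret, issuer=None):
    """Build a trimmed Ingress object (constructed sample data)."""
    annotations = {ISSUER_ANNOTATION: issuer} if issuer else {}
    return {"metadata": {"namespace": "theiacloud", "name": name,
                         "annotations": annotations},
            "spec": {"tls": [{"hosts": [host], "secretName": secret}]}}

# Constructed sample: only landing-page and its secret name come from the issue.
SAMPLE_INGRESSES = [
    sample_ingress("landing-page", "theia.cloud.192.168.39.173.nip.io",
                   "landing-page-cert-secret"),
    sample_ingress("service", "service.192.168.39.173.nip.io",
                   "service-cert-secret", "letsencrypt-prod"),
    sample_ingress("instance", "ws.192.168.39.173.nip.io",
                   "instance-cert-secret", "theia-cloud-selfsigned-issuer"),
    sample_ingress("monitor", "monitor.192.168.39.173.nip.io",
                   "monitor-cert-secret", "theia-cloud-selfsigned-issuer"),
]
SAMPLE_TLS_SECRETS = {("theiacloud", "monitor-cert-secret")}
SAMPLE_ISSUERS = {"theia-cloud-selfsigned-issuer"}
```
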

CarlosIVI commented 1 year ago

That's what I need, thank you