neuvector / neuvector-helm

HELM chart to install NeuVector container cluster
Apache License 2.0

NeuVector Manager pod error / Web UI unavailable (chart 2.8.0) #442

Open tjmullicani opened 1 month ago

tjmullicani commented 1 month ago

Environment

Platform: Azure AKS
Kubernetes/Platform Version(s): 1.30.3

Describe the bug

The neuvector-manager pod errors and the NeuVector web UI is unavailable.

To Reproduce

Verify Kubernetes worker node is running in FIPS mode.

root [ / ]# cat /proc/sys/crypto/fips_enabled
1

I am using NeuVector helm chart version 2.8.0.

helm repo add neuvector https://neuvector.github.io/neuvector-helm/
helm repo update
helm install \
  -n neuvector \
  --create-namespace \
  --version 2.8.0 \
  neuvector-core \
  neuvector/core

neuvector-manager-pod logs (helm chart version 2.8.0)

Exception in thread "main" java.lang.ExceptionInInitializerError
    at com.neu.web.Rest.main(Rest.scala)
Caused by: java.security.ProviderException: Could not initialize NSS
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:260)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:144)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:141)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:141)
    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:251)
    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:242)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:242)
    at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:222)
    at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
    at java.base/sun.security.jca.ProviderList.getService(ProviderList.java:379)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
    at java.base/java.security.Security.getImpl(Security.java:733)
    at java.base/java.security.MessageDigest.getInstance(MessageDigest.java:178)
    at com.neu.core.Md5$.hash(AuthenticationManager.scala:199)
    at com.neu.web.StaticResources$class.$init$(StaticResources.scala:46)
    at com.neu.web.Rest$.<init>(Rest.scala:6)
    at com.neu.web.Rest$.<clinit>(Rest.scala)
    ... 1 more
Caused by: java.io.IOException: configDir must be a directory: /etc/pki/nssdb
    at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:218)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:255)
    ... 19 more

Expected behavior

The NeuVector web UI should be accessible.

neuvector-manager-pod logs (helm chart version 2.7.9)

2024-09-22 19:15:30,373|INFO |MANAGER|com.neu.web.Rest$(sslContext:31): Import manager's certificate and private key to manager's keystore
2024-09-22 19:15:30,380|INFO |MANAGER|com.neu.web.Rest$(sslContext:65): PKCS#1 private key is being used

Additional context

I believe this is due to my Kubernetes nodes running in FIPS mode (which blocks MD5 algorithm use). Helm chart version 2.7.9 works fine.
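The stack trace above shows the two things that combine to crash the manager at startup: the JVM's provider list includes a SunPKCS11 provider backed by NSS (which insists on /etc/pki/nssdb being a directory), and the very first digest request, MessageDigest.getInstance("MD5") from Md5.hash in StaticResources, is made during static initialisation of Rest, so the ProviderException surfaces as an ExceptionInInitializerError and there is nothing to catch it. The following is an added example, not NeuVector code, that shows how a practitioner can probe a JVM for this condition: it lists the registered providers, asks for MD5 and then a FIPS-approved fallback, and handles both failure modes (NoSuchAlgorithmException when the algorithm is not offered, ProviderException when the provider itself fails to load). The class name DigestProbe, the candidate order and the sample input are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;

/**
 * Added example (not NeuVector code): probe which digest algorithms the JVM's
 * installed security providers can actually supply, and fingerprint static
 * content with the first one that works instead of hard-coding "MD5".
 */
public final class DigestProbe {

    // Preference order (assumption of this example). MD5 is what the manager's
    // Md5.hash asks for; SHA-256 is the FIPS-approved fallback for a
    // non-secret content fingerprint such as an ETag.
    private static final String[] CANDIDATES = {"MD5", "SHA-256"};

    /** Print every registered provider so a FIPS-only provider set is visible. */
    public static void listProviders() {
        for (Provider p : Security.getProviders()) {
            System.out.printf("%-20s %s%n", p.getName(), p.getInfo());
        }
    }

    /**
     * Return a MessageDigest for the first candidate a provider can supply, or
     * null if none can. Both failure modes seen in the issue are handled:
     * NoSuchAlgorithmException when the algorithm is simply not offered, and
     * ProviderException when loading a provider itself fails (the SunPKCS11
     * "Could not initialize NSS" case, which MessageDigest.getInstance
     * propagates unchanged).
     */
    public static MessageDigest firstAvailable() {
        for (String alg : CANDIDATES) {
            try {
                MessageDigest md = MessageDigest.getInstance(alg);
                System.out.println(alg + ": available via " + md.getProvider().getName());
                return md;
            } catch (NoSuchAlgorithmException e) {
                System.out.println(alg + ": not offered by any provider (" + e.getMessage() + ")");
            } catch (ProviderException e) {
                System.out.println(alg + ": provider failed to load (" + e.getMessage() + ")");
            }
        }
        return null;
    }

    /**
     * Hex-encoded fingerprint of content, prefixed with the algorithm that
     * produced it; empty string if no candidate digest is usable.
     */
    public static String fingerprint(byte[] content) {
        MessageDigest md = firstAvailable();
        if (md == null) {
            return "";
        }
        byte[] raw = md.digest(content);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        return md.getAlgorithm() + ":" + hex;
    }

    public static void main(String[] args) {
        listProviders();
        // Constructed sample input standing in for a static web resource.
        byte[] sample = "<html><body>NeuVector manager</body></html>"
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("fingerprint = " + fingerprint(sample));
    }
}
```

On Java 11 or later this can be launched straight from source (`java DigestProbe.java`) inside the manager container image or on the FIPS-mode node, which makes it a quick way to compare the provider list and MD5 availability between an image that works (chart 2.7.9) and one that does not (chart 2.8.0). The point of the fallback is that a fingerprint used only for caching does not need MD5, so a FIPS-restricted provider set should degrade to a logged switch to SHA-256 rather than a crash during class initialisation.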

tjmullicani commented 1 month ago

https://github.com/neuvector/neuvector/issues/1573