redhat-na-ssa / himss_2022_scm_integration

SCM Integration Demo

Deployment of himss_2022_scm_integration on FIPS Enabled Cluster #8

Closed superky13 closed 2 years ago

superky13 commented 2 years ago

Fails when trying to spin up the 'amq-streams-cluster-operator' pod


```
Auto-detected KUBERNETES_SERVICE_DNS_DOMAIN: cluster.local
++ get_gc_opts
++ '[' '' == true ']'
++ echo ''
2022-02-26 00:01:53 INFO Main:60 - ClusterOperator 0.26.0.redhat-00008 is starting
2022-02-26 00:01:53 INFO Main:62 - Cluster Operator configuration is ClusterOperatorConfig(namespaces=[user1-himss2022-scm],reconciliationIntervalMs=120000,operationTimeoutMs=300000,connectBuildTimeoutMs=300000,createClusterRoles=false,networkPolicyGeneration=true,versions=versions{2.8.0={proto: 2.8 msg: 2.8 kafka-image: registry.redhat.io/amq7/amq-streams-kafka-28-rhel8@sha256:88e88a2f98249ee36410271365c4dd793906df03fdbdb996052d8139875a2439 connect-image: registry.redhat.io/amq7/amq-streams-kafka-28-rhel8@sha256:88e88a2f98249ee36410271365c4dd793906df03fdbdb996052d8139875a2439 mirrormaker-image: registry.redhat.io/amq7/amq-streams-kafka-28-rhel8@sha256:88e88a2f98249ee36410271365c4dd793906df03fdbdb996052d8139875a2439 mirrormaker2-image: registry.redhat.io/amq7/amq-streams-kafka-28-rhel8@sha256:88e88a2f98249ee36410271365c4dd793906df03fdbdb996052d8139875a2439}, 3.0.0={proto: 3.0 msg: 3.0 kafka-image: registry.redhat.io/amq7/amq-streams-kafka-30-rhel8@sha256:b540f4bed36eb46d6ccec7827fd99e12eeaae5d3ebc031bdace0d647c130ceb5 connect-image: registry.redhat.io/amq7/amq-streams-kafka-30-rhel8@sha256:b540f4bed36eb46d6ccec7827fd99e12eeaae5d3ebc031bdace0d647c130ceb5 mirrormaker-image: registry.redhat.io/amq7/amq-streams-kafka-30-rhel8@sha256:b540f4bed36eb46d6ccec7827fd99e12eeaae5d3ebc031bdace0d647c130ceb5 mirrormaker2-image: registry.redhat.io/amq7/amq-streams-kafka-30-rhel8@sha256:b540f4bed36eb46d6ccec7827fd99e12eeaae5d3ebc031bdace0d647c130ceb5}},imagePullPolicy=null,imagePullSecrets=null,operatorNamespace=user1-himss2022-scm,operatorNamespaceLabels=null,rbacScope=CLUSTER,customResourceSelector=null,featureGates=FeatureGates(controlPlaneListener=false,ServiceAccountPatching=false))
Exception in thread "main" io.fabric8.kubernetes.client.KubernetesClientException: An error has occurred.
    at io.fabric8.kubernetes.client.KubernetesClientException.launderThrowable(KubernetesClientException.java:103)
    at io.fabric8.kubernetes.client.KubernetesClientException.launderThrowable(KubernetesClientException.java:97)
    at io.fabric8.kubernetes.client.utils.HttpClientUtils.createHttpClient(HttpClientUtils.java:234)
    at io.fabric8.kubernetes.client.utils.HttpClientUtils.createHttpClient(HttpClientUtils.java:66)
    at io.fabric8.kubernetes.client.BaseClient.<init>(BaseClient.java:51)
    at io.fabric8.kubernetes.client.BaseClient.<init>(BaseClient.java:43)
    at io.fabric8.kubernetes.client.BaseKubernetesClient.<init>(BaseKubernetesClient.java:146)
    at io.fabric8.kubernetes.client.DefaultKubernetesClient.<init>(DefaultKubernetesClient.java:32)
    at io.strimzi.operator.cluster.Main.main(Main.java:75)
Caused by: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1049)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetCertificateEntry(P11KeyStore.java:515)
    at java.base/java.security.KeyStore.setCertificateEntry(KeyStore.java:1235)
    at io.fabric8.kubernetes.client.internal.CertUtils.createTrustStore(CertUtils.java:100)
    at io.fabric8.kubernetes.client.internal.CertUtils.createTrustStore(CertUtils.java:74)
    at io.fabric8.kubernetes.client.internal.SSLUtils.trustManagers(SSLUtils.java:115)
    at io.fabric8.kubernetes.client.internal.SSLUtils.trustManagers(SSLUtils.java:94)
    at io.fabric8.kubernetes.client.utils.HttpClientUtils.createHttpClient(HttpClientUtils.java:128)
    ... 6 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$FIPSPKCS11.C_CreateObject(PKCS11.java:1950)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.storeCert(P11KeyStore.java:1567)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1045)
    ... 13 more
```

jkeam commented 2 years ago

Great work by @jbride and @gbengataylor!

The fix involved https://access.redhat.com/solutions/6696711. The exact changes can be viewed in this PR: https://github.com/redhat-naps-da/himss_2022_scm_integration/pull/9

Closing this as I've tested and verified it works.
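
A triage helper for the stack trace reported in this issue, added here as an example and not part of the thread or the project's code: it walks the `Caused by` chain, reports the root cause, and names the first non-JDK frame in the exception that hit the PKCS#11 keystore write. `SAMPLE_LOG` is an excerpt of the posted trace with frames trimmed; the function names and result keys are assumptions of this example.

```python
import re

# Excerpt of the trace posted in this issue, frames trimmed (constructed sample).
SAMPLE_LOG = '''\
Exception in thread "main" io.fabric8.kubernetes.client.KubernetesClientException: An error has occurred.
    at io.fabric8.kubernetes.client.utils.HttpClientUtils.createHttpClient(HttpClientUtils.java:234)
Caused by: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetCertificateEntry(P11KeyStore.java:515)
    at java.base/java.security.KeyStore.setCertificateEntry(KeyStore.java:1235)
    at io.fabric8.kubernetes.client.internal.CertUtils.createTrustStore(CertUtils.java:100)
    ... 6 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$FIPSPKCS11.C_CreateObject(PKCS11.java:1950)
'''

HEAD = re.compile(r'^(?:Exception in thread "[^"]*" |Caused by: )([\w.$]+)(?:: (.*))?$')
FRAME = re.compile(r'^\s+at (?:[\w.]+/)?([\w.$<>]+)\(')  # optional "module/" prefix
JDK_PREFIXES = ("java.", "javax.", "jdk.", "sun.")

def parse_cause_chain(log):
    """Return [{'type', 'message', 'frames'}], outermost exception first."""
    chain = []
    for line in log.splitlines():
        head, frame = HEAD.match(line), FRAME.match(line)
        if head:
            chain.append({"type": head.group(1), "message": head.group(2) or "", "frames": []})
        elif frame and chain:
            chain[-1]["frames"].append(frame.group(1))
    return chain

def triage(log):
    """Recognise a keystore write rejected by a read-only PKCS#11 token."""
    chain = parse_cause_chain(log)
    if not chain:
        return None
    root, caller = chain[-1], None
    for exc in chain:
        if any(".P11KeyStore.engineSet" in f for f in exc["frames"]):
            caller = next((f for f in exc["frames"] if not f.startswith(JDK_PREFIXES)), None)
            break
    return {
        "root_cause": f'{root["type"]}: {root["message"]}',
        "read_only_token": root["message"] == "CKR_SESSION_READ_ONLY",
        "fips_wrapper": any("$FIPSPKCS11" in f for e in chain for f in e["frames"]),
        "keystore_writer": caller,  # first non-JDK frame in the exception that hit P11KeyStore
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```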