Network error after deploying TheIA Cloud on-premise
Closed this issue · 4 comments
Describe the bug
Hello,
I'm currently using EC2 Instances to emulate a Bare-Metal Installation of K8S with TheIA-Cloud on top.
What I have done:
- Install K8S in a two-machine cluster (Ubuntu 20.04)
- Use Flannel as CNI, Docker as CRI
- Install Cert-manager, metric-server and nginx-ingress controller
- TheIA cloud with helm
If you are interested in this, you can find the whole process documented at the following link (for now, I just have the bootstrap cluster process; I'll update this shortly): https://github.com/TrustworthyComputing/theia-T2
After deploying Theia Cloud with Helm and setting up my /etc/host to reach the default domain name, when I try to connect to the landing page (https://theia.cloud.192.168.39.173.nip.io) I'm getting the TheIA logo and two messages:
Please wait until we get your Theia session ready...
1 second later it displays:
Error: network error
Expected behavior
I'm expecting to get a session and be able to reach TheIA-IDE.
Cluster provider
On-premise (Ubuntu 20.04)
Version
No response
Additional information
No response
Hi, could you please check whether a session object gets created?
```
kubectl -n theiacloud get sessions --watch
```
(you might have to adjust the namespace)
If no session is created at all, I think the post call sent from the landing page to the rest service fails (this might then be the network error).
You can check the network calls the landing page makes using your browser's debugging tools.
Usually the ping endpoint should look similar to this. You may check if this is reachable from your browser.
https://service.192.168.59.169.nip.io/service/ping
or
https://192.168.59.170.nip.io/servicex/service/ping
Hello, thanks for the quick answer
I have some findings:
There are no sessions. After trying to reach both services via browser, I'm getting a connection timeout.
On the browser console I'm seeing:
Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID. https://service.192.168.39.173.nip.io/service
I'm not sure if this is directly related to Ingress-nginx or TheIA-Cloud itself. In /doc/docs/Install.md there is a section that refers to Global Certificates, but it talks about using TheIA cloud with "/".
I'm not sure if TheIA cloud uses Cert-manager to auto-provision its certs and put them on its ingresses. If that's the case, I would like to know how I can sign those to avoid this error.
Details of the certificate that is being used:
Issued by and Issued to:
Common Name (CN): Kubernetes Ingress Controller Fake Certificate
Organization (O): Acme Co
Organizational Unit (OU):
Update:
I already looked into the ingresses and found out that they are using k8s secrets that have not been created:
Ingress landing-page:
```yaml
tls:
- hosts:
  - theia.cloud.192.168.39.173.nip.io
  secretName: landing-page-cert-secret
```
There are no Issuers (Cert-manager resource), but there is one ClusterIssuer that apparently is not working to add the missing TLS secrets.
Cluster Issuer:
```
NAME                            READY   AGE
theia-cloud-selfsigned-issuer   True    13h
```
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    meta.helm.sh/release-name: theia-cloud-base
    meta.helm.sh/release-namespace: default
  creationTimestamp: "2023-07-25T06:08:46Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: theia-cloud-selfsigned-issuer
  resourceVersion: "7381"
  uid: c56497f0-d6fb-4b58-96d7-dee0f4ceb61b
spec:
  selfSigned: {}
status:
  conditions:
  - lastTransitionTime: "2023-07-25T06:08:46Z"
    observedGeneration: 1
    reason: IsReady
    status: "True"
    type: Ready
```
Our theia-cloud-base helm chart should ship with two ClusterIssuers:
https://github.com/eclipsesource/theia-cloud-helm/blob/main/charts/theia.cloud-base/templates/clusterissuer-selfsigned.yaml (self-signed for development; needs to be manually accepted in the browser to gain trust)
https://github.com/eclipsesource/theia-cloud-helm/blob/main/charts/theia.cloud-base/templates/clusterissuer-production.yaml (Let's Encrypt)
However, you may also add your own:
https://cert-manager.io/docs/configuration/
https://cert-manager.io/docs/concepts/issuer/
https://systemweakness.com/create-internal-ssl-certificates-with-cert-manager-851fc886628e
You can then specify the name of the cluster issuer to use via this helm value:
https://github.com/eclipsesource/theia-cloud-helm/blob/1ad6bd6982bb3e327b88a0d2b10966b553d1f0c9/charts/theia.cloud/values.yaml#L208
Basically this name will be written in the ingress as an annotation:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
```
Could you check if this is set on your service ingress and which value it has?
Besides that you can have a look at this: https://cert-manager.io/docs/troubleshooting/
and check the related kubernetes cert-manager resources for any hints:
```
kubectl -n theiacloud get certificates
kubectl -n theiacloud get certificaterequest
kubectl -n theiacloud get orders
```
...
That's what I need, thank you
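The checks discussed in this thread (does each ingress TLS secret exist, and does the ingress carry a `cert-manager.io/cluster-issuer` annotation naming an existing ClusterIssuer) can be run in one pass. This is an added example, not part of the original thread or of Theia Cloud; it assumes a single namespace and input shaped like `kubectl get ingress -o json`, and the sample data, the `audit_ingress_tls` name, and the `service`/`instances` ingress and secret names are constructed.

```python
ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"

def audit_ingress_tls(ingress_list, secret_names, cluster_issuers):
    """Return (ingress, problem) tuples for TLS entries whose secret is missing.

    When the referenced secret does not exist, ingress-nginx serves its default
    "Kubernetes Ingress Controller Fake Certificate", which browsers reject.
    """
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        issuer = (meta.get("annotations") or {}).get(ISSUER_ANNOTATION)
        for tls in item.get("spec", {}).get("tls") or []:
            secret = tls.get("secretName")
            if secret in secret_names:
                continue  # secret exists, so the ingress has a certificate to serve
            if issuer is None:
                why = f"no {ISSUER_ANNOTATION} annotation, nothing will issue it"
            elif issuer not in cluster_issuers:
                why = f"annotation names ClusterIssuer {issuer}, which does not exist"
            else:
                why = f"issuer {issuer} exists, inspect Certificate/CertificateRequest"
            findings.append((name, f"secret {secret} missing: {why}"))
    return findings

def ingress(name, host, secret, issuer=None):
    """Build a minimal Ingress object (constructed sample data, not real output)."""
    meta = {"name": name}
    if issuer:
        meta["annotations"] = {ISSUER_ANNOTATION: issuer}
    return {"metadata": meta,
            "spec": {"tls": [{"hosts": [host], "secretName": secret}]}}

# Constructed sample mirroring the situation reported in the thread.
SAMPLE = {"items": [
    ingress("landing-page", "theia.cloud.192.168.39.173.nip.io",
            "landing-page-cert-secret"),
    ingress("service", "service.192.168.39.173.nip.io",
            "service-cert-secret", issuer="letsencrypt-prod"),
    ingress("instances", "instances.192.168.39.173.nip.io",
            "instances-cert-secret", issuer="theia-cloud-selfsigned-issuer"),
]}
EXISTING_SECRETS = {"instances-cert-secret"}
EXISTING_ISSUERS = {"theia-cloud-selfsigned-issuer"}

if __name__ == "__main__":
    for name, problem in audit_ingress_tls(SAMPLE, EXISTING_SECRETS, EXISTING_ISSUERS):
        print(f"{name}: {problem}")
```

On a live cluster, pass `json.load()` of the `kubectl -n <namespace> get ingress -o json` output together with the names returned by `kubectl get secrets` and `kubectl get clusterissuers`.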