Getting error "src" is null when browsing tree #726
Comments
|
copied over from #717 (comment)
|
|
copied over from #717 (comment)
|
|
@deejonz: would it be possible for you to provide a redacted version of your configs in kube config so that we can try to reproduce this? It looks as if there's a problem with the OIDC authentication. The bug occurrs when the client library tries to refresh the token. We'd love to try to replicate this 😃 |
|
@adietish sure, this is my config file, I hope this is what you were looking for: |
|
@deejonz thanks for that snippet. According to @rohanKanojia this is related to your local certificates. Here's his question to you:
|
|
sorry but I don't know how this is configured in the organization. |
|
@deejonz I think that @rohanKanojia is talking about the certificates that you have locally. I think that he's guessing from the stacktrace that the certificates is null and he is thus wondering if you can confirm/refute that the local certificates are all ok. If those weren't you should fail to talk to the cluster using |
|
if I do |
|
@deejonz : Could you please open an issue on Fabric8 Kubernetes Client (with the ~/.kube/config and location of certificate file) |
|
I'm doing the issue |
|
@deejonz : I see that your certificate file is a relative path |
|
@deejonz, @rohanKanojia: I created fabric8io/kubernetes-client#5817 |
|
If confirmed that fabric8io/kubernetes-client#4960 was the same problem then the fix would be as simple as upgrading our client-library 6.4.0 to >= 6.5.1, crossing fingers 😃 |
|
@deejonz I could try to make a binary build for you that you can test if you'd agree? Would take a bit longer though because of API breakages this bump may imply. |
|
sure @adietish, I can test that np. |
|
@deejonz : Is it possible for you to run this reproducer project on your machine? In fabric8io/kubernetes-client#4960 we default to Could you please run |
|
|
probably you needed this: |
|
@deejonz : oh, I see in your case I think we should update OpenIDConnectionUtils to consider both |
|
@deejonz : I have created a PR that might fix this issue. Is it possible for you to try it out and confirm if you still get NPE?
<fabric8.version>6.11-SNAPSHOT</fabric8.version>
|
|
|
@deejonz : Okay, so we're getting past NPE. I wasn't encoding the read cert file contents, this seems to throw exception when pemString is decoded later. I've pushed an update to my branch. Is it possible for you to give it a try again 🙏 ? |
|
sure, there you go: |
|
@deejonz : Hmm, now we don't seem to get any exception but maybe token isn't getting refreshed 🤔 . Not sure whether it's due to some misconfiguration from our side or we still need to update something in KubernetesClient. Load the reproducer project in IntelliJ as a maven project. Is it possible for you to set a breakpoint in OpenIDConnectionUtils#resolveOIDCTokenFromAuthConfig and observe what's happening? |
|
@deejonz: I "kinda" can replicate it. I have an EKS cluster with keycloak OIDC (@sabre1041 set it up for me, kudos!). I created some deployment, fiddled around an had all the tree items erroring after a few minuntes: java.lang.NullPointerException
at java.base/java.util.Base64$Decoder.decode(Base64.java:561)
at io.fabric8.kubernetes.client.utils.OpenIDConnectionUtils.getDefaultHttpClientWithPemCert(OpenIDConnectionUtils.java:292)
at io.fabric8.kubernetes.client.utils.OpenIDConnectionUtils.getOIDCProviderTokenEndpointAndRefreshToken(OpenIDConnectionUtils.java:330)
at io.fabric8.kubernetes.client.utils.OpenIDConnectionUtils.resolveOIDCTokenFromAuthConfig(OpenIDConnectionUtils.java:86)
at io.fabric8.kubernetes.client.utils.TokenRefreshInterceptor.extractNewAccessTokenFrom(TokenRefreshInterceptor.java:83)
at io.fabric8.kubernetes.client.utils.TokenRefreshInterceptor.refreshToken(TokenRefreshInterceptor.java:76)
at io.fabric8.kubernetes.client.utils.TokenRefreshInterceptor.before(TokenRefreshInterceptor.java:58)
at io.fabric8.kubernetes.client.http.StandardHttpClient.consumeBytes(StandardHttpClient.java:65)
at io.fabric8.kubernetes.client.http.SendAsyncUtils.bytes(SendAsyncUtils.java:51)
at io.fabric8.kubernetes.client.http.HttpResponse$SupportedResponses.sendAsync(HttpResponse.java:105)
at io.fabric8.kubernetes.client.http.StandardHttpClient.sendAsync(StandardHttpClient.java:52)
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.retryWithExponentialBackoff(OperationSupport.java:604)
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.handleResponse(OperationSupport.java:581)
at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.submitList(BaseOperation.java:414)
at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:427)
at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:392)
at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:93)
at com.redhat.devtools.intellij.kubernetes.model.resource.NamespacedResourceOperator.loadAllResources(NamespacedResourceOperator.kt:68)
at com.redhat.devtools.intellij.kubernetes.model.resource.NamespacedResourceOperator.getAllResources(NamespacedResourceOperator.kt:54)
at com.redhat.devtools.intellij.kubernetes.model.resource.NamespacedResourceOperator.getAllResources(NamespacedResourceOperator.kt:36)
at com.redhat.devtools.intellij.kubernetes.model.context.ActiveContext.getAllResources(ActiveContext.kt:148)
at com.redhat.devtools.intellij.kubernetes.model.ResourceModel.getAllResources(ResourceModel.kt:122)
at com.redhat.devtools.intellij.kubernetes.model.ResourceModel.getAllResources$default(ResourceModel.kt:121)
at com.redhat.devtools.intellij.kubernetes.model.FilterableResources.list(ResourceModelQuery.kt:63)
at com.redhat.devtools.intellij.kubernetes.tree.KubernetesStructure$createWorkloadElements$14$3.invoke(KubernetesStructure.kt:307)
at com.redhat.devtools.intellij.kubernetes.tree.KubernetesStructure$createWorkloadElements$14$3.invoke(KubernetesStructure.kt:304)
at com.redhat.devtools.intellij.kubernetes.tree.AbstractTreeStructureContribution$ElementNode.getChildElements(AbstractTreeStructureContribution.kt:97)
at com.redhat.devtools.intellij.kubernetes.tree.AbstractTreeStructureContribution.getChildElements(AbstractTreeStructureContribution.kt:28)
at com.redhat.devtools.intellij.kubernetes.tree.TreeStructure.getChildElements(TreeStructure.kt:71)
at com.redhat.devtools.intellij.kubernetes.tree.TreeStructure.getChildElements(TreeStructure.kt:64)
at com.intellij.ui.tree.StructureTreeModel.getValidChildren(StructureTreeModel.java:383)
at com.intellij.ui.tree.StructureTreeModel.validateChildren(StructureTreeModel.java:299)
at com.intellij.ui.tree.StructureTreeModel.getNode(StructureTreeModel.java:293)
at com.intellij.ui.tree.StructureTreeModel.getChildren(StructureTreeModel.java:313)
at com.intellij.ui.tree.AsyncTreeModel$CmdGetChildren.getNode(AsyncTreeModel.java:545)
at com.intellij.ui.tree.AsyncTreeModel$Command.get(AsyncTreeModel.java:440)
at com.intellij.ui.tree.AsyncTreeModel$Command.get(AsyncTreeModel.java:406)
at com.intellij.util.concurrency.Invoker$Task.run(Invoker.java:314)
at com.intellij.openapi.progress.impl.CoreProgressManager.lambda$runProcess$2(CoreProgressManager.java:189)
at com.intellij.openapi.progress.impl.CoreProgressManager.lambda$executeProcessUnderProgress$12(CoreProgressManager.java:608)
at com.intellij.openapi.progress.impl.CoreProgressManager.registerIndicatorAndRun(CoreProgressManager.java:683)
at com.intellij.openapi.progress.impl.CoreProgressManager.computeUnderProgress(CoreProgressManager.java:639)
at com.intellij.openapi.progress.impl.CoreProgressManager.executeProcessUnderProgress(CoreProgressManager.java:607)
at com.intellij.openapi.progress.impl.ProgressManagerImpl.executeProcessUnderProgress(ProgressManagerImpl.java:60)
at com.intellij.openapi.progress.impl.CoreProgressManager.runProcess(CoreProgressManager.java:176)
at com.intellij.util.concurrency.Invoker.invokeSafely(Invoker.java:201)
at com.intellij.util.concurrency.Invoker.lambda$offerSafely$0(Invoker.java:181)
at com.intellij.util.concurrency.Invoker$Background.lambda$offer$0(Invoker.java:481)
at com.intellij.util.concurrency.BoundedTaskExecutor.doRun(BoundedTaskExecutor.java:241)
at com.intellij.util.concurrency.BoundedTaskExecutor.access$200(BoundedTaskExecutor.java:31)
at com.intellij.util.concurrency.BoundedTaskExecutor$1.execute(BoundedTaskExecutor.java:214)
at com.intellij.util.ConcurrencyUtil.runUnderThreadName(ConcurrencyUtil.java:212)
at com.intellij.util.concurrency.BoundedTaskExecutor$1.run(BoundedTaskExecutor.java:203)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1$1.run(Executors.java:668)
at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1$1.run(Executors.java:665)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1.run(Executors.java:665)
at java.base/java.lang.Thread.run(Thread.java:829)I'll now try with the updated client that i should build manually. |
|
@deejonz: Using the fixed client mentioned in #726 (comment) I dont face the issue any more. What about me making you a binary build of the plugin and kindly asking you to test it? ps. I found other non-related issues though. Refresh causes the plugin to break. Changing the current namespace also breaks it. Will file those. |
|
sure np I can do it, but after tuesday. Thanks for your effort. |
|
@deejonz awesomeness. Thanks for reporting and testing, highly appreciated. |
|
for my own documentation, here's how to set up the whole thing:
curl \
-d "grant_type=password" \
-d "scope=openid" \
-d "client_id=kubernetes" \
-d "client_secret=<shared secret> \
-d "username=<myuser>" \
-d "password=<mypassword>" \
https://<keycloak-host>/auth/realms/eks/protocol/openid-connect/token | jq .you get the following output: {
"access_token": "eyJhbGciOiJSUzI1...0zojav4wbx3gg",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAi...P2W0Gy6VTiQHD1fLRJSDDmHm0",
"token_type": "Bearer",
"id_token": "eyJhbGciOiJSUzI1NiIsInR5...DxDnqo31mVmmBMhn11w",
"not-before-policy": 0,
"session_state": "44d1f4...bb3ffaa7",
"scope": "openid email profile"
}
kubectl config set-credentials eks \
"--auth-provider=oidc" \
"--auth-provider-arg=idp-issuer-url=https://<keycloak-host>/auth/realms/eks" \
"--auth-provider-arg=client-id=kubernetes" \
"--auth-provider-arg=client-secret=<same shared-secret>" \
"--auth-provider-arg=refresh-token=<refresh-token>" \
"--auth-provider-arg=id-token=<id-token>" |
|
Good morning @adietish can I have the binary build to try? |
|
Hi @deejonz, sure, sorry for being late. Here it is: https://drive.google.com/file/d/190iiADA7SEmbchyXq2PihYEAc_wVy1ZC/view?usp=sharing ps. you'd have to uninstall the other custom build with the same version first. I now have a EKS cluster with external OIDC authentication. Still, I'm not using the AWS OIDC service but keycloack running on our infrastructure. It is close, not identical. Crossing fingers it's close enough. |
|
it looks much better now 👍 |
|
Good morning @adietish same problem this morning with updated plugin: and after clicking refresh: then I've restarted intellij and I've got this: |
|
@deejonz : I'm not sure whether somehow IntelliJ is reverting to stable build of plugin or whether it's actually a problem in KubernetesClient. Is it possible for you to run the BasicPodListTest in the reproducer project I had shared tomorrow morning when your token expires fabric8io/kubernetes-client#5817 (comment)? |
|
the plugin version is still 6.11-SNAPSHOT in the plugin folder.. |
|
@deejonz: @rohanKanojia could replicate it with the binary build while showing that the client library by itself didnt have the issue. I'm digging into it to see what is happensing here |
|
@adietish hello, same issue this morning, so I run the unit test and it passed. After that the plugin automatically refreshed and it started to work so no need to restart intellij to make it working. |
|
@deejonz : When you ran the test, KubernetesClient refreshed the token and persisted it in kubeconfig. Plugin picked up that updated token and started working. |
|
Hi @deejonz, |
|
Hi @adietish sure I will test it, thanks for the update. |
|
For my own documentation, our code was preventing the OIDC token from being refreshed: In https://github.com/fabric8io/kubernetes-client/blob/a400d760fc966f660cd687d8d773dc1be04bbb85/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/utils/TokenRefreshInterceptor.java#L138 a refresh of the token is only attempted if the kube config has an OIDC auth provider. protected boolean useRemoteRefresh(Config newestConfig) {
// TODO: in a hard failure scenario, should we skip the expired check
return isAuthProviderOidc(newestConfig) && OpenIDConnectionUtils.idTokenExpired(newestConfig);
} private static boolean isAuthProviderOidc(Config newestConfig) {
return newestConfig.getAuthProvider() != null && newestConfig.getAuthProvider().getName().equalsIgnoreCase("oidc");
}Our code was erroneously thinking that the cluster was an OpenShift cluster. The config in the OpenShift client hides the auth provider (that exists in the Kubernetes client) and thus prevents tokens from being refreshed. Correcting redhat-developer/intellij-common#216 therefore causes tokens to be refreshed if the kube config is configured with an OIDC auth provider. |
|
Good, this morning it is working fine! Thanks for the fix! |
|
@deejonz wohoo, great news. Very happy that all this work came to fruition 🕺 Thanks a lot for all the testing! |
|
The PR for this can be reviewed and merged once we have a new release of kubernetes-client. fabric8/kubernetes-client is planning one for very soon. Once merged we'll release a 1.3 of our plugin. |
|
fixed by #713. Closing. |
I get the following stacktrace when browsing the kubernates tree in many places, I can see the pods item well BTW:
The text was updated successfully, but these errors were encountered: