[jira] [Work logged] (ARTEMIS-5219) The KubernetesClientImpl doesn't load all the certificates from OpenShift correctly leading to tls issues while requesting a token review

ASF GitHub Bot (Jira) Thu, 19 Dec 2024 00:21:26 -0800


     [ 
https://issues.apache.org/jira/browse/ARTEMIS-5219?focusedWorklogId=949111&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-949111
 ]


ASF GitHub Bot logged work on ARTEMIS-5219:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Dec/24 08:19
            Start Date: 19/Dec/24 08:19
    Worklog Time Spent: 10m 
      Work Description: lavocatt commented on code in PR #5407:
URL: https://github.com/apache/activemq-artemis/pull/5407#discussion_r1891328526


##########
artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/TokenReview.java:
##########
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.activemq.artemis.cli.commands;
+
+import 
org.apache.activemq.artemis.spi.core.security.jaas.kubernetes.client.KubernetesClient;
+import 
org.apache.activemq.artemis.spi.core.security.jaas.kubernetes.client.KubernetesClientImpl;
+import picocli.CommandLine;
+
[email protected](name = "token-review", description = "Perform a 
kubernetes token review")
+public class TokenReview extends InputAbstract {
+
+   @CommandLine.Option(names = "--kube-host", description = "hostname for 
kubernetes api server")
+   protected String host;
+
+   @CommandLine.Option(names = "--kube-port", description = "port for 
kubernetes api server")
+   protected String port;
+
+   @CommandLine.Option(names = "--token-path", description = "path to the 
token to access the kubernetes api server with access to token reviews")
+   protected String tokenPath;
+
+   @CommandLine.Option(names = "--ca-path", description = "path to the 
kubernetes api server trusted CAs")
+   protected String caPath;
+
+   @CommandLine.Option(names = "--token", description = "token to review")
+   protected String token;
+
+   @Override
+   public Object execute(ActionContext context) throws Exception {
+      super.execute(context);
+
+      context.out.println();
+      if (host == null) {
+         host = input("--kube-host", "What is the cluster host?", 
System.getProperty(KubernetesClientImpl.KUBERNETES_HOST));
+      }
+      if (port == null) {
+         port = input("--kube-port", "What is the cluster port?", 
System.getProperty(KubernetesClientImpl.KUBERNETES_PORT));
+      }
+      if (tokenPath == null) {
+         tokenPath = input("--token-path", "What is the token path?", 
System.getProperty(KubernetesClientImpl.KUBERNETES_TOKEN_PATH));
+      }
+      if (caPath == null) {
+         caPath = input("--ca-path", "What is the ca path?", 
System.getProperty(KubernetesClientImpl.KUBERNETES_CA_PATH));
+      }
+      if (token == null) {
+         token = input("--token", "What is the token?", "");
+      }

Review Comment:
   > I actually only meant ask for the token by input if not specified via 
option. The rest all have defaults right? How likely is it someone will 
actually be changing the value, i.e should they have to manually 
provide/confirm all of them if not set by option, or are those underlying 
defaults likely to be used and so be useful here if not specified?
   
   It had value for debugging, since we could also tap into another 
endpoint/port combo. But yea, getting the default value for the parameter makes 
sense. I'll be in favor of letting the user able to override the value if 
needed but only require the token as you suggest.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 949111)
    Time Spent: 2h  (was: 1h 50m)

> The KubernetesClientImpl doesn't load all the certificates from OpenShift 
> correctly leading to tls issues while requesting a token review
> -----------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-5219
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5219
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: JAAS
>            Reporter: Thomas Lavocat
>            Assignee: Thomas Lavocat
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 2h
>  Remaining Estimate: 0h
>
> Requesting a token review from within a pod in OpenShift is throwing a TLS 
> error (see the exception below).
> The fix consists in loading all cert certificates from the `ca.crt` file 
> OpenShift is providing instead of only one of cert available certs from the 
> file.
> {quote}oad of: 
> PropsFile=/amq/extra/secrets/custom-jaas-config/k8s-roles.properties loaded 
> roles: {kubeadmin=[admin]} Loading client authentication token from 
> /var/run/secrets/kubernetes.io/serviceaccount/token Loaded client 
> authentication token from /var/run/secrets/kubernetes.io/serviceaccount/token 
> Submit TokenReview request to Kubernetes API Unable to request ReviewToken 
> javax.net.ssl.SSLHandshakeException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target at 
> java.net.http/jdk.internal.net.http.HttpClientImpl.send(HttpClientImpl.java:579)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.HttpClientFacade.send(HttpClientFacade.java:123)
>  ~[?:?] at 
> org.apache.activemq.artemis.spi.core.security.jaas.kubernetes.client.KubernetesClientImpl.getTokenReview(KubernetesClientImpl.java:117)
>  ~[artemis-server-2.38.0.jar:2.38.0] at 
> org.apache.activemq.artemis.spi.core.security.jaas.KubernetesLoginModule.login(KubernetesLoginModule.java:102)
>  ~[artemis-server-2.38.0.jar:2.38.0] at 
> java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
>  ~[?:?] at 
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679) 
> ~[?:?] at 
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677) 
> ~[?:?] at 
> java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
>  [?:?] at 
> java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
>  [?:?] at 
> java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587) 
> [?:?] at io.hawt.system.JaasAuthenticator.login(JaasAuthenticator.java:108) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> io.hawt.system.JaasAuthenticator.doAuthenticate(JaasAuthenticator.java:82) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> io.hawt.system.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:72)
>  [hawtio-system-2.17.7.jar:2.17.7] at 
> io.hawt.system.AuthenticationManager.authenticate(AuthenticationManager.java:43)
>  [hawtio-system-2.17.7.jar:2.17.7] at 
> io.hawt.web.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:79) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:46) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:46) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:46) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:46) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:46) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:46) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:46) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:46) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:46) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> io.hawt.web.auth.SessionExpiryFilter.process(SessionExpiryFilter.java:107) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> io.hawt.web.auth.SessionExpiryFilter.doFilter(SessionExpiryFilter.java:60) 
> [hawtio-system-2.17.7.jar:2.17.7] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:210) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.apache.activemq.artemis.component.JolokiaFilter.doFilter(JolokiaFilter.java:50)
>  [artemis-web-2.38.0.jar:2.38.0] at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
>  [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131) 
> [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:598) 
> [jetty-security-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) 
> [jetty-servlet-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) 
> [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:51) 
> [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.Server.handle(Server.java:563) 
> [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
>  [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753) 
> [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501) 
> [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287) 
> [jetty-server-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
>  [jetty-io-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) 
> [jetty-io-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
>  [jetty-io-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
>  [jetty-util-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
>  [jetty-util-10.0.24.jar:10.0.24] at 
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
>  [jetty-util-10.0.24.jar:10.0.24] at 
> java.base/java.lang.Thread.run(Thread.java:840) [?:?] Caused by: 
> javax.net.ssl.SSLHandshakeException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target at 
> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?] at 
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383) 
> ~[?:?] at 
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) 
> ~[?:?] at 
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321) 
> ~[?:?] at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1351)
>  ~[?:?] at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
>  ~[?:?] at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?] 
> at 
> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
>  ~[?:?] at 
> java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
>  [?:?] at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
>  ~[?:?] at java.base/java.util.ArrayList.forEach(ArrayList.java:1511) ~[?:?] 
> at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(SSLFlowDelegate.java:1132)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:158)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(SSLFlowDelegate.java:1127)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(SSLFlowDelegate.java:1093)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(SSLFlowDelegate.java:498)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(SSLFlowDelegate.java:282)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$LockingRestartableTask.run(SequentialScheduler.java:205)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:149)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$TryEndDeferredCompleter.complete(SequentialScheduler.java:347)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:151)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(SequentialScheduler.java:230)
>  ~[?:?] at 
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>  ~[?:?] at 
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>  ~[?:?] ... 1 more Caused by: sun.security.validator.ValidatorException: PKIX 
> path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target at 
> java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
>  ~[?:?] at 
> java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
>  ~[?:?] at 
> java.base/sun.security.validator.Validator.validate(Validator.java:264) 
> ~[?:?] at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
>  ~[?:?] at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
>  ~[?:?] at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
>  ~[?:?] at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
>  ~[?:?] at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?] 
> at 
> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
>  ~[?:?] at 
> java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
>  ~[?:?] at java.base/java.util.ArrayList.forEach(ArrayList.java:1511) ~[?:?] 
> at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(SSLFlowDelegate.java:1132)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:158)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(SSLFlowDelegate.java:1127)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(SSLFlowDelegate.java:1093)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(SSLFlowDelegate.java:498)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(SSLFlowDelegate.java:282)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$LockingRestartableTask.run(SequentialScheduler.java:205)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:149)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$TryEndDeferredCompleter.complete(SequentialScheduler.java:347)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:151)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(SequentialScheduler.java:230)
>  ~[?:?] at 
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>  ~[?:?] at 
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>  ~[?:?] ... 1 more Caused by: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target at 
> java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
>  ~[?:?] at 
> java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
>  ~[?:?] at 
> java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) 
> ~[?:?] at 
> java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
>  ~[?:?] at 
> java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
>  ~[?:?] at 
> java.base/sun.security.validator.Validator.validate(Validator.java:264) 
> ~[?:?] at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
>  ~[?:?] at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
>  ~[?:?] at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
>  ~[?:?] at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
>  ~[?:?] at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?] 
> at 
> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
>  ~[?:?] at 
> java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
>  ~[?:?] at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
>  ~[?:?] at java.base/java.util.ArrayList.forEach(ArrayList.java:1511) ~[?:?] 
> at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(SSLFlowDelegate.java:1132)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:158)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(SSLFlowDelegate.java:1127)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(SSLFlowDelegate.java:1093)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(SSLFlowDelegate.java:498)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(SSLFlowDelegate.java:282)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$LockingRestartableTask.run(SequentialScheduler.java:205)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:149)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$TryEndDeferredCompleter.complete(SequentialScheduler.java:347)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:151)
>  ~[?:?] at 
> java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(SequentialScheduler.java:230)
>  ~[?:?] at 
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>  ~[?:?] at 
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>  ~[?:?] ... 1 more{quote}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact

[jira] [Work logged] (ARTEMIS-5219) The KubernetesClientImpl doesn't load all the certificates from OpenShift correctly leading to tls issues while requesting a token review

Reply via email to