Connecting on DG 8 CLI inside OCP 4 pod/terminal
Environment
- Red Hat OpenShift Container Platform (OCP)
- 4.x
- Red Hat Data Grid (RHDG)
- 8.x
Issue
- How to connect to DG 8 (operator) inside OCP 4 pod?
- IllegalStateException: No SSL TrustStore configuration on DG 8 OCP terminal connection
Resolution
This solution explains how to connect via $RHDG/bin/cli.sh inside the pod terminal, accessed through oc rsh or the pod's console terminal.
The solution is relevant for cache creation or any other CLI command, for example the DG 8 server report.
About credentials on DG 8 Operator
See about credentials here: DG 8 Operator Guide - Retrieving credentials
Process of connection
Note that if you have security disabled, you can connect directly (see the spec.security settings under Root Cause below):
- Get the pods:
```
$ oc get pod
NAME                                                      READY   STATUS    RESTARTS   AGE
dg-cluster-lon-0                                          1/1     Running   0          88m
dg-cluster-lon-config-listener-67565c6779-6l56f           1/1     Running   0          88m
dg-cluster-lon-router-77d8c45b59-qc8fh                    1/1     Running   0          89m
infinispan-operator-controller-manager-6bf99bc45b-pkn9r   1/1     Running   0          89m
```
- Connect on the pod:
```
$ oc rsh dg-cluster-lon-0
```
- Connect on cli.sh:
```
sh-4.4$ cd /opt/infinispan/bin/
sh-4.4$ ./cli.sh -c -
[dg-cluster-lon-0-6446@//containers/default]>
```
- Execute a command; the example below is the server report:
```
[dg-cluster-lon-0-6446@//containers/default]> server report
Downloaded file 'red-hat-data-grid-dg-cluster-lon-0-6446-20220810031034-report.tar.gz'
```
Issues
What user to use on the cli connection
Scenario 1 - Given a cluster with the following properties (user verification disabled):
```
security:
  endpointAuthentication: false
  endpointEncryption:
    type: None
```
No user is needed; the connection is automatic.
Scenario 2 - The cluster has verification enabled
Use localhost or the route, then use the credentials to log in.
IllegalStateException: No SSL TrustStore configuration
If the problem is IllegalStateException: No SSL TrustStore configuration as below, there is no TLS set on the configuration and the CLI is telling the user not to use https:
```
./cli.sh -c https://localhost:11222/
IllegalStateException: No SSL TrustStore configuration
```
To solve this, make an http connection instead:
```
sh-4.4$ ./cli.sh -c http://localhost:11222/
[dg-cluster-8718-0-49719@//containers/default]>
```
Or solve it in two steps: start cli.sh, then connect with http://$IP:$PORT (given inside the pod):
```
sh-4.4$ ./cli.sh
[disconnected]> connect http://localhost:11222/
[dg-cluster-8718-0-49719@//containers/default]>
```
Exception: Input not an X.509 certificate
Creation of the truststore.jks file from tls.crt fails with Exception: Input not an X.509 certificate:
```
keytool -importcert -keystore truststore.jks -alias server -file tls.crt
Enter keystore password:
Re-enter new password:
keytool error: java.lang.Exception: Input not an X.509 certificate
```
Verify that the tls.crt file is from the Infinispan cluster and not from the operator.
TLS connection
For TLS/SSL connection details, including --trustall, see the solution Connect to Data Grid 8 using CLI generates Exception when enables SSL. Note: --trustall is an option of the ./cli.sh script, so it must be passed on the same line, for example: ./cli.sh -c https://$IP:$PORT --trustall. Keep in mind that --trustall makes the CLI accept any server certificate without a truststore, so it is suited to troubleshooting inside the pod rather than to a configured truststore.jks.
Localhost connection
One can connect via localhost as above when using DG Operator 8.3.x; otherwise it might be necessary to expose a service:
- oc get service
- oc expose svc/$service
- oc get route
- use the route to connect (use the route as $IP in connect http://$IP:$PORT/)
Options for connection
The options are the following, given the user is already in $RHDG/bin:
| Command | What it does |
|---|---|
| /opt/infinispan/bin/cli.sh -c http://127.0.0.1:11222 | http connect to localhost (127.0.0.1) port 11222 |
| /opt/infinispan/bin/cli.sh -c https://127.0.0.1:11222 --trustall | https connect to localhost (127.0.0.1) port 11222 with trustall |
| /opt/infinispan/bin/cli.sh -c http://localhost:11222 | http connect to localhost port 11222 |
| /opt/infinispan/bin/cli.sh -c http://route | http connect to the route (oc get route) |
| /opt/infinispan/bin/cli.sh -c - | http connect to localhost on the default port; - is an abbreviation of localhost |
| ./cli.sh -c https://$IP:$PORT --trustall | TLS/https connect to $IP port $PORT; --trustall is an option of ./cli.sh that accepts the server certificate without a truststore |
| ./cli.sh, then connect http://$IP:$PORT or connect https://$IP:$PORT | connect via http or https according to the $IP/$PORT given |
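The following shell helper is an added example and is not part of the Red Hat solution. It ties the scenarios above together: it reads the Infinispan CR's spec.security block, picks http when endpointEncryption.type is None (the case that otherwise produces IllegalStateException: No SSL TrustStore configuration) and https otherwise, and adds a pre-check for the keytool step. The CR name dg-cluster-lon in the usage comment, the sample CR fragments, and the assumption that cli.sh accepts --truststore <path> alongside the --trustall shown above are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution: derive the cli.sh connection
# arguments from the Infinispan CR's spec.security block, so a cluster with
# endpointEncryption.type: None is reached over http (avoiding
# "IllegalStateException: No SSL TrustStore configuration") and a TLS cluster
# over https. Assumptions: the CR text comes from `oc get infinispan <name> -o yaml`,
# and cli.sh accepts --trustall (shown in the solution) and --truststore <path>.

# Print the value of spec.security.endpointEncryption.type from the CR on stdin.
# Tracks indentation so the unrelated spec.service.type key is not picked up.
endpoint_encryption_type() {
    awk '
        function indent(s,  t) { t = s; sub(/^ */, "", t); return length(s) - length(t) }
        /^ *endpointEncryption:/ { base = indent($0); inblock = 1; next }
        inblock && indent($0) <= base { inblock = 0 }
        inblock && /^ *type:/ { sub(/^ *type: */, ""); sub(/ *$/, ""); print; exit }
    '
}

# Print "http" when encryption is None; anything else or unknown defaults to
# "https", so a missing block never silently downgrades to plaintext.
endpoint_scheme() {
    case "$(endpoint_encryption_type)" in
        None|none) echo http ;;
        *)         echo https ;;
    esac
}

# Build the arguments for ./cli.sh from the CR on stdin.
#   $1 host (default localhost), $2 port (default 11222), $3 optional truststore path.
# With TLS and no truststore, --trustall is emitted: it skips server certificate
# verification, so it is only for troubleshooting inside the pod.
cli_args() {
    host=${1:-localhost}; port=${2:-11222}; truststore=$3
    if [ "$(endpoint_scheme)" = http ]; then
        printf '%s\n' "-c http://$host:$port/"
    elif [ -n "$truststore" ]; then
        printf '%s\n' "-c https://$host:$port/ --truststore $truststore"
    else
        printf '%s\n' "-c https://$host:$port/ --trustall"
    fi
}

# Pre-check for the keytool step: "Input not an X.509 certificate" means the
# file is not a PEM certificate (for example the wrong tls.crt was copied).
is_pem_certificate() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Constructed sample CR fragments (not real cluster output), in the layout
# shown in the solution. spec.service.type is present to show it is ignored.
CR_PLAIN='spec:
  service:
    type: DataGrid
  security:
    endpointAuthentication: false
    endpointEncryption:
      type: None'
CR_TLS='spec:
  service:
    type: DataGrid
  security:
    endpointAuthentication: true
    endpointEncryption:
      type: Service'

# Usage inside the pod (CR name dg-cluster-lon is assumed):
#   ./cli.sh $(oc get infinispan dg-cluster-lon -o yaml | cli_args)
printf 'plain cluster: ./cli.sh %s\n' "$(printf '%s\n' "$CR_PLAIN" | cli_args)"
printf 'tls cluster:   ./cli.sh %s\n' "$(printf '%s\n' "$CR_TLS" | cli_args 10.0.0.5 11222)"
```

The defaulting to https when the block is absent is deliberate: the operator enables endpoint encryption unless the CR says None, so an unparsed CR should never make the helper fall back to plaintext.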
Root Cause
The operator generates two credentials:
| Secret/Credential | user |
|---|---|
| infinispan-generated-secret | developer |
| infinispan-generated-operator-secret | operator |
When the Infinispan CR has spec.security.endpointEncryption.type == None, the Infinispan cluster will not have a secret; only the operator will have one:
```
spec:
  ...
  container:
    memory: 1Gi
  security:
    endpointAuthentication: false
    endpointEncryption:
      type: None
```
This is explained in the Data Grid 8.3 Operator Guide.
Helm Charts
The default Helm deployment creates two default users: developer and monitor. They are set in /etc/security/identities-batch via the environment variable $IDENTITIES_BATCH.
To fetch the user and password:
```
oc get secret infinispan-generated-secret -o jsonpath="{.data.identities-batch}" | base64 --decode
```
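As an added example (not from the Red Hat solution or the Helm chart), the helper below reads the same identities-batch entry from the JSON form of the secret and lists only the user names, so the passwords do not land in the terminal or shell history. The secret document and the batch contents are constructed, and the batch layout `user create <name> -p "<password>" -g <group>` is an assumption about the Infinispan CLI batch format.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution: read the identities-batch entry
# of the generated secret and list the user names without echoing passwords.
# Assumptions: the secret JSON comes from `oc get secret <name> -o json`, and the
# batch uses the Infinispan CLI form `user create <name> -p "<password>" -g <group>`.

# Extract the base64 value of .data.identities-batch from the secret JSON on stdin
# (plain sed, so it also works where jq is not installed in the pod).
identities_batch_b64() {
    sed -n 's/.*"identities-batch"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Decode the batch from the secret JSON on stdin and print one user name per line.
# Only the third field of each "user create" line is printed; the -p value stays
# out of the terminal and the shell history.
list_users() {
    identities_batch_b64 | base64 -d | awk '$1 == "user" && $2 == "create" { print $3 }'
}

# Constructed sample: a batch with the two Helm default users and placeholder
# passwords, wrapped in a secret document shaped like the oc output.
BATCH='user create developer -p "example-dev-password" -g admin
user create monitor -p "example-monitor-password" -g monitor'
BATCH_B64=$(printf '%s\n' "$BATCH" | base64 | tr -d '\n')
SECRET_JSON='{"apiVersion":"v1","kind":"Secret","metadata":{"name":"infinispan-generated-secret"},"data":{"identities-batch":"'"$BATCH_B64"'"}}'

# Usage with a live cluster:
#   oc get secret infinispan-generated-secret -o json | list_users
printf '%s\n' "$SECRET_JSON" | list_users
```

When the password itself is needed for a CLI login, decode the batch into a variable or read it once from the prompt rather than pasting it on the cli.sh command line, where it would be visible in the process list.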
Proto file commands on DG 8.x
See the solution Proto file commands on DG 8.x for the protofile commands.
Diagnostic Steps
Related solutions
| Purpose | Solutions |
|---|---|
| Metaspace settings (via Subscription) | Can you customize Metaspace and MaxMetaspace in DG as JVM argument in DG Operator? |
| Setting DG Operator pod settings | Customizing resource on DG Operator pod itself in OCP 4 |
| Print DG Operand configuration | How to print the configuration used by DG Operator at startup? |
| DG 8 connection via CLI | Connecting on DG 8 CLI inside OCP 4 pod/terminal |
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.