
"unable to find valid certification path to requested target" when trying to edit a resource #600

Closed · adietish opened this issue May 16, 2023 · 9 comments · Fixed by #607
Labels: kind/bug (Something isn't working), severity/critical

adietish (Collaborator) commented May 16, 2023

This was reported in #521 (comment)
Steps:

  1. ASSERT: have an OpenShift cluster running on a private certificate
  2. ASSERT: make sure it's the current context
  3. EXEC: in the plugin, open a resource (double click or "Edit..." in the ctx menu)

Result:
Editor is opened but errors with the following details:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Adding the certificate under Settings -> Tools -> Server Certificates and also enabling "Accept non-trusted certificates automatically" doesn't help.

To reproduce this you can use our cluster bot:

Steps:

  1. EXEC: using the clusterbot, launch a new instance (takes ~30min)
  2. EXEC: log into the new cluster, copy the login command, paste it into bash/zsh and execute it:
     oc login --token=sha256~XXXXXXX --server=https://XXXXXXXX-east-1.amazonaws.com:6443
  3. ASSERT: the command errors with the following, which confirms that a private certificate is used:
     error: tls: failed to verify certificate: x509: “kubernetes” certificate is not trusted
  4. EXEC: add --insecure-skip-tls-verify=true to the command
  5. ASSERT: login is successful
  6. EXEC: edit the entry for the new cluster in ~/.kube/config: remove insecure-skip-tls-verify: true
  7. EXEC: launch plugin (and maybe expand the Projects node)

Result:
The cluster is listed but not detected as OpenShift. Furthermore you cannot list any resources (expand nodes in the tree). They all error ("Error: Could not get ...").
In the IDEA log you discover the error:

Caused by: java.io.IOException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
adietish (Collaborator, Author) commented May 16, 2023

IDEA has settings for SSL certificates where the user can disable verification and add their own certificates:
[image: IDEA Server Certificates settings]
The IDE would also ask the user for confirmation if certificates that it is facing are not trusted.
In order to take advantage of these settings a plugin needs to use the trust- and key-managers that the IDE offers.

Our fabric8 kubernetes-client, on the other hand, has its own key- and trust managers, which it creates and feeds to its underlying http client. This means that the kubernetes plugin currently won't react to the settings that you set in the IDE preferences.

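The point made above is that the JVM's PKIX error is not about the certificate being "bad" but about the client's trust manager not knowing the CA that signed it, and that the plugin only follows the IDE's certificate settings if the HTTP client is built on trust managers the IDE controls. The following Java example, added here and not taken from the plugin, the fabric8 client or PR #607, shows the underlying JDK mechanism: a trust manager that consults the JDK default trust store first and then an extra PEM bundle (the cluster CA, e.g. the decoded certificate-authority-data of the cluster entry in ~/.kube/config), wired into an SSLContext while hostname verification stays on. The class and method names (ClusterTrust, CompositeTrustManager, sslContextTrusting) are assumptions for the example; the "accept everything" trust manager and disabled hostname verification of the diagnostic snapshot are deliberately not reproduced.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Example only (hypothetical class, not the plugin's code): JDK roots plus the cluster CA. */
public final class ClusterTrust {

    /** The X509TrustManager behind the JDK default trust store (cacerts / javax.net.ssl.trustStore). */
    static X509TrustManager jdkDefaultTrustManager() throws Exception {
        return firstX509(trustManagerFactory(null));
    }

    /** A trust manager for the certificates in a PEM bundle (one or more CA certificates). */
    static X509TrustManager trustManagerFor(InputStream pemBundle) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                          // empty in-memory key store
        int i = 0;
        for (Certificate c : cf.generateCertificates(pemBundle)) {
            ks.setCertificateEntry("cluster-ca-" + i++, c);
        }
        return firstX509(trustManagerFactory(ks));
    }

    private static TrustManagerFactory trustManagerFactory(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                 // null KeyStore = JDK default trust store
        return tmf;
    }

    private static X509TrustManager firstX509(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Accepts a chain if any delegate builds a valid path: JDK roots first, then the extra CAs.
     *  The last PKIX exception is rethrown, so unknown CAs still fail loudly. */
    static final class CompositeTrustManager implements X509TrustManager {
        private final List<X509TrustManager> delegates;

        CompositeTrustManager(X509TrustManager... delegates) {
            this.delegates = Arrays.asList(delegates);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager d : delegates) {
                try {
                    d.checkServerTrusted(chain, authType);
                    return;                           // one delegate validated the chain
                } catch (CertificateException e) {
                    last = e;                         // keep the PKIX error for the caller
                }
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager d : delegates) {
                try {
                    d.checkClientTrusted(chain, authType);
                    return;
                } catch (CertificateException e) {
                    last = e;
                }
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>();
            for (X509TrustManager d : delegates) all.addAll(Arrays.asList(d.getAcceptedIssuers()));
            return all.toArray(new X509Certificate[0]);
        }
    }

    /** SSLContext trusting JDK roots plus the cluster CA. Hostname verification is left to the
     *  HTTP client (HttpsURLConnection checks it by default) and is not switched off. */
    static SSLContext sslContextTrusting(String clusterCaPem) throws Exception {
        InputStream pem = new ByteArrayInputStream(clusterCaPem.getBytes(StandardCharsets.US_ASCII));
        X509TrustManager combined = new CompositeTrustManager(jdkDefaultTrustManager(), trustManagerFor(pem));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { combined }, new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: the base64 certificate-authority-data value copied from ~/.kube/config (placeholder input)
        String pem = new String(Base64.getDecoder().decode(args[0]), StandardCharsets.US_ASCII);
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContextTrusting(pem).getSocketFactory());
        System.out.println("SSLContext installed: cluster CA trusted, other unknown CAs still rejected");
    }
}
```

In the diagnostic build mentioned below, "accept all certificates and disable hostname verification" corresponds to the fabric8 Config options trustCerts and disableHostnameVerification; both remove the check that produced the PKIX error rather than supplying the missing CA, which is why that build is only useful to confirm the diagnosis. The IDE-integrated fix replaces the delegate list above with the trust manager the IDE exposes, so certificates added under Settings -> Tools -> Server Certificates are honoured by the plugin.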
@adietish adietish moved this to 📋 Backlog in IDE Cloudaptors May 17, 2023
adietish (Collaborator, Author) commented May 17, 2023

Hi @tschut
I told our kubernetes-client to accept all certificates and disable hostname verification. If this quick hack works for you then we know that certificates handling in the kubernetes-client is the cause of it. We could then go ahead and find a way to plug the IDEA certificate handling into the client. Would be great if you could test it.
https://gist.github.com/adietish/3aa8bec832cee37fd9abc3e6dfa6b684#file-kubernetes-by-red-hat-0-8-2-snapshot-zip (revision 7)

tschut commented May 22, 2023

Hi @adietish, didn't get around to testing it until now (was at springio 🥳)

It looks a lot better with this latest snapshot! I can login to the cluster, and when I open a resource.yaml in the editor I tested the "diff" and "pull" functions and both work correctly.

What doesn't work yet is the browser in the OpenShift toolbox window. It shows the cluster, but the only item in the dropdown is "Unable to get namespaces: An error has occurred.", which is correct, because my account doesn't have the appropriate rights for oc get namespaces. It does for oc get projects though.


adietish (Collaborator, Author) commented May 22, 2023

@tschut hope you had lots of fun in Barcelona 🥳
Awesome news about my snapshot build. It confirms that the problem you are facing is caused by the certificate on your cluster. The tooling currently cannot handle it. The best I can offer on the quick run is to allow accepting all certificates regardless. Respecting certificates that you manually add would be something that I can fix later.
Regarding the problem with the openshift plugin, I created redhat-developer/intellij-openshift-connector#547. The OpenShift plugin is a different beast, it is using the oc command-line, not the fabric8 kubernetes-client that we're using here. Please correct my steps over there 😄

tschut commented May 22, 2023

Thanks @adietish! Which functionality belongs to which plugin is in this case quite confusing I think, glad you have a better understanding of that. I'll try to help out with the other issue.

adietish (Collaborator, Author) commented May 25, 2023

For my own documentation purposes:
I didn't succeed in having minikube run on a self-signed certificate. I managed it for CRC though:

Steps:

  1. EXEC: create a self-signed certificate:
     openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
       -keyout domain.key -out domain.crt -subj "/CN=api.crc.testing" \
       -addext "subjectAltName=DNS:api.crc.testing,IP:127.0.0.1"
  2. EXEC: proceed as in https://docs.openshift.com/container-platform/4.13/security/certificates/api-server.html#api-server-certificates
     crc start
     oc login -u kubeadmin -p <password> https://api.crc.testing:6443
     oc config view --flatten > kubeconfig-newapi
     oc create secret tls selfsigned \
          --cert=domain.crt \
          --key=domain.key \
          -n openshift-config
     oc patch apiserver cluster \
          --type=merge -p \
          '{"spec":{"servingCerts": {"namedCertificates":
          [{"names": ["api.crc.testing"],
          "servingCertificate": {"name": "selfsigned"}}]}}}'

adietish added a commit to adietish/intellij-kubernetes that referenced this issue May 25, 2023
adietish (Collaborator, Author) commented May 31, 2023

Hi @tschut,
I now impl'd support for the IDEA certificate manager. You can now add your private certificate or blindly accept untrusted certificates in the IDEA settings. It would be beyond awesome if you could test this build? https://gist.github.com/adietish/3aa8bec832cee37fd9abc3e6dfa6b684#file-kubernetes-by-red-hat-0-8-2-snapshot-zip
Would be greatly appreciated 😃

@adietish adietish mentioned this issue May 31, 2023
adietish added a commit that referenced this issue Jun 1, 2023
@github-project-automation github-project-automation bot moved this from 📋 Backlog to ✅ Done in IDE Cloudaptors Jun 1, 2023
tschut commented Jun 1, 2023

> Hi @tschut, I now impl'd support for the IDEA certificate manager. You can now add your private certificate or blindly accept untrusted certificates in the IDEA settings. It would be beyond awesome if you could test this build? https://gist.github.com/adietish/3aa8bec832cee37fd9abc3e6dfa6b684#file-kubernetes-by-red-hat-0-8-2-snapshot-zip Would be greatly appreciated 😃

Nice work! I tried to validate the fix but since I already imported the certificates in my jdk I'd have to remove those first and I'm a bit busy atm :(

adietish (Collaborator, Author) commented Jun 1, 2023

Hi @tschut, no problems, thanks for all the collab :)
We'll release a 1.0.0 with this enhancement very soon. Feel free to report back if you face problems.
