A few more exceptions encountered in trying out the change above include:
1) Caused by: java.lang.IllegalStateException: Expected the service ZKGarbageCollector [FAILED] to be RUNNING, but the service has FAILED
    at com.google.common.util.concurrent.AbstractService.checkCurrentState(AbstractService.java:366)
    at com.google.common.util.concurrent.AbstractService.awaitRunning(AbstractService.java:302)
    at io.pravega.controller.store.stream.PravegaTablesStreamMetadataStore.<init>(PravegaTablesStreamMetadataStore.java:77)
    at io.pravega.controller.store.stream.PravegaTablesStreamMetadataStore.<init>(PravegaTablesStreamMetadataStore.java:67)
    at io.pravega.controller.store.stream.StreamStoreFactory.createStore(StreamStoreFactory.java:37)
    at io.pravega.controller.server.ControllerServiceStarter.startUp(ControllerServiceStarter.java:230)
    at com.google.common.util.con

2) Caused by: java.security.cert.CertificateException: found no certificates in input stream
    at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:98)
    at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:64)
    at io.netty.handler.ssl.SslContext.toX509Certificates(SslContext.java:1071)
    at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:180)

3) java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at io.pravega.segmentstore.storage.impl.bookkeeper.ZooKeeperServiceRunner.getTrustManager(ZooKeeperServiceRunner.java:220)
    at io.pravega.segmentstore.storage.impl.bookkeeper.ZooKeeperServiceRunner.waitForSSLServerUp(ZooKeeperServiceRunner.java:185)
    at io.pravega.segmentstore.storage.impl.bookkeeper.ZooKeeperServiceRunner.waitForServerUp(ZooKeeperServiceRunner.java:164)
    at io.pravega.segmentstore.storage.impl.bookkeeper.ZooKeeperServiceRunner.start(ZooKeeperServiceRunner.java:109)
    at io.pravega.local.InProcPravegaCluster.startLocalZK(InProcPravegaCluster.java:210)
    at io.pravega.local.InProcPravegaCluster.start(InProcPravegaCluster.java:182)
    at io.pravega.local.LocalPravegaEmulator.start(LocalPravegaEmulator.java:153)
    at io.pravega.local.LocalPravegaEmulator.main(LocalPravegaEmulator.java:128)

And the options tried out included:
-Djavax.net.ssl.trustStore=/etc/secret-volume/client1.truststore.jks
-Djavax.net.ssl.trustStorePassword=password
Finally, a set of working files was mounted as a secret and deployed with the operator as an option:
$ kubectl create secret generic controller-tls \
    --from-file=./controller01.pem \
    --from-file=./ca-cert \
    --from-file=./controller01.key.pem \
    --from-file=./controller01.jks \
    --from-file=./password
$ helm install pravega charts/pravega \
    --set zookeeperUri=zookeeper-client:2181 \
    --set bookkeeperUri=bookkeeper-bookie-headless:3181 \
    --set storage.longtermStorage.filesystem.pvc=pravega-tier2 \
    --set controller.security.tls.enable=true \
    --set controller.security.tls.server.certificate.location=/etc/secret-volume/controller01.pem \
    --set controller.security.tls.server.privateKey.location=/etc/secret-volume/controller01.key.pem \
    --set pravegaservice.security.tls.enable=true \
    --set pravegaservice.security.tls.server.certificate.location=/etc/secret-volume/segmentStore01.pem \
    --set pravegaservice.security.tls.server.privateKey.location=/etc/secret-volume/segmentStore01.key.pem \
    --set tls.secret.controller=controller-tls \
    --set tls.secret.segmentStore=segmentstore-tls
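Exceptions 2) and 3) above are what the PEM reader and the JKS loader raise when they are handed a file in a format they do not parse, so it helps to check each file's format before it goes into the secret. The script below is an added example, not part of the original post or of Pravega; the function names tls_file_kind and expect_kind are hypothetical and the sample files are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: report the on-disk format of TLS files before they go into
# a secret. Function names are hypothetical, not part of Pravega or kubectl.

# Prints: pem-cert | pem-key | jks | jceks | der-or-pkcs12 | unknown | missing
tls_file_kind() {
    [ -r "$1" ] || { echo missing; return 0; }
    # PEM is text; Netty's PemReader needs a BEGIN CERTIFICATE block.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem-cert; return 0
    fi
    if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        echo pem-key; return 0
    fi
    # Binary keystores are told apart by their first four bytes.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $magic in
        feedfeed) echo jks ;;            # magic number the JKS loader requires
        cececece) echo jceks ;;
        30*)      echo der-or-pkcs12 ;;  # ASN.1 SEQUENCE: PKCS#12 or DER
        *)        echo unknown ;;
    esac
}

# expect_kind FILE KIND: succeeds only if FILE has the format KIND.
expect_kind() {
    got=$(tls_file_kind "$1")
    [ "$got" = "$2" ] && return 0
    echo "MISMATCH $1: expected $2, found $got" >&2
    return 1
}

# Constructed sample files (not real key material), named as on this page.
d=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$d/controller01.pem"
printf '\376\355\376\355' > "$d/controller01.jks"
# A PEM file saved under a .jks name: loading it as a keystore fails with
# "Invalid keystore format".
cp "$d/controller01.pem" "$d/client1.truststore.jks"

for f in controller01.pem controller01.jks client1.truststore.jks; do
    echo "$f: $(tls_file_kind "$d/$f")"
done
expect_kind "$d/client1.truststore.jks" jks || echo "fix before deploying"
```

The check looks only at the container format; it does not validate the certificate chain, the key match, or the keystore password.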