Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1503931

Summary: hawkular-metrics pod throws out java.io.IOException continuously if /var/run/secrets/kubernetes.io/serviceaccount/ca.crt containes spaces
Product: OpenShift Container Platform Reporter: Junqi Zhao <juzhao>
Component: HawkularAssignee: Juraci Paixão Kröhling <jcosta>
Status: CLOSED WONTFIX QA Contact: Junqi Zhao <juzhao>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.6.1CC: aos-bugs
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-19 07:47:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
hawkular metrics pod log none

Description Junqi Zhao 2017-10-19 05:55:13 UTC 
Created attachment 1340547 [details]
hawkular metrics pod log

Description of problem:
This defect is found when testing https://bugzilla.redhat.com/show_bug.cgi?id=1500471
/etc/origin/master/ca-bundle.crt file, after add spaces to the end of "-----BEGIN CERTIFICATE-----" and restart server and deploy metrics 3.6.
hawkular-metrics pod throws out java.io.IOException continuously, details please see the attached file.

Although this exception, it does not affect metrics' function, metrics sanity testing passed
********************************************************************************
 [org.openshift.ping.common.stream.TokenStreamProvider] (thread-2,ee,hawkular-metrics-n15zd) Could not create trust manager for /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Illegal header: -----BEGIN CERTIFICATE-----  
	at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:110)
	at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
	at org.openshift.ping.common.stream.TokenStreamProvider.configureCaCert(TokenStreamProvider.java:73)
	at org.openshift.ping.common.stream.TokenStreamProvider.getSSLSocketFactory(TokenStreamProvider.java:106)
	at org.openshift.ping.common.stream.TokenStreamProvider.openStream(TokenStreamProvider.java:49)
	at org.openshift.ping.common.stream.OpenStream.call(OpenStream.java:25)
	at org.openshift.ping.common.stream.OpenStream.call(OpenStream.java:7)
	at org.openshift.ping.common.Utils.execute(Utils.java:210)
	at org.openshift.ping.common.Utils.openStream(Utils.java:50)
	at org.openshift.ping.kube.Client.getNode(Client.java:84)
	at org.openshift.ping.kube.Client.getPods(Client.java:90)
	at org.openshift.ping.kube.KubePing.doReadAll(KubePing.java:196)
	at org.openshift.ping.common.OpenshiftPing.readAll(OpenshiftPing.java:249)
	at org.openshift.ping.common.OpenshiftPing.sendMcastDiscoveryRequest(OpenshiftPing.java:201)
	at org.jgroups.protocols.PING.sendDiscoveryRequest(PING.java:62)
	at org.jgroups.protocols.PING.findMembers(PING.java:32)
	at org.jgroups.protocols.Discovery.findMembers(Discovery.java:244)
	at org.jgroups.protocols.Discovery.down(Discovery.java:388)
	at org.openshift.ping.common.OpenshiftPing.down(OpenshiftPing.java:196)
	at org.jgroups.protocols.MERGE3$InfoSender.run(MERGE3.java:381)
	at org.jgroups.util.TimeScheduler3$Task.run(TimeScheduler3.java:291)
	at org.jgroups.util.TimeScheduler3$RecurringTask.run(TimeScheduler3.java:325)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.jboss.as.clustering.jgroups.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:52)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Illegal header: -----BEGIN CERTIFICATE-----  
	at sun.security.provider.X509Factory.checkHeaderFooter(X509Factory.java:646)
	at sun.security.provider.X509Factory.readOneBlock(X509Factory.java:636)
	at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:96) 
************************************************************************


Version-Release number of selected component (if applicable):
metrics-hawkular-metrics:v3.6.173.0.56-1

# openshift version
openshift v3.6.173.0.56
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

How reproducible:
Always

Steps to Reproduce:
1. Change to "-----BEGIN CERTIFICATE-----  "(two spaces in the end) of /etc/origin/master/ca-bundle.crt.
2. Restart server and deploy metrics 3.6
3.

Actual results:
hawkular-metrics pod throws out java.io.IOException continuously

Expected results:
There should not be exception in hawkular-metrics pod log

Additional info:
Comment 1 Juraci Paixão Kröhling 2017-10-19 07:47:10 UTC 
This is an issue on an external component: https://github.com/jboss-openshift/openshift-ping

Similar issues will occur (BZ 1503462) on other components that are using Java's cert facilities. Unless we face a situation where a customer can't fix the cert, we won't be fixing the whole stack.