GlobalConf is empty on first install #2536

Open
cruznick opened this issue Jan 16, 2025 · 4 comments
Labels
question Further information is requested

@cruznick

Hi, sorry to bother you with this, but I'm not able to make the sidecar work (again) in EKS:

I need to configure a Secure Server to consume a Gov service, and around August last year I made it work with these configurations:

Working env (dev)

Deployment

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gcba
  namespace: gcba
  labels:
    app: gcba
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gcba
  template:
    metadata:
      labels:
        app: gcba
    spec:
      volumes:
        - name: xroad-persistent-storage
          persistentVolumeClaim:
            claimName: gcba-lib
        - name: xroad-etc-storage
          persistentVolumeClaim:
            claimName: gcba-etc
        - name: xroad-config
          configMap:
            name: gcba-environment
            defaultMode: 420
        - name: xroad-secrets
          secret:
            secretName: gcba
            defaultMode: 420
        - name: ssh-key-secret
          secret:
            secretName: gcba-ssh-key
            items:
              - key: SSH_PUBLIC_KEY
                path: id_rsa.pub
                mode: 420
            defaultMode: 420
      containers:
        - name: app
          image: niis/xroad-security-server-sidecar:7.5.0-slim
          ports:
            - containerPort: 8443
              protocol: TCP
            - containerPort: 4000
              protocol: TCP
            - containerPort: 5500
              protocol: TCP
            - containerPort: 5577
              protocol: TCP
            - containerPort: 5588
              protocol: TCP
            - containerPort: 22
              protocol: TCP
          envFrom:
            - configMapRef:
                name: gcba-environment
            - secretRef:
                name: gcba
          resources:
            limits:
              cpu: '2'
              memory: 3Gi
            requests:
              cpu: '2'
              memory: 3Gi
          volumeMounts:
            - name: xroad-persistent-storage
              mountPath: /var/lib/xroad
            - name: xroad-config
              mountPath: /etc/xroad/config
            - name: xroad-secrets
              mountPath: /etc/xroad/secrets
            - name: xroad-etc-storage
              mountPath: /etc/xroad
            - name: ssh-key-secret
              mountPath: /etc/.ssh/
          livenessProbe:
            httpGet:
              path: /
              port: 8080
              scheme: HTTP
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /
              port: 8080
              scheme: HTTP
            timeoutSeconds: 6
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 1
          startupProbe:
            httpGet:
              path: /
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 20
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 60
          imagePullPolicy: Always
          securityContext:
            capabilities:
              add:
                - NET_BIND_SERVICE
                - SYS_ADMIN
              drop:
                - ALL
            privileged: true
            runAsUser: 0
            runAsNonRoot: false
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      serviceAccountName: gcba
      securityContext:
        fsGroup: 1000
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
```

Service

```yaml
apiVersion: v1
kind: Service
metadata:
  name: gcba
  namespace: gcba
  labels:
    app: gcba
spec:
  ports:
    - name: http
      protocol: TCP
      port: 8443
      targetPort: 8443
    - name: service1
      protocol: TCP
      port: 8080
      targetPort: 4000
    - name: service2
      protocol: TCP
      port: 5500
      targetPort: 5500
    - name: service3
      protocol: TCP
      port: 5577
      targetPort: 5577
  selector:
    app: gcba
  sessionAffinity: None
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
```

Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gcba
  namespace: gcba
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/configuration-snippet: set $auth_mode "not-required";
    nginx.ingress.kubernetes.io/proxy-read-timeout: '600'
    nginx.ingress.kubernetes.io/proxy-send-timeout: '600'
spec:
  ingressClassName: nginx-internal
  tls:
    - hosts:
        - gcba.dev.kavak.io
  rules:
    - host: gcba.dev.kavak.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gcba
                port:
                  number: 8443
```

That was working until today, but it looks like the gov certs expired. I use Pulumi to manage the infrastructure, but when trying that config to create the production deployment I get the following errors:

Instance Identifier error

```
[qtp1918144733-54] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/global
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
```

Missing Anchor file

```
[QuartzScheduler_Worker-1] e.r.x.c.c.g.ConfigurationClient - Cannot download configuration, anchor file /etc/xroad/configuration-anchor.xml does not exist
2025-01-16T09:41:18.352Z ERROR [xroad-confclient-service] [QuartzScheduler_Worker-1] o.n.xroad.schedule.RetryingQuartzJob - Error executing job.
java.io.FileNotFoundException: /etc/xroad/configuration-anchor.xml
```

Full Log
2025-01-16T09:41:08+00:00 INFO [entrypoint] Starting X-Road Security Server version 7.5.0-1.ubuntu24.04
2025-01-16T09:41:08+00:00 INFO [entrypoint] Creating admin user with user-supplied credentials
2025-01-16T09:41:08+00:00 WARN [entrypoint] Current configuration version not known
2025-01-16T09:41:08+00:00 INFO [entrypoint] Migrating configuration from none to 7.5.0-1.ubuntu24.04
cp: warning: behavior of -n is non-portable and may change in future; use --update=none instead
cp: warning: behavior of -n is non-portable and may change in future; use --update=none instead
cp: warning: behavior of -n is non-portable and may change in future; use --update=none instead
2025-01-16T09:41:09+00:00 INFO [entrypoint] Generating new internal TLS key and certificate
2025-01-16T09:41:09+00:00 INFO [entrypoint] Generating new SSL key and certificate for the admin UI
2025-01-16T09:41:09+00:00 INFO [entrypoint] Creating serverconf database and properties file
2025-01-16T09:41:09+00:00 INFO [entrypoint] Using remote database gcba.cluster-cjc75zqispya.us-west-2.rds.amazonaws.com:5432
2025-01-16T09:41:09+00:00 INFO [entrypoint] Waiting for the database to become available...
2025-01-16T09:41:09+00:00 INFO [entrypoint] Reconfiguring packages
  client-fastest-connecting-ssl-use-uri-cache not present in local.ini, use default value
  Configuring groups
  Liquibase Home: /usr/share/xroad/db
  Starting Liquibase at 09:41:12 (version 4.19.0 #6648 built at 2023-01-17 15:02+0000)
  Running Changeset: serverconf/000-baseline.xml::000-baseline::niis
  Running Changeset: serverconf/001-apikeys.xml::001-apikeys::niis
  Running Changeset: serverconf/002-drop-securitycategories.xml::002-drop-securitycategories::niis
  Running Changeset: serverconf-changelog.xml::separate-admin-user::niis
  Liquibase: Update has been successful.
2025-01-16T09:41:14+00:00 INFO [entrypoint] Generating internal gRPC TLS keys and certificate
Generating 256 bit EC (secp256r1) key pair and self-signed certificate (SHA256withECDSA) with a validity of 3,650 days
  for: CN=127.0.0.1
2025-01-16 09:41:14,809 INFO Included extra file "/etc/supervisor/conf.d/xroad.conf" during parsing
2025-01-16 09:41:14,809 INFO Set uid to user 0 succeeded
2025-01-16 09:41:14,813 INFO RPC interface 'supervisor' initialized
2025-01-16 09:41:14,813 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2025-01-16 09:41:14,813 INFO supervisord started with pid 1
2025-01-16 09:41:15,815 INFO spawned: 'xroad-confclient' with pid 342
2025-01-16 09:41:15,816 INFO spawned: 'xroad-signer' with pid 343
2025-01-16 09:41:15,818 INFO spawned: 'cron' with pid 344
2025-01-16 09:41:15,819 INFO spawned: 'xroad-autologin' with pid 345
2025-01-16 09:41:15,820 INFO spawned: 'xroad-proxy' with pid 346
2025-01-16 09:41:15,821 INFO spawned: 'xroad-proxy-ui-api' with pid 348
2025-01-16 09:41:16,830 INFO success: xroad-confclient entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-01-16 09:41:16,830 INFO success: xroad-signer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-01-16 09:41:16,830 INFO success: cron entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-01-16 09:41:16,831 INFO success: xroad-autologin entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-01-16 09:41:16,831 INFO success: xroad-proxy entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-01-16 09:41:16,831 INFO success: xroad-proxy-ui-api entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-01-16T09:41:17.051Z INFO [xroad-proxy] [main] ee.ria.xroad.common.Version - xroad-proxy 7.5.0 (OpenJDK Runtime Environment 17 17.0.12+7-Ubuntu-1ubuntu224.04)
2025-01-16T09:41:17.053Z INFO [xroad-proxy] [main] ee.ria.xroad.proxy.ProxyMain - Starting proxy (7.5.0)...
2025-01-16T09:41:17.334Z INFO [xroad-confclient-service] [main] ee.ria.xroad.common.Version - xroad-confclient 7.5.0 (OpenJDK Runtime Environment 17 17.0.12+7-Ubuntu-1ubuntu224.04)
2025-01-16T09:41:17.633Z INFO [xroad-signer] [main] ee.ria.xroad.common.Version - xroad-signer 7.5.0 (OpenJDK Runtime Environment 17 17.0.12+7-Ubuntu-1ubuntu224.04)
2025-01-16T09:41:17.635Z INFO [xroad-signer] [main] ee.ria.xroad.signer.SignerMain - Starting Signer on port 5558...
2025-01-16T09:41:17.847Z INFO [xroad-confclient-service] [main] ee.ria.xroad.common.util.AdminPort - Started AdminPort on port 5675
09:41:17.854 [main] INFO ee.ria.xroad.common.Version -- xroad-proxy-ui-api 7.5.0 (OpenJDK Runtime Environment 17 17.0.12+7-Ubuntu-1ubuntu224.04)
2025-01-16T09:41:18.341Z INFO [xroad-confclient-service] [main] ee.ria.xroad.common.util.JobManager - Starting scheduled job ProxyConfigurationBackupJob with a schedule [0 15 3 * * ?]. Next execution: Fri Jan 17 03:15:00 UTC 2025
2025-01-16T09:41:18.344Z INFO [xroad-confclient-service] [main] e.r.x.c.c.g.ConfigurationClientMain - Configuration client started
2025-01-16T09:41:18.351Z WARN [xroad-confclient-service] [QuartzScheduler_Worker-1] e.r.x.c.c.g.ConfigurationClient - Cannot download configuration, anchor file /etc/xroad/configuration-anchor.xml does not exist
2025-01-16T09:41:18.352Z ERROR [xroad-confclient-service] [QuartzScheduler_Worker-1] o.n.xroad.schedule.RetryingQuartzJob - Error executing job.
java.io.FileNotFoundException: /etc/xroad/configuration-anchor.xml
  at ee.ria.xroad.common.conf.globalconf.ConfigurationClient.initConfigurationAnchor(ConfigurationClient.java:106)
  at ee.ria.xroad.common.conf.globalconf.ConfigurationClient.execute(ConfigurationClient.java:80)
  at ee.ria.xroad.common.conf.globalconf.ConfigurationClientJob.executeWithRetry(ConfigurationClientJob.java:62)
Wrapped by: org.quartz.JobExecutionException: java.io.FileNotFoundException: /etc/xroad/configuration-anchor.xml
  at ee.ria.xroad.common.conf.globalconf.ConfigurationClientJob.executeWithRetry(ConfigurationClientJob.java:76)
  at org.niis.xroad.schedule.RetryingQuartzJob.execute(RetryingQuartzJob.java:59)
  at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
2025-01-16T09:41:18.353Z INFO [xroad-confclient-service] [QuartzScheduler_Worker-1] e.r.x.c.c.g.ConfigurationClientMain$ConfigurationClientJobListener - job was executed result=DiagnosticsStatus(returnCode=125, prevUpdate=2025-01-16T09:41:18.351922Z, nextUpdate=2025-01-16T09:42:18.351953Z, description=null)
(re)trying to enter PIN
spawn /usr/share/xroad/autologin/signer-console login-token 0
2025-01-16T09:41:19.637Z INFO [xroad-signer] [main] e.r.x.s.t.m.AbstractModuleManager - Initializing module worker of instance DefaultModuleManagerImpl
2025-01-16T09:41:22.354Z INFO [xroad-signer] [main] ee.ria.xroad.common.util.AdminPort - Started AdminPort on port 5559
2025-01-16T09:41:23.237Z ERROR [xroad-proxy] [QuartzScheduler_Worker-2] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
  at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2025-01-16T09:41:23.243Z ERROR [xroad-proxy] [QuartzScheduler_Worker-2] e.r.x.c.c.g.GlobalConfUpdater - Error updating globalconf
ee.ria.xroad.common.CodedException: MalformedGlobalConf.InternalError: Could not read instance identifier of this security server
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.loadInstanceIdentifier(VersionedConfigurationDirectory.java:393)
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.<init>(VersionedConfigurationDirectory.java:92)
  at ee.ria.xroad.common.conf.globalconf.GlobalConfImpl.<init>(GlobalConfImpl.java:80)
PIN:
2025-01-16T09:41:25.249Z INFO [xroad-signer] [main] ee.ria.xroad.signer.SignerRpcConfig - Registering KeyService RPC service.
2025-01-16T09:41:25.260Z INFO [xroad-signer] [main] ee.ria.xroad.signer.SignerRpcConfig - Registering OcspService RPC service.
2025-01-16T09:41:25.333Z INFO [xroad-signer] [main] ee.ria.xroad.signer.SignerRpcConfig - Registering CertificateService RPC service.
2025-01-16T09:41:25.340Z INFO [xroad-signer] [main] ee.ria.xroad.signer.SignerRpcConfig - Registering TokensService RPC service.
2025-01-16T09:41:25.732Z INFO [xroad-signer] [main] ee.ria.xroad.signer.SignerMain - Signer has been initialized in 8190 ms.
2025-01-16T09:41:25.839Z ERROR [xroad-signer] [taskScheduler-1] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
  at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2025-01-16T09:41:25.852Z ERROR [xroad-signer] [taskScheduler-1] o.s.s.s.TaskUtils$LoggingErrorHandler - Unexpected error occurred in scheduled task
ee.ria.xroad.common.CodedException: MalformedGlobalConf.InternalError: Could not read instance identifier of this security server
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.loadInstanceIdentifier(VersionedConfigurationDirectory.java:393)
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.<init>(VersionedConfigurationDirectory.java:92)
  at ee.ria.xroad.common.conf.globalconf.GlobalConfImpl.<init>(GlobalConfImpl.java:80)
2025-01-16T09:41:26.647Z INFO [xroad-signer] [taskScheduler-1] e.r.x.s.certmanager.OcspClientWorker - OCSP-response refresh cycle started
2025-01-16T09:41:26.648Z ERROR [xroad-signer] [taskScheduler-1] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
  at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2025-01-16T09:41:26.649Z ERROR [xroad-signer] [taskScheduler-1] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
  at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2025-01-16T09:41:26.649Z ERROR [xroad-signer] [taskScheduler-1] e.r.x.c.c.g.GlobalConfExtensions - Exception while fetching ocsp fetch interval configuration
ee.ria.xroad.common.CodedException: MalformedGlobalConf.InternalError: Could not read instance identifier of this security server
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.loadInstanceIdentifier(VersionedConfigurationDirectory.java:393)
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.<init>(VersionedConfigurationDirectory.java:92)
  at ee.ria.xroad.common.conf.globalconf.GlobalConfImpl.<init>(GlobalConfImpl.java:80)
2025-01-16T09:41:26.649Z ERROR [xroad-signer] [taskScheduler-1] o.s.s.s.TaskUtils$LoggingErrorHandler - Unexpected error occurred in scheduled task
ee.ria.xroad.common.CodedException: MalformedGlobalConf.InternalError: Could not read instance identifier of this security server
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.loadInstanceIdentifier(VersionedConfigurationDirectory.java:393)
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.<init>(VersionedConfigurationDirectory.java:92)
  at ee.ria.xroad.common.conf.globalconf.GlobalConfImpl.<init>(GlobalConfImpl.java:80)
2025-01-16T09:41:26.930Z WARN [xroad-proxy] [main] org.hibernate.orm.deprecation - HHH90000028: Support for `<hibernate-mappings/>` is deprecated [RESOURCE : serverconf.hbm.xml]; migrate to orm.xml or mapping.xml, or enable `hibernate.transform_hbm_xml.enabled` for on the fly transformation
2025-01-16T09:41:26.937Z WARN [xroad-proxy] [main] org.hibernate.orm.deprecation - HHH90000028: Support for `<hibernate-mappings/>` is deprecated [RESOURCE : identifiers.hbm.xml]; migrate to orm.xml or mapping.xml, or enable `hibernate.transform_hbm_xml.enabled` for on the fly transformation
2025-01-16T09:41:27.156Z ERROR [xroad-signer] [ForkJoinPool.commonPool-worker-1] e.r.x.s.t.token.SoftwareTokenWorker - Software token not initialized
java.io.FileNotFoundException: /etc/xroad/signer/softtoken/.softtoken.p12 (No such file or directory)
  at java.base/java.io.FileInputStream.open0(Native Method)
  at java.base/java.io.FileInputStream.open(FileInputStream.java:216)
  at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
2025-01-16T09:41:27.157Z ERROR [xroad-signer] [ForkJoinPool.commonPool-worker-1] e.r.x.s.t.token.AbstractTokenWorker - Failed to activate token 'softToken': TokenNotInitialized: Token '0' not initialized
2025-01-16T09:41:27.562Z WARN [xroad-proxy] [main] org.hibernate.orm.deprecation - HHH90000026: CustomPostgreSQLDialect has been deprecated; use org.hibernate.dialect.PostgreSQLDialect instead
Signer.TokenNotInitialized: Token '0' not initialized
Signer.TokenNotInitialized: Token '0' not initialized
  at ee.ria.xroad.common.CodedException.tr(CodedException.java:158)
  at org.niis.xroad.common.rpc.client.RpcClient.handleGenericStatusRuntimeException(RpcClient.java:140)
  at org.niis.xroad.common.rpc.client.RpcClient.execute(RpcClient.java:129)
  at ee.ria.xroad.signer.protocol.RpcSignerClient.execute(RpcSignerClient.java:95)
  at ee.ria.xroad.signer.SignerProxy.activateToken(SignerProxy.java:155)
  at ee.ria.xroad.signer.console.SignerCLI.loginToken(SignerCLI.java:481)
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.base/java.lang.reflect.Method.invoke(Method.java:569)
  at asg.cliche.ShellCommand.invoke(ShellCommand.java:69)
  at asg.cliche.Shell.processCommand(Shell.java:294)
  at asg.cliche.Shell.processLine(Shell.java:276)
  at ee.ria.xroad.signer.console.SignerCLI.processCommandAndExit(SignerCLI.java:827)
  at ee.ria.xroad.signer.console.SignerCLI.main(SignerCLI.java:807)
2025-01-16T09:41:27.946Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.951Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.951Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.952Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.952Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.952Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.952Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.953Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.953Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.953Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.953Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:27.953Z WARN [xroad-proxy] [main] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16 09:41:28,954 INFO reaped unknown pid 443 (exit status 0)
2025-01-16T09:41:31.081Z WARN [xroad-proxy] [main] e.r.x.proxy.ProxyMessageLogConfig - Failed to get members from server configuration
ee.ria.xroad.common.CodedException: MalformedServerConf: Server conf is not initialized!
  at ee.ria.xroad.common.conf.serverconf.dao.ServerConfDAOImpl.getConf(ServerConfDAOImpl.java:71)
  at ee.ria.xroad.common.conf.serverconf.ServerConfImpl.getConf(ServerConfImpl.java:382)
  at ee.ria.xroad.common.conf.serverconf.ServerConfImpl.lambda$getMembers$16(ServerConfImpl.java:248)
2025-01-16T09:41:31.354Z INFO [xroad-proxy] [main] e.r.x.c.u.h.HealthCheckPort - Started HealthCheckPort on port 5588
2025-01-16T09:41:31.436Z INFO [xroad-proxy] [main] ee.ria.xroad.common.util.AdminPort - Started AdminPort on port 5566
2025-01-16 09:41:31,530 INFO exited: xroad-autologin (exit status 0; expected)
2025-01-16T09:41:31.767Z INFO [xroad-proxy] [main] e.r.x.proxy.clientproxy.ClientProxy - Client HTTP connector created (0.0.0.0:8080)
2025-01-16T09:41:31.774Z INFO [xroad-proxy] [main] e.r.x.proxy.clientproxy.ClientProxy - Client HTTPS connector created (0.0.0.0:8443)
2025-01-16T09:41:32.164Z INFO [xroad-proxy] [main] e.r.x.p.s.HttpClientCreator - SSL context successfully created
2025-01-16T09:41:32.171Z INFO [xroad-proxy] [main] e.r.x.proxy.serverproxy.ServerProxy - ClientProxy AntiDosConnector created (0.0.0.0:5500)
2025-01-16T09:41:32.250Z WARN [xroad-proxy-ui-api] [main] o.s.c.s.PostProcessorRegistrationDelegate$BeanPostProcessorChecker - Bean 'rollbackCheckedTransactionManagementConfiguration' of type [org.niis.xroad.securityserver.restapi.config.RollbackCheckedTransactionManagementConfiguration$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
2025-01-16T09:41:32.262Z ERROR [xroad-proxy] [main] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
  at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2025-01-16T09:41:32.357Z INFO [xroad-proxy] [main] ee.ria.xroad.proxy.ProxyMain - Proxy started in 15314 ms
09:41:33,215 |-INFO in ch.qos.logback.access.tomcat.LogbackValve[null] - Could NOT find configuration file [/tmp/tomcat.4000.17697550073556231284/logback-access.xml] using property "catalina.base"
09:41:33,215 |-INFO in ch.qos.logback.access.tomcat.LogbackValve[null] - Could NOT find configuration file [/tmp/tomcat.4000.17697550073556231284/logback-access.xml] using property "catalina.home"
09:41:33,215 |-INFO in ch.qos.logback.access.tomcat.LogbackValve[null] - Found [logback-access.xml] as a resource.
09:41:33,216 |-INFO in ch.qos.logback.core.joran.spi.ConfigurationWatchList@49f2646 - URL [jar:nested:/usr/share/xroad/jlib/proxy-ui-api-1.0.jar/!BOOT-INF/classes/!/logback-access.xml] is not of type file
09:41:33,236 |-INFO in ch.qos.logback.access.model.processor.ConfigurationModelHandler - debug attribute not set
09:41:33,236 |-INFO in ch.qos.logback.core.model.processor.AppenderModelHandler - Processing appender named [ACCESS_FILE]
09:41:33,236 |-INFO in ch.qos.logback.core.model.processor.AppenderModelHandler - About to instantiate appender of type [ch.qos.logback.core.rolling.RollingFileAppender]
09:41:33,251 |-INFO in c.q.l.core.rolling.TimeBasedRollingPolicy@78646617 - Will use zip compression
09:41:33,253 |-INFO in c.q.l.core.rolling.TimeBasedRollingPolicy@78646617 - Will use the pattern /var/log/xroad/proxy_ui_api_access.%d{yyyy-MM-dd}.%i.log for the active file
09:41:33,255 |-INFO in ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP@7c048b30 - The date pattern is 'yyyy-MM-dd' from file name pattern '/var/log/xroad/proxy_ui_api_access.%d{yyyy-MM-dd}.%i.log.zip'.
09:41:33,255 |-INFO in ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP@7c048b30 - Roll-over at midnight.
09:41:33,256 |-INFO in ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP@7c048b30 - Setting initial period to 2025-01-16T09:41:33.256Z
09:41:33,257 |-WARN in ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP@7c048b30 - SizeAndTimeBasedFNATP is deprecated. Use SizeAndTimeBasedRollingPolicy instead
09:41:33,257 |-WARN in ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP@7c048b30 - For more information see http://logback.qos.ch/manual/appenders.html#SizeAndTimeBasedRollingPolicy
09:41:33,259 |-INFO in ch.qos.logback.core.model.processor.ImplicitModelHandler - Assuming default type [ch.qos.logback.access.PatternLayoutEncoder] for [encoder] property
09:41:33,267 |-INFO in ch.qos.logback.core.rolling.RollingFileAppender[ACCESS_FILE] - Active log file name: /var/log/xroad/proxy_ui_api_access.log
09:41:33,268 |-INFO in ch.qos.logback.core.rolling.RollingFileAppender[ACCESS_FILE] - File property is set to [/var/log/xroad/proxy_ui_api_access.log]
09:41:33,269 |-INFO in ch.qos.logback.core.model.processor.AppenderRefModelHandler - Attaching appender named [ACCESS_FILE] to ch.qos.logback.access.tomcat.LogbackValve[null]
09:41:33,269 |-INFO in ch.qos.logback.core.model.processor.DefaultProcessor@309cf657 - End of configuration.
09:41:33,269 |-INFO in ch.qos.logback.access.joran.JoranConfigurator@4d4c4b14 - Registering current configuration as safe fallback point
09:41:33,269 |-INFO in ch.qos.logback.access.tomcat.LogbackValve[null[] - Done configuring
2025-01-16T09:41:35.267Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.deprecation - HHH90000028: Support for `<hibernate-mappings/>` is deprecated [INPUT_STREAM : jar:nested:/usr/share/xroad/jlib/proxy-ui-api-1.0.jar/!BOOT-INF/lib/common-admin-api-1.0-plain.jar!/apikey.hbm.xml]; migrate to orm.xml or mapping.xml, or enable `hibernate.transform_hbm_xml.enabled` for on the fly transformation
2025-01-16T09:41:35.282Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.deprecation - HHH90000028: Support for `<hibernate-mappings/>` is deprecated [INPUT_STREAM : jar:nested:/usr/share/xroad/jlib/proxy-ui-api-1.0.jar/!BOOT-INF/lib/serverconf-1.0.jar!/serverconf.hbm.xml]; migrate to orm.xml or mapping.xml, or enable `hibernate.transform_hbm_xml.enabled` for on the fly transformation
2025-01-16T09:41:35.286Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.deprecation - HHH90000028: Support for `<hibernate-mappings/>` is deprecated [INPUT_STREAM : jar:nested:/usr/share/xroad/jlib/proxy-ui-api-1.0.jar/!BOOT-INF/lib/serverconf-1.0.jar!/identifiers.hbm.xml]; migrate to orm.xml or mapping.xml, or enable `hibernate.transform_hbm_xml.enabled` for on the fly transformation
2025-01-16T09:41:35.774Z INFO [xroad-proxy[] [qtp1918144733-48[] e.r.x.p.c.AbstractClientProxyHandler - Received request from 10.30.237.11
2025-01-16T09:41:35.863Z ERROR [xroad-proxy[] [qtp1918144733-48[] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
  at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2025-01-16T09:41:35.864Z ERROR [xroad-proxy[] [qtp1918144733-48[] e.r.x.p.c.AbstractClientProxyHandler - Request processing error (4d9fefa8-dc3a-4883-902e-d05717aace55)
ee.ria.xroad.common.CodedException: Server.ClientProxy.MalformedGlobalConf.InternalError: Could not read instance identifier of this security server
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.loadInstanceIdentifier(VersionedConfigurationDirectory.java:393)
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.<init>(VersionedConfigurationDirectory.java:92)
  at ee.ria.xroad.common.conf.globalconf.GlobalConfImpl.<init>(GlobalConfImpl.java:80)
2025-01-16T09:41:35.931Z INFO [xroad-proxy[] [qtp1918144733-39[] e.r.x.p.c.AbstractClientProxyHandler - Received request from 10.30.237.11
2025-01-16T09:41:35.931Z ERROR [xroad-proxy[] [qtp1918144733-39[] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
  at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2025-01-16T09:41:35.932Z ERROR [xroad-proxy[] [qtp1918144733-39[] e.r.x.p.c.AbstractClientProxyHandler - Request processing error (d8221020-0b42-49ce-b29f-bff334ddc3ed)
ee.ria.xroad.common.CodedException: Server.ClientProxy.MalformedGlobalConf.InternalError: Could not read instance identifier of this security server
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.loadInstanceIdentifier(VersionedConfigurationDirectory.java:393)
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.<init>(VersionedConfigurationDirectory.java:92)
  at ee.ria.xroad.common.conf.globalconf.GlobalConfImpl.<init>(GlobalConfImpl.java:80)
2025-01-16T09:41:35.943Z INFO [xroad-proxy[] [qtp1918144733-39[] e.r.x.proxy.clientproxy.RequestLog - 10.30.237.11 - - [16/Jan/2025:09:41:35 +0000] "GET / HTTP/1.1" 200 474 "-" "kube-probe/1.29+" "-"
2025-01-16T09:41:35.944Z INFO [xroad-proxy[] [qtp1918144733-48[] e.r.x.proxy.clientproxy.RequestLog - 10.30.237.11 - - [16/Jan/2025:09:41:35 +0000] "GET / HTTP/1.1" 200 474 "-" "kube-probe/1.29+" "-"
2025-01-16T09:41:36.250Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.deprecation - HHH90000026: CustomPostgreSQLDialect has been deprecated; use org.hibernate.dialect.PostgreSQLDialect instead
2025-01-16T09:41:36.489Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.498Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.499Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.499Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.499Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.499Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.500Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.530Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.530Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.531Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.531Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.532Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:36.532Z WARN [xroad-proxy-ui-api[] [main[] org.hibernate.orm.incubating - HHH90006001: Encountered incubating setting [hibernate.id.db_structure_naming_strategy[].  See javadoc on corresponding `org.hibernate.cfg.AvailableSettings` constant for details.
2025-01-16T09:41:39.435Z WARN [xroad-proxy-ui-api[] [main[] org.yaml.snakeyaml.introspector - Failed to find field for org.niis.xroad.securityserver.restapi.config.AcmeProperties.eab-credentials
2025-01-16T09:41:39.436Z WARN [xroad-proxy-ui-api[] [main[] org.yaml.snakeyaml.introspector - Failed to find field for org.niis.xroad.securityserver.restapi.config.AcmeProperties$EabCredentials.certificate-authorities
2025-01-16T09:41:39.436Z WARN [xroad-proxy-ui-api[] [main[] org.yaml.snakeyaml.introspector - Failed to find field for org.niis.xroad.securityserver.restapi.config.AcmeProperties$CA.mac-key-base64-encoded
2025-01-16T09:41:39.436Z WARN [xroad-proxy-ui-api[] [main[] org.yaml.snakeyaml.introspector - Failed to find field for org.niis.xroad.securityserver.restapi.config.AcmeProperties$Credentials.mac-key
2025-01-16T09:41:39.436Z WARN [xroad-proxy-ui-api[] [main[] org.yaml.snakeyaml.introspector - Failed to find field for org.niis.xroad.securityserver.restapi.config.AcmeProperties$Credentials.auth-mac-key
2025-01-16T09:41:39.436Z WARN [xroad-proxy-ui-api[] [main[] org.yaml.snakeyaml.introspector - Failed to find field for org.niis.xroad.securityserver.restapi.config.AcmeProperties$Credentials.sign-mac-key
2025-01-16T09:41:39.436Z WARN [xroad-proxy-ui-api[] [main[] org.yaml.snakeyaml.introspector - Failed to find field for org.niis.xroad.securityserver.restapi.config.AcmeProperties$Credentials.auth-kid
2025-01-16T09:41:39.437Z WARN [xroad-proxy-ui-api[] [main[] org.yaml.snakeyaml.introspector - Failed to find field for org.niis.xroad.securityserver.restapi.config.AcmeProperties$Credentials.sign-kid
2025-01-16T09:41:39.438Z WARN [xroad-proxy-ui-api[] [main[] o.n.x.s.restapi.config.AcmeConfig - Failed to load yaml configuration from file [/etc/xroad/conf.d/acme.yml]
java.nio.file.NoSuchFileException: /etc/xroad/conf.d/acme.yml
  at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2025-01-16T09:41:40.667Z WARN [xroad-proxy-ui-api[] [main[] o.s.s.c.a.web.builders.WebSecurity - You are asking Spring Security to ignore Deferred [Mvc [pattern='/api/v1/openapi.yaml'], Ant [pattern='/api/v1/openapi.yaml']]. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2025-01-16T09:41:45.729Z INFO [xroad-proxy[] [qtp1918144733-58[] e.r.x.p.c.AbstractClientProxyHandler - Received request from 10.30.237.11
2025-01-16T09:41:45.729Z INFO [xroad-proxy[] [qtp1918144733-57[] e.r.x.p.c.AbstractClientProxyHandler - Received request from 10.30.237.11
2025-01-16T09:41:45.729Z ERROR [xroad-proxy[] [qtp1918144733-58[] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
  at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2025-01-16T09:41:45.729Z ERROR [xroad-proxy[] [qtp1918144733-58[] e.r.x.p.c.AbstractClientProxyHandler - Request processing error (dda95d98-fe21-432e-b187-1061d60ab4fc)
ee.ria.xroad.common.CodedException: Server.ClientProxy.MalformedGlobalConf.InternalError: Could not read instance identifier of this security server
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.loadInstanceIdentifier(VersionedConfigurationDirectory.java:393)
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.<init>(VersionedConfigurationDirectory.java:92)
  at ee.ria.xroad.common.conf.globalconf.GlobalConfImpl.<init>(GlobalConfImpl.java:80)
2025-01-16T09:41:45.729Z ERROR [xroad-proxy[] [qtp1918144733-57[] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
  at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
  at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2025-01-16T09:41:45.730Z ERROR [xroad-proxy[] [qtp1918144733-57[] e.r.x.p.c.AbstractClientProxyHandler - Request processing error (b1f24eb1-b776-48a8-8cc9-a2780360c2a3)
ee.ria.xroad.common.CodedException: Server.ClientProxy.MalformedGlobalConf.InternalError: Could not read instance identifier of this security server
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.loadInstanceIdentifier(VersionedConfigurationDirectory.java:393)
  at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.<init>(VersionedConfigurationDirectory.java:92)
  at ee.ria.xroad.common.conf.globalconf.GlobalConfImpl.<init>(GlobalConfImpl.java:80)
2025-01-16T09:41:45.730Z INFO [xroad-proxy[] [qtp1918144733-58[] e.r.x.proxy.clientproxy.RequestLog - 10.30.237.11 - - [16/Jan/2025:09:41:45 +0000] "GET / HTTP/1.1" 200 474 "-" "kube-probe/1.29+" "-"
2025-01-16T09:41:45.730Z INFO [xroad-proxy[] [qtp1918144733-57[] e.r.x.proxy.clientproxy.RequestLog - 10.30.237.11 - - [16/Jan/2025:09:41:45 +0000] "GET / HTTP/1.1" 200 474 "-" "kube-probe/1.29+" "-"  
SOAP
<SOAP-ENV:Envelope>
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>
Server.ClientProxy.MalformedGlobalConf.InternalError
</faultcode>
<faultstring>
Could not read instance identifier of this security server
</faultstring>
<faultactor/>
<detail>
<faultDetail>9e4a4de0-fb3f-4152-ad66-51e54a6d1a2d</faultDetail>
</detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

And the config is the same:

Non Working (prd)

Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gcba
  namespace: gcba
  labels:
    app: gcba
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gcba
  template:
    metadata:
      labels:
        app: gcba
    spec:
      volumes:
        - name: xroad-persistent-storage
          persistentVolumeClaim:
            claimName: gcba-lib
        - name: xroad-etc-storage
          persistentVolumeClaim:
            claimName: gcba-etc
        - name: xroad-config
          configMap:
            name: gcba-environment
            defaultMode: 420
        - name: xroad-secrets
          secret:
            secretName: gcba
            defaultMode: 420
        - name: ssh-key-secret
          secret:
            secretName: gcba-ssh-key
            items:
              - key: SSH_PUBLIC_KEY
                path: id_rsa.pub
                mode: 420
            defaultMode: 420
      containers:
        - name: app
          image: niis/xroad-security-server-sidecar:7.5.0-slim
          ports:
            - containerPort: 8443
              protocol: TCP
            - containerPort: 4000
              protocol: TCP
            - containerPort: 5500
              protocol: TCP
            - containerPort: 5577
              protocol: TCP
            - containerPort: 5588
              protocol: TCP
            - containerPort: 22
              protocol: TCP
          envFrom:
            - configMapRef:
                name: gcba-environment
            - secretRef:
                name: gcba
          resources:
            limits:
              cpu: '2'
              memory: 3Gi
            requests:
              cpu: '2'
              memory: 3Gi
          volumeMounts:
            - name: xroad-persistent-storage
              mountPath: /var/lib/xroad
            - name: xroad-config
              mountPath: /etc/xroad/config
            - name: xroad-secrets
              mountPath: /etc/xroad/secrets
            - name: xroad-etc-storage
              mountPath: /etc/xroad
            - name: ssh-key-secret
              mountPath: /etc/.ssh/
          livenessProbe:
            httpGet:
              path: /
              port: 8080
              scheme: HTTP
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /
              port: 8080
              scheme: HTTP
            timeoutSeconds: 6
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 1
          startupProbe:
            httpGet:
              path: /
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 20
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 60
          imagePullPolicy: Always
          securityContext:
            capabilities:
              add:
                - NET_BIND_SERVICE
                - SYS_ADMIN
              drop:
                - ALL
            privileged: true
            runAsUser: 0
            runAsNonRoot: false
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      serviceAccountName: gcba
      securityContext:
        fsGroup: 1000
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
Service
apiVersion: v1
kind: Service
metadata:
  name: gcba
  namespace: gcba
  labels:
    app: gcba
spec:
  ports:
    - name: http
      protocol: TCP
      port: 8443
      targetPort: 8443
    - name: service1
      protocol: TCP
      port: 8080
      targetPort: 4000
    - name: service2
      protocol: TCP
      port: 5500
      targetPort: 5500
    - name: service3
      protocol: TCP
      port: 5577
      targetPort: 5577
  selector:
    app: gcba
  type: ClusterIP
  sessionAffinity: None
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gcba
  namespace: gcba
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/configuration-snippet: set $auth_mode "not-required";
    nginx.ingress.kubernetes.io/proxy-read-timeout: '600'
    nginx.ingress.kubernetes.io/proxy-send-timeout: '600'
spec:
  ingressClassName: nginx-internal
  tls:
    - hosts:
        - gcba.prd.kavak.io
  rules:
    - host: gcba.prd.kavak.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gcba
                port:
                  number: 8443
@petkivim
Contributor

Hi @cruznick! The logs look normal for a new Security Server deployment. The errors related to the missing instance identifier and anchor file are expected since the Security Server hasn't been initialised yet.

However, since you're using volumes, the configuration data should be persisted and it shouldn't be lost when recreating the containers. Did you keep the previously created volumes when recreating the stack?

The following configuration directories should be persisted to volumes:

  • /etc/xroad
  • /var/lib/xroad

Also, do you use a local or remote database? If you use a local database, the db's data directory (/var/lib/postgresql/16/main) must be persisted to a volume too. That seems to be missing from your configuration (not an issue if you use a remote database).
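The persistence check described in this comment, as an added TypeScript example that is not part of the thread or of the X-Road project. The volume and mount lists are copied from the prd Deployment manifest above; the function names and the variant without the `/etc/xroad` mount are constructed for illustration.

```typescript
// Added example (not from the thread): report which of the directories a
// Security Server must keep are NOT backed by a PersistentVolumeClaim.
type VolumeKind = 'pvc' | 'configMap' | 'secret';
type Volume = { name: string; kind: VolumeKind };
type Mount = { name: string; mountPath: string };
type Backing = { path: string; volume: string | null; kind: VolumeKind | 'none'; persistent: boolean };

// Directories named in the comment above. The PostgreSQL data directory only
// matters when the database runs inside the container (local database).
const REQUIRED_DIRS: string[] = ['/etc/xroad', '/var/lib/xroad'];
const LOCAL_DB_DIR = '/var/lib/postgresql/16/main';

// Strip trailing slashes so '/etc/.ssh/' and '/etc/.ssh' compare equal.
function norm(p: string): string {
  const t = p.replace(/\/+$/, '');
  return t === '' ? '/' : t;
}

// True when `path` is the mount point itself or lies beneath it.
function isUnder(path: string, mountPath: string): boolean {
  const p = norm(path);
  const m = norm(mountPath);
  return m === '/' || p === m || p.indexOf(m + '/') === 0;
}

// The deepest mount covering a path decides which volume the process sees there.
function resolveBacking(path: string, volumes: Volume[], mounts: Mount[]): Backing {
  let best: Mount | null = null;
  for (const m of mounts) {
    if (!isUnder(path, m.mountPath)) continue;
    if (best === null || norm(m.mountPath).length > norm(best.mountPath).length) best = m;
  }
  if (best === null) return { path, volume: null, kind: 'none', persistent: false };
  const chosen: Mount = best;
  const vol = volumes.filter((v) => v.name === chosen.name)[0];
  if (vol === undefined) return { path, volume: chosen.name, kind: 'none', persistent: false };
  return { path, volume: vol.name, kind: vol.kind, persistent: vol.kind === 'pvc' };
}

// Required directories whose contents would be lost when the pod is recreated.
function unpersistedDirs(volumes: Volume[], mounts: Mount[], localDb: boolean): string[] {
  const dirs = localDb ? [...REQUIRED_DIRS, LOCAL_DB_DIR] : REQUIRED_DIRS;
  return dirs.filter((d) => !resolveBacking(d, volumes, mounts).persistent);
}

// Volumes and volumeMounts as they appear in the prd Deployment manifest.
const volumes: Volume[] = [
  { name: 'xroad-persistent-storage', kind: 'pvc' },
  { name: 'xroad-etc-storage', kind: 'pvc' },
  { name: 'xroad-config', kind: 'configMap' },
  { name: 'xroad-secrets', kind: 'secret' },
  { name: 'ssh-key-secret', kind: 'secret' },
];
const mounts: Mount[] = [
  { name: 'xroad-persistent-storage', mountPath: '/var/lib/xroad' },
  { name: 'xroad-config', mountPath: '/etc/xroad/config' },
  { name: 'xroad-secrets', mountPath: '/etc/xroad/secrets' },
  { name: 'xroad-etc-storage', mountPath: '/etc/xroad' },
  { name: 'ssh-key-secret', mountPath: '/etc/.ssh/' },
];
// Constructed variant: the same spec with the /etc/xroad mount left out.
const mountsWithoutEtc: Mount[] = mounts.filter((m) => m.name !== 'xroad-etc-storage');

console.log('remote db, manifest mounts:', unpersistedDirs(volumes, mounts, false));
console.log('local db, manifest mounts: ', unpersistedDirs(volumes, mounts, true));
console.log('remote db, no etc mount:   ', unpersistedDirs(volumes, mountsWithoutEtc, false));
console.log(resolveBacking('/etc/xroad/globalconf/instance-identifier', volumes, mounts));
```

The last line shows which volume would hold the `instance-identifier` file that the log complains about; paths under `/etc/xroad/config` and `/etc/xroad/secrets` resolve to the configMap and secret instead, because those mounts sit deeper than the PVC mount.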

@cruznick
Author

Hi, both are persisted as volumes on an EFS, and the DB is an RDS Aurora PG 16 whose config is loaded as env vars. The problem is that I'm not able to see the admin UI to initialize the setup so the Gov instance can see my server.

@cruznick
Author

Here is the code snippet that binds the volumes:

import * as k8s from '@pulumi/kubernetes';
import * as configMap from './configmap';
import * as secret from './secret';
import { productName, kubernetesStack, config } from '../base';
import { serviceAccount } from './serviceAccount';
import { pvcLib, pvcEtc } from './persistentVolumeClaim';

new k8s.apps.v1.Deployment(
  productName,
  {
    metadata: {
      name: productName,
      namespace: productName,
      labels: {
        app: productName,
        type: `app`,
      },
    },
    spec: {
      replicas: 1,
      selector: {
        matchLabels: {
          app: productName,
          type: `app`,
        },
      },
      template: {
        metadata: {
          labels: {
            app: productName,
            type: `app`,
          },
        },
        spec: {
          serviceAccountName: serviceAccount.metadata.name,
          securityContext: {
            fsGroup: 1000,
          },
          volumes: [
            {
              name: 'xroad-persistent-storage',
              persistentVolumeClaim: {
                claimName: pvcLib.metadata.name,
              },
            },
            {
              name: 'xroad-etc-storage',
              persistentVolumeClaim: {
                claimName: pvcEtc.metadata.name,
              },
            },
            {
              name: 'xroad-config',
              configMap: {
                name: configMap.gcbaEnv.metadata.name,
              },
            },
            // {
            //   name: 'xroad-properties',
            //   configMap: {
            //     name: configMap.xroadConfig.metadata.name,
            //   },
            // },
            // {
            //   name: 'xroad-db-properties',
            //   configMap: {
            //     name: configMap.xroadDbProperties.metadata.name,
            //   },
            // },
            {
              name: 'xroad-secrets',
              secret: {
                secretName: secret.gcbaSecret.metadata.name,
              },
            },
            {
              name: 'ssh-key-secret',
              secret: {
                secretName: secret.sshKeySecret.metadata.name,
                items: [
                  {
                    key: 'SSH_PUBLIC_KEY',
                    path: 'id_rsa.pub',
                    mode: 0o644, // Ensure read permissions
                  },
                ],
              },
            },
          ],
          containers: [
            {
              name: 'app',
              imagePullPolicy: 'Always',
              image: `niis/xroad-security-server-sidecar:${config.require('imageTag')}`,
              volumeMounts: [
                {
                  name: 'xroad-persistent-storage',
                  mountPath: '/var/lib/xroad',
                },
                {
                  name: 'xroad-config',
                  mountPath: '/etc/xroad/config',
                },
                {
                  name: 'xroad-secrets',
                  mountPath: '/etc/xroad/secrets',
                },
                {
                  name: 'ssh-key-secret',
                  mountPath: '/etc/.ssh/',
                },
              ],
              envFrom: [
                { configMapRef: { name: configMap.gcbaEnv.metadata.name } },
                { secretRef: { name: secret.gcbaSecret.metadata.name } },
              ],
              startupProbe: {
                httpGet: {
                  path: '/',
                  port: 8080,
                },
                periodSeconds: 10,
                failureThreshold: 60,
                initialDelaySeconds: 20,
              },
              livenessProbe: {
                httpGet: {
                  path: '/',
                  port: 8080,
                },
                periodSeconds: 10,
                successThreshold: 1,
                failureThreshold: 5,
              },
              readinessProbe: {
                httpGet: {
                  path: '/',
                  port: 8080,
                },
                periodSeconds: 10,
                timeoutSeconds: 6,
                failureThreshold: 1,
              },
              ports: [
                { containerPort: 8443 },
                { containerPort: 4000 },
                { containerPort: 5588 },
                { containerPort: 22 },
              ],
              securityContext: {
                runAsNonRoot: false,
                runAsUser: 0,
                privileged: true,
                capabilities: {
                  drop: ['ALL'],
                  add: ['NET_BIND_SERVICE', 'SYS_ADMIN'],
                },
              },
              resources: {
                requests: {
                  cpu: '2', // 2 CPU cores
                  memory: '3Gi', // 3 GiB of memory
                },
                limits: {
                  cpu: '2', // 2 CPU cores
                  memory: '3Gi', // 3 GiB of memory
                },
              },
            },
          ],
        },
      },
    },
  },
  {
    provider: kubernetesStack.provider,
  },
);

The commented-out part is where I was attempting to write directly to /etc/xroad/db.properties and /etc/xroad.config; it made no difference.

Right now I'm trying to directly bind all ports, but the issue is mostly the same:

service:

import { productName, kubernetesStack } from '../base';
import * as k8s from '@pulumi/kubernetes';

export const service = new k8s.core.v1.Service(
  productName,
  {
    metadata: {
      name: productName,
      namespace: productName,
    },
    spec: {
      selector: {
        app: productName,
      },
      ports: [
        {
          protocol: 'TCP',
          port: 8443,
          targetPort: 8443,
          name: 'consumer-info', // Main service
        },
        {
          protocol: 'TCP',
          port: 4000,
          targetPort: 4000,
          name: 'admin', // Admin interface
        },
        {
          protocol: 'TCP',
          port: 5588,
          targetPort: 5588,
          name: 'healthcheck', // Health check
        },
      ],
    },
  },
  {
    provider: kubernetesStack.provider,
  },
);

Ingress:

import * as k8s from '@pulumi/kubernetes';
import * as pulumi from '@pulumi/pulumi';
import * as service from './service';
import { productName, kubernetesStack, hostedZoneStack } from '../base';

export const serviceUrl = pulumi.interpolate`${productName}.${hostedZoneStack.default.name}`;

new k8s.networking.v1.Ingress(
  productName,
  {
    metadata: {
      name: productName,
      namespace: productName,
      annotations: {
        'nginx.ingress.kubernetes.io/configuration-snippet': 'set $auth_mode "not-required";',
        'nginx.ingress.kubernetes.io/proxy-read-timeout': '600',
        'nginx.ingress.kubernetes.io/proxy-send-timeout': '600',
        'nginx.ingress.kubernetes.io/backend-protocol': 'https',
      },
    },
    spec: {
      ingressClassName: 'nginx-internal',
      tls: [
        {
          hosts: [serviceUrl],
        },
      ],
      rules: [
        {
          host: serviceUrl,
          http: {
            paths: [
              {
                path: '/',
                pathType: 'Prefix',
                backend: {
                  service: {
                    name: service.service.metadata.name,
                    port: {
                      number: 8443, // Main service
                    },
                  },
                },
              },
              {
                path: '/admin',
                pathType: 'Prefix',
                backend: {
                  service: {
                    name: service.service.metadata.name,
                    port: {
                      number: 4000, // Admin interface
                    },
                  },
                },
              }
            ],
          },
        },
      ],
    },
  },
  {
    provider: kubernetesStack.provider,
  },
);

But the results are mostly the same:
https://gcba.prd.kavak.io/login (as you can see, I can reach the login path but nothing more)

<SOAP-ENV:Envelope>
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>Server.ClientProxy.OutdatedGlobalConf</faultcode>
<faultstring>Global configuration is expired</faultstring>
<faultactor/>
<detail>
<faultDetail>385c85df-3cbf-473d-94ef-9c3fd0d9fa53</faultDetail>
</detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

@petkivim
Contributor

petkivim commented Jan 16, 2025

Based on the error message, the URL https://gcba.prd.kavak.io/login is currently routing to port 8443 while it should be routing to port 4000. The error message is returned by the Security Server's messaging interface running on port 8443.

In the above configuration that you shared, the path /admin seems to be routing to port 4000. Have you tried to access the URL https://gcba.prd.kavak.io/admin?
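How the Ingress rules shared in this thread choose between port 8443 and port 4000, as an added TypeScript example (not code from the thread or from X-Road). It models the Kubernetes Ingress `Prefix` and `Exact` path matching rules; the function names are assumptions made for the illustration, and the two rule sets are copied from the prd manifest and the Pulumi Ingress above.

```typescript
// Added example (not from the thread): resolve which backend port an Ingress
// sends a request path to, following the Kubernetes Ingress path rules.
type PathType = 'Prefix' | 'Exact';
type IngressPath = { path: string; pathType: PathType; port: number };

// Split on '/' and drop empty elements, so '/admin' and '/admin/' are equal.
function segments(p: string): string[] {
  return p.split('/').filter((s) => s.length > 0);
}

// Prefix matching is element by element: '/admin' matches '/admin/login'
// but not '/administrator'. Exact matching compares the whole path.
function pathMatches(rule: IngressPath, requestPath: string): boolean {
  if (rule.pathType === 'Exact') return rule.path === requestPath;
  const want = segments(rule.path);
  const got = segments(requestPath);
  return want.length <= got.length && want.every((seg, i) => seg === got[i]);
}

// The longest matching path wins; on a tie, Exact beats Prefix.
function selectBackendPort(rules: IngressPath[], requestPath: string): number | null {
  let best: IngressPath | null = null;
  for (const rule of rules) {
    if (!pathMatches(rule, requestPath)) continue;
    if (best === null) {
      best = rule;
      continue;
    }
    const longer = rule.path.length > best.path.length;
    const tieExact =
      rule.path.length === best.path.length && rule.pathType === 'Exact' && best.pathType !== 'Exact';
    if (longer || tieExact) best = rule;
  }
  return best === null ? null : best.port;
}

// Port roles as stated in the thread: 8443 is the messaging interface,
// 4000 is the admin interface.
function describePort(port: number | null): string {
  if (port === 8443) return 'messaging interface (8443)';
  if (port === 4000) return 'admin interface (4000)';
  return port === null ? 'no backend' : 'port ' + port;
}

// Rules from the prd Ingress manifest: a single catch-all path.
const manifestIngress: IngressPath[] = [{ path: '/', pathType: 'Prefix', port: 8443 }];

// Rules from the Pulumi Ingress: catch-all plus /admin.
const pulumiIngress: IngressPath[] = [
  { path: '/', pathType: 'Prefix', port: 8443 },
  { path: '/admin', pathType: 'Prefix', port: 4000 },
];

for (const p of ['/login', '/admin', '/admin/login', '/administrator']) {
  console.log(
    p,
    '| manifest ->', describePort(selectBackendPort(manifestIngress, p)),
    '| pulumi ->', describePort(selectBackendPort(pulumiIngress, p)),
  );
}
```

With either rule set `/login` lands on the messaging interface, which is why the response is a SOAP fault rather than the admin UI.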

@raits added the question (Further information is requested) label Feb 10, 2025