NeuVector Manager pod error / Web UI unavailable (chart 2.8.0) #442

Open
tjmullicani opened this issue Sep 23, 2024 · 2 comments

@tjmullicani

Environment
Platform: Azure AKS
Kubernetes/Platform Version(s): 1.30.3

Describe the bug

neuvector-manager-pod error and NeuVector web UI is unavailable.

To Reproduce

Verify Kubernetes worker node is running in FIPS mode.

root [ / ]# cat /proc/sys/crypto/fips_enabled
1

I am using NeuVector helm chart version 2.8.0.

helm repo add neuvector https://neuvector.github.io/neuvector-helm/
helm repo update
helm install \
  -n neuvector \
  --create-namespace \
  --version 2.8.0 \
  neuvector-core \
  neuvector/core

neuvector-manager-pod logs (helm chart version 2.8.0)

Exception in thread "main" java.lang.ExceptionInInitializerError
	at com.neu.web.Rest.main(Rest.scala)
Caused by: java.security.ProviderException: Could not initialize NSS
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:260)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:144)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:141)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:141)
	at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:251)
	at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:242)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:242)
	at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:222)
	at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
	at java.base/sun.security.jca.ProviderList.getService(ProviderList.java:379)
	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
	at java.base/java.security.Security.getImpl(Security.java:733)
	at java.base/java.security.MessageDigest.getInstance(MessageDigest.java:178)
	at com.neu.core.Md5$.hash(AuthenticationManager.scala:199)
	at com.neu.web.StaticResources$class.$init$(StaticResources.scala:46)
	at com.neu.web.Rest$.<init>(Rest.scala:6)
	at com.neu.web.Rest$.<clinit>(Rest.scala)
	... 1 more
Caused by: java.io.IOException: configDir must be a directory: /etc/pki/nssdb
	at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:218)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:255)
	... 19 more

Expected behavior

The NeuVector web UI should be accessible.

neuvector-manager-pod logs (helm chart version 2.7.9)

2024-09-22 19:15:30,373|INFO |MANAGER|com.neu.web.Rest$(sslContext:31): Import manager's certificate and private key to manager's keystore
2024-09-22 19:15:30,380|INFO |MANAGER|com.neu.web.Rest$(sslContext:65): PKCS#1 private key is being used

Additional context
I believe this is due to my Kubernetes nodes running in FIPS mode (which blocks MD5 algorithm use). Helm chart version 2.7.9 works fine.
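
A triage helper for the log above, added here as an example (not part of the original issue and not NeuVector code): it pulls the innermost `Caused by:` line from a manager log, extracts the NSS `configDir` path that line names, and checks that path and the kernel FIPS flag under a given filesystem root. The function names are assumptions of this example, and the sample log is a constructed excerpt of the trace above.

```shell
#!/bin/sh
# Added triage example; function names are hypothetical, not NeuVector tooling.

# write_sample_log FILE: constructed excerpt of the stack trace in this issue.
write_sample_log() {
    cat > "$1" <<'EOF'
Exception in thread "main" java.lang.ExceptionInInitializerError
	at com.neu.web.Rest.main(Rest.scala)
Caused by: java.security.ProviderException: Could not initialize NSS
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:260)
	at java.base/java.security.MessageDigest.getInstance(MessageDigest.java:178)
	at com.neu.core.Md5$.hash(AuthenticationManager.scala:199)
Caused by: java.io.IOException: configDir must be a directory: /etc/pki/nssdb
	at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:218)
EOF
}

# root_cause FILE: the last "Caused by:" line is the innermost exception.
root_cause() {
    grep '^Caused by: ' "$1" | tail -n 1 | sed 's/^Caused by: //'
}

# nss_config_dir FILE: path named by the "configDir must be a directory" error.
nss_config_dir() {
    sed -n 's/^Caused by: .*configDir must be a directory: \(.*\)$/\1/p' "$1" | tail -n 1
}

# diagnose ROOT FILE: ROOT is the filesystem root to inspect ("" inside the pod).
# Reports the FIPS flag and whether the NSS configDir from the log exists there.
diagnose() {
    root=$1
    log=$2
    fips=$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null) || fips=unknown
    dir=$(nss_config_dir "$log")
    if [ -z "$dir" ]; then
        echo "fips=$fips no-nss-configdir-error"
        return 0
    fi
    if [ -d "$root$dir" ]; then state=present; else state=missing; fi
    echo "fips=$fips configDir=$dir $state"
}

# Usage: sh triage.sh ROOT LOGFILE
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
fi
```
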

@tjmullicani
Author

neuvector/neuvector#1573

@Sbennett99

Is anything happening with this?
