Use of the TUI client #6531
Replies: 3 comments
-
Thanks for the feedback. We'll check the docs versus your feedback.
-
I see that issue got fixed in the latest documents.
@misba7 Do we have any explicit instructions about certificate setup in K8S? If not, then can you add a few lines? You can leverage this content and give a reference.
-
Hi @toroarnaud Setup creates self-signed certificates only if the admin has not already provided a certificate. We have a document here. We are updating the docs to state the above fact explicitly. cc: @misba7
-
Hi,
It's just to share my experience to save others' time when facing the same issue.
First, there is an error in the documentation in the Kubernetes Operation Guide > TUI K8s section:

```bash
TUI_CLIENT_ID=$(kubectl get cm cn -n <namespace> --template={{.data.jca_client_id}})
TUI_CLIENT_SECRET=$(kubectl get secret cn -n <namespace> --template={{.data.jca_client_pw}} | base64 -d)
```

In the example, the jca_client is used instead of the tui_client. It will fail (the jca client does not have the device code enabled) and the link to enable the device will never be displayed.
To fix it, just replace jca with tui.
The other issue I've faced (in a Kubernetes env) is because of the use of the self-signed certificate by default. If I am not wrong, the conf-api service tries to access the auth-server service doing an HTTP request during the authorization phase of the request. In Java, an HTTP client request will throw an exception in such a case if the targeted server's certificate is a self-signed certificate:
jakarta.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
If you have a certificate signed by a trusted CA, using it instead of the default self-signed certificate (tls-certificate) will fix the problem. Make sure you use the full chain certificate. A certificate without the intermediate certificate might work in some browsers but not with a Java client (use curl to test, as it will fail too without the full chain).