[Jenkins] FAILURE: CouchDB » Full Platform Builds » main #1119
Boo, we failed. https://ci-couchdb.apache.org/job/jenkins-cm1/job/FullPlatformMatrix/job/main/1119/display/redirect
[I] Option to project secrets as files [couchdb-helm]
bryopsida opened a new issue, #140: URL: https://github.com/apache/couchdb-helm/issues/140 **Is your feature request related to a problem? Please describe.** A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] Several security benchmarking tools look for patterns like this. ``` yaml - name: "ADMINHASH" valueFrom: secretKeyRef: name: somename key: adminHash ``` And mark a finding due to policies such as: - https://avd.aquasec.com/compliance/kubernetes/cis-kubernetes-benchmarks-v1.23-1.23/5.4.1/ - https://www.tenable.com/policies/cloud-security/AC_K8S_0051 - https://www.tenable.com/audits/items/DISA_STIG_Kubernetes_v1r11.audit:fdb2906c002a74a6f822c62bef0d8ed0 **Describe the solution you'd like** A clear and concise description of what you want to happen. It would be nice if there was an option/toggle such as. `secretsAsFiles: true` That when enabled removed all usage such as ``` yaml - name: "ADMINHASH" valueFrom: secretKeyRef: name: somename key: adminHash ``` This would be off/disabled by default to preserve existing behavior and allow users to opt in if they want it. I'm willing to take on the PR to do this but may need some guidance on the preferred way to wire in the values as files. From looking at the manifests the following properties would need to be provided through files. - COUCHDB_ERLANG_COOKIE - COUCHDB_SECRET - COUCHDB_PASSWORD - COUCHDB_USER - ADMINUSERNAME - ADMINHASH -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[Jenkins] FAILURE: CouchDB » Full Platform Builds » main #1118
Boo, we failed. https://ci-couchdb.apache.org/job/jenkins-cm1/job/FullPlatformMatrix/job/main/1118/display/redirect
[PR] fix(imagePullSecrets): restore ability to set image pull secrets [couchdb-helm]
bryopsida opened a new pull request, #139: URL: https://github.com/apache/couchdb-helm/pull/139 What this PR does / why we need it: In the values.yaml file there is a commented out block referring to `imagePullSecrets` but this is not mapped into the statefulset. This restores the ability to use a private images that require a pull secret. Which issue this PR fixes *(optional, in `fixes #(, fixes #, ...)` format, will close that issue when PR gets merged)* - fixes # Special notes for your reviewer: Checklist [Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields. - [x] Chart Version bumped - [ ] e2e tests pass - [ ] Variables are documented in the README.md -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Cleanup a few clauses in fabric_view_changes [couchdb]
nickva merged PR #5060: URL: https://github.com/apache/couchdb/pull/5060 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Cleanup a few clauses in fabric_view_changes [couchdb]
jaydoane commented on code in PR #5060: URL: https://github.com/apache/couchdb/pull/5060#discussion_r1605562243 ## src/fabric/src/fabric_view_changes.erl: ## @@ -295,9 +278,7 @@ handle_message({complete, Props}, Worker, #collector{limit = 0} = State) -> O0 end, maybe_stop(State#collector{offset = O1}); -handle_message({no_pass, Props}, {Worker, From}, #collector{limit = 0} = State) when -is_list(Props) --> +handle_message({no_pass, [_ | _] = Props}, {Worker, From}, #collector{limit = 0} = State) -> Review Comment: Nice use of robot derriere! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[PR] Cleanup a few clauses in fabric_view_changes [couchdb]
nickva opened a new pull request, #5060: URL: https://github.com/apache/couchdb/pull/5060 `#changes{}` record and old `complete` format was deprecated 10 years ago [1]. While at it, cleanup un-necessarily long arg per line call formats. Coincidentally, this also improve code coverage a bit: ``` fabric_view_changes : 72% (pr) fabric_view_changes : 71% (main) ``` [1] https://github.com/apache/couchdb/commit/865b771e6099c9b34b1b14d2428ce02e50c3 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [I] Unexpected JWT auth response "badmatch" [couchdb]
rnewson commented on issue #5059: URL: https://github.com/apache/couchdb/issues/5059#issuecomment-2118112510 :) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [I] Unexpected JWT auth response "badmatch" [couchdb]
rnewson commented on issue #5059: URL: https://github.com/apache/couchdb/issues/5059#issuecomment-2118113271 yup, error handling is poor here, we'll improve it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [I] Unexpected JWT auth response "badmatch" [couchdb]
tommyli commented on issue #5059: URL: https://github.com/apache/couchdb/issues/5059#issuecomment-2118108427 OK, thanks for confirming that the key config is wrong, I worked out what happened. I'm using Keycloak and I used the certificate instead of the public key from the realm settings. The cryptic error is probably trying to parse a public key but was given a certificate, i.e. the error `{"error":"bad_request","reason":"not an RSA public key"}` is a lot more meaningful as soon as I used `-BEGIN CERTIFICATE-` instead of `-BEGIN PUBLIC KEY-`. It's working now, thanks for your help. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [I] Unexpected JWT auth response "badmatch" [couchdb]
tommyli closed issue #5059: Unexpected JWT auth response "badmatch" URL: https://github.com/apache/couchdb/issues/5059 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [I] Unexpected JWT auth response "badmatch" [couchdb]
rnewson commented on issue #5059: URL: https://github.com/apache/couchdb/issues/5059#issuecomment-2118037003 ``` 4> public_key:pem_decode(BinPEM). [{'SubjectPublicKeyInfo',<<48,130,2,181,48,130,1,157,2,6, 1,136,80,108,152,219,48,13,6,9, 42,134,72,134,247,13,...>>, not_encrypted}] 5> [PEMEntry] =public_key:pem_decode(BinPEM). [{'SubjectPublicKeyInfo',<<48,130,2,181,48,130,1,157,2,6, 1,136,80,108,152,219,48,13,6,9, 42,134,72,134,247,13,...>>, not_encrypted}] 6> public_key:pem_entry_decode(PEMEntry). ** exception error: no match of right hand side value {error,{asn1,{{wrong_tag,{{expected,6}, {got,2,{2,<<1,136,80,108,152,219>>, [{'OTP-PUB-KEY',match_tags,2, [{file,"OTP-PUB-KEY.erl"},{line,23999}]}, {'OTP-PUB-KEY',decode_object_identifier,2, [{file,"OTP-PUB-KEY.erl"},{line,23557}]}, {'OTP-PUB-KEY',dec_AlgorithmIdentifier,2, [{file,"OTP-PUB-KEY.erl"},{line,14558}]}, {'OTP-PUB-KEY',dec_SubjectPublicKeyInfo,2, [{file,"OTP-PUB-KEY.erl"},{line,15014}]}, {'OTP-PUB-KEY',decode,2, [{file,"OTP-PUB-KEY.erl"},{line,1232}]}, {public_key,der_decode,2, [{file,"public_key.erl"},{line,358}]}, {public_key,pem_entry_decode,1, [{file,"public_key.erl"},{line,226}]}, {erl_eval,do_apply,6,[{file,"erl_eval.erl"},{line,689}]}]}}} in function public_key:der_decode/2 (public_key.erl, line 362) in call from public_key:pem_entry_decode/1 (public_key.erl, line 226) 7> ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [I] Unexpected JWT auth response "badmatch" [couchdb]
rnewson commented on issue #5059: URL: https://github.com/apache/couchdb/issues/5059#issuecomment-2118029081 we should catch and rethrow as something more presentable, but the config is wrong. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [I] Unexpected JWT auth response "badmatch" [couchdb]
rnewson commented on issue #5059: URL: https://github.com/apache/couchdb/issues/5059#issuecomment-2118028530 I think it's a decode error for the public key in the config, @big-r81 we don't need the token -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [I] Unexpected JWT auth response "badmatch" [couchdb]
big-r81 commented on issue #5059: URL: https://github.com/apache/couchdb/issues/5059#issuecomment-2118006020 Hi, can you paste your JWT token? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[Jenkins] SUCCESS: CouchDB » Full Platform Builds » main #1117
Yay, we passed. https://ci-couchdb.apache.org/job/jenkins-cm1/job/FullPlatformMatrix/job/main/1117/display/redirect
[I] Unexpected JWT auth response "badmatch" [couchdb]
tommyli opened a new issue, #5059: URL: https://github.com/apache/couchdb/issues/5059 Here's the config and I'm running this under Docker. ``` [log] level = debug [chttpd] enable_cors = true require_valid_user_except_for_up = true authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler} [cors] origins = * credentials = true methods = GET, PUT, POST, HEAD, DELETE headers = accept, authorization, content-type, origin, referer, x-csrf-token, cache-control, x-requested-with [couchdb] single_node=true uuid = 6d057d34277b409fdd27f23e6ed6527f default_security = everyone [jwt_auth] required_claims = exp [jwt_keys] rsa:ox0hFY2jKRhMa5Q2Cs63_L1pktqKtivq0EQulGgdV0M = -BEGIN PUBLIC KEY-\nMIICtTCCAZ0CBgGIUGyY2zANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNiaW9pbmZvbWV0aG9kcy10ZXN0MB4XDTIzMDUyNTAwNTkzNFoXDTMzMDUyNTAxMDExNFowHjEcMBoGA1UEAwwTYmlvaW5mb21ldGhvZHMtdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALQRdgwoLJXWunAFCHZzMjY410kMTmVjoFoFRtUL6UJUqXhkhepqqM4JhoGk3Lc7RpXnzcA+7DWt3HQGlFHcOwiNZ3BOv3ZNyQwRCgc0jpI8OCtYCBPH2jjZUvukTKBnMP6ld4iW5i81b7J3ufxFcEldCDqQq/JabH6EFmAAm3Hs/ah6g+x4s4ipdAZ/yd4fuDCGNzc0Mh/sYOh4OnZ5c2Qh+nrw5L1mRbS0H6TC/vL1HOVd5iTT1MZKtK18pyHBJsiXc2FNAXFYU2/qiLFE9TTc5tKm9V+FbYHPBKZafvELRNtKAaPGSDp4NgQDey/+JFT8SEdmOGGVEdmVspVjHhUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAKWxq/h3VtzKFMFlUmyKD+dlOsx0p1zDtHgoTUZC6lDHDhfWMv5216I0+uVazXjqixi/xJdZtQchXthXulUzjHMs6tm/+wMgREf2uDoGDQeWveVIUZQpG+X1M2JQ1hw4Su+jKIhwOZey+/VcmTsL0ZaVqW3q1C1X5TUPCuW3zf/sQyr2blbOquWWoQuCOY3PNN6frnox3tSMzT4PUqVRfh/TqhbfL7mPhqwPOfEDbQPmIleMIcvEfiPtAalmduD49od9U35yCBeZlt6baQnQm9lI0YG29gjpiwQ/ZiFCoV+3t76NDeBPgH/XNA9bFTDoiEPfyzKOqP GML1MJvOvTOyg==\n-END PUBLIC KEY-\n [admins] admin = -pbkdf2-30ee3c0240b4e9c1533ed6671a61c37a88d284c7,bef7d0e2b9283d3a331bff3ad90a2a10,10 ``` Here's the curl test and output. ```bash curl -L -H "Authorization: Bearer $IDTOKEN" http://localhost:5984/_session < HTTP/1.1 500 Internal Server Error < Cache-Control: must-revalidate < Content-Length: 1062 < Content-Type: application/json < Date: Fri, 17 May 2024 15:37:56 GMT < Server: CouchDB/3.3.3 (Erlang OTP/24) < X-Couch-Request-ID: 5ae5a78a5a < X-Couch-Stack-Hash: 655401945 < X-CouchDB-Body-Time: 0 < {"error":"badmatch","reason":"{error,{asn1,{{wrong_tag,{{expected,6},{got,2,{2,<<1,136,80,108,152,219>>,\n [{'OTP-PUB-KEY',match_tags,2,\n [{file,\"OTP-PUB-KEY.erl\"},{line,23999}]},\n {'OTP-PUB-KEY',decode_object_identifier,2,\n [{file,\"OTP-PUB-KEY.erl\"},{line,23557}]},\n {'OTP-PUB-KEY',dec_AlgorithmIdentifier,2,\n [{file,\"OTP-PUB-KEY.erl\"},{line,14558}]},\n {'OTP-PUB-KEY',dec_SubjectPublicKeyInfo,2,\n [{file,\"OTP-PUB-KEY.erl\"},{line,15014}]},\n {'OTP-PUB-KEY',decode,2,[{file,\"OTP-PUB-KEY.erl\"},{line,1232}]},\n {public_key,der_decode,2,[{file,\"public_key.erl\"},{line,358}]},\n {public_key,pem_entry_decode,1,\n [{file,\"public_key.erl\"},{line,226}]},\n {jwtf_keystore,get_from_config,2,\n [{ file,\"src/jwtf_keystore.erl\"},{line,120}]}]}}}","ref":655401945} * Connection #0 to host localhost left intact /0.0s NOTE: Picked up JDK_JAVA_OPTIONS: ``` What does this mean? Even if my configuration is incorrect, this kind of error is a bit cryptic to understand. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [I] Slow couchdb after many queries [couchdb]
luca-simonetti commented on issue #5044: URL: https://github.com/apache/couchdb/issues/5044#issuecomment-2117456407 thank you for the help! We updated couchdb as requested: ```json { "javascript_engine": { "version": "78", "name": "spidermonkey" }, "erlang": { "version": "24.3.4.17", "supported_hashes": [ "blake2s", "blake2b", "sha3_512", "sha3_384", "sha3_256", "sha3_224", "sha512", "sha384", "sha256", "sha224", "sha", "ripemd160", "md5", "md4" ] }, "collation_driver": { "name": "libicu", "library_version": "70.1", "collator_version": "153.112", "collation_algorithm_version": "14" } }``` but unfortunately didn't help. The problem is still the same -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Update erlang versions for convenience binary packages [couchdb-www]
big-r81 merged PR #68: URL: https://github.com/apache/couchdb-www/pull/68 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org