ON-PREM : Helm : Override the dslCompiler image used via values.yaml

Due to running our own Certificate Authority, I need to address the following error.  But, I can tell that the image being brought down by the automation worker is the default one, and not my specified one.

ERROR:

DSL processing started
Using Automation DSL runtime version 1.1.1596
Cleaned up the output folder: /tmp/8326280698569383276
Exception in thread "main" runtime.net.XHRException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at runtime.net.KtorHttpKt.ktorClientRequest(KtorHttp.kt:146)

 

Automation worker log - showing wrong image being used
20:03:57.885 INFO  [WORKER_LOG_LINE@default] INFO  c.p.c.r.SingleProcessComposeRunner - 1 container(s) started: public-registry-jetbrains-space-p-space-containers-space-automation-dsl-compile-2022-1-0-BETA-1596_9159041816704179305
20:04:00.089 INFO  [WORKER_LOG_LINE@default] INFO  c.p.c.r.SingleProcessComposeRunner - Service public-registry-jetbrains-space-p-space-containers-space-automation-dsl-compile-2022-1-0-BETA-1596_9159041816704179305 execution finished with exit code 1

 

Evidence in which images docker has loaded
webtask@trainintspcwrk001:~$ docker image ls
REPOSITORY                                                                        TAG                  IMAGE ID       CREATED       SIZE
nexus.webadmin.rainhail.com/rainhail/space-automation-worker-2022.1.0-beta.1596   1.0.0                eb5449fa01ad   3 days ago    563MB
public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile   2022.1.0-BETA.1596   20d30bc83d3f   2 weeks ago   565MB

 

1. I am running an automation worker via Docker
2. I am running space via K8S

relevant values.yaml

space:
  automation:
    dslCompiler:
      image:
        registry: "nexus.webadmin.rainhail.com/rainhail"
        repository: "space-automation-dsl-compile-2022.1.0-beta.1596"
        tag: "1.0.0"

 

In looking at the docker compose file that is being created, it is using the default image, not the one supplied in the values.yaml:
/tmp/jetbrains/space/automation/worker/data/steps-8nfW91iuPSO-8nfW91iuPSO-1/worker-data/docker-compose-8nfW91iuPSO.yml

version: "2.4"
services:
  public-registry-jetbrains-space-p-space-containers-space-automation-dsl-compile-2022-1-0-BETA-1596_6478632853887834916:
    image: "public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596"
    container_name: "public-registry-jetbrains-space-p-space-containers-space-automation-dsl-compile-2022-1-0-BETA-1596_6478632853887834916"

...
0
8 comments

While waiting for feedback, I am using this work-around.  I am tagging my image with the name of the default image being used by the automation worker.

sudo docker tag nexus.webadmin.rainhail.com/rainhail/space-automation-dsl-compile-2022.1.0-beta.1596:1.0.0 public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596

0

Hi Brooke Hedrick, could you please share the space-conf ConfigMap details with us for further investigation? Just in case, below is the command needed:

kubectl -n $namespace get cm $configmap_name -o yaml

Please submit a support request if there's any sensitive info there. Thanks!

0

kubectl -n space-ns get cm jb-space-space-conf -o yaml

apiVersion: v1
data:
  app.conf: "\nktor {\n    deployment {\n        environment = production\n        port
    = 8084\n        internalPort = 9084\n        autoreload = false\n        callGroupSize
    = 8\n    }\n\n    application {\n        modules = [circlet.server.ServerKt.main]\n
    \   }\n}\n\ncirclet {\n    stackName = \"Space On-Premises\"\n\n    server {\n
    \       features = [apiRules, onPremise]\n        enabledFeatureFlags = [FULL_TEXT_SEARCH_FOR_CODE_SNIPPETS_IN_CHAT_MESSAGES,
    APP_AUTH_IN_CHAT, SHOW_CHECKLISTS_IN_DOCUMENTS, APPLICATION_WEBHOOKS, APPLICATION_WEBHOOKS_UI_V2,
    SHOW_FILES_IN_DOCUMENTS, CALDAV_ALL_EVENTS, CODE_REVIEW_DETAILS_V2, CALDAV_WRITE_OPS,
    FTS_GOTO_AGGREGATOR_FLOW]\n        enableSqlTracing = false\n        enableExternalApiTracing
    = false\n        enableAutomationInternalsConfiguration = true\n        enableActiveAppTracker
    = true\n        dumpStacksOnExit = false\n        httpApiTimeout = 60000\n        dontFailOnLargeBatches
    = true\n        rpcTimeout = 60000\n        permissionCacheCalculationInterval
    = 2000\n        dbCacheCalculationTimeoutMs = 60000\n        pidFileName = \".main_app.pid\"\n
    \       orgInitTimeout = 180000\n    }\n\n    onprem {\n        jetSalesURL =
    \"https://account.jetbrains.com\"\n    }\n\n    push {\n        proxy {\n            url
    = \"https://on-premises.service.jetbrains.space\"\n        }\n    }\n\n    preload
    {\n        defaultProviders = [PreloadSpaceFeedAdvertiser, PreloadDefaultNotificationSettings,
    PreloadGeneralChannel]\n        builtinAuthModule {\n            enabled = true\n
    \       }\n        admin {\n            firstName   = ${SPACE_LOCAL_ADMIN_FIRSTNAME}\n
    \           lastName    = ${SPACE_LOCAL_ADMIN_LASTNAME}\n            username
    \   = ${SPACE_LOCAL_ADMIN_USERNAME}\n            email       = ${SPACE_LOCAL_ADMIN_EMAIL}\n
    \           password    = ${SPACE_LOCAL_ADMIN_PASSWORD}\n        }\n    }\n\n
    \   masterSecret = ${SPACE_MASTER_SECRET}\n\n    db {\n        type         =
    \"postgresql\"\n        schemaPrefix = \"crclt_\"\n        host         = ${DB_HOSTNAME}\n
    \       username     = ${DB_USERNAME}\n        password     = ${DB_PASSWORD}\n\n
    \       postgresql {\n            driver  = \"org.postgresql.Driver\"\n            url
    \    = ${DB_URL}\n        }\n\n        pool {\n            vendor = \"hikari\"\n\n
    \           maxActive = 96\n            minIdle   = ${DB_IDLE_POOL_SIZE}\n        }\n\n
    \       debug {\n            similar_queries_count_threshold = 10\n            all_queries_count_threshold
    \    = 100\n        }\n    }\n\n    organization {\n        // TODO: remove it
    when the new build is here: CRL-T-14412\n        name   = ${SPACE_ORGANIZATION_NAME}\n
    \       slogan = ${SPACE_ORGANIZATION_SLOGAN}\n        domain = \"space\"\n        schema
    = \"spacedb\"\n    }\n\n    bus {\n        engine = \"redis\"\n        host =
    ${REDIS_URL}\n        type = ${REDIS_ARCHITECTURE}\n        username = ${?REDIS_USERNAME}\n
    \       password = ${?REDIS_PASSWORD}\n    }\n\n    storage {\n        aws {\n
    \           region        = ${SPACE_STORAGE_REGION}\n            bucket        =
    ${SPACE_STORAGE_BUCKET_NAME}\n            bucketCreated = ${?SPACE_STORAGE_BUCKET_CREATED}\n
    \           endpoint      = ${SPACE_STORAGE_URL}\n            accessKey     =
    ${SPACE_STORAGE_ACCESS_KEY}\n            secretKey     = ${SPACE_STORAGE_SECRET_KEY}\n
    \           cacheMaxAge   = 86400\n        }\n        elastic {\n            host
    \   = ${SPACE_STORAGE_ELASTIC_HOSTNAME}\n            port    = ${SPACE_STORAGE_ELASTIC_PORT}\n
    \           prefix  = ${?SPACE_STORAGE_ELASTIC_PREFIX}\n            auth {\n                token
    = ${?SPACE_STORAGE_ELASTIC_AUTH_TOKEN}\n                apiKey = ${?SPACE_STORAGE_ELASTIC_AUTH_API_KEY}\n
    \               username = ${?SPACE_STORAGE_ELASTIC_AUTH_USERNAME}\n                password
    = ${?SPACE_STORAGE_ELASTIC_AUTH_PASSWORD}\n            }\n        }\n        reIndex
    = true\n    }\n\n    audit {\n        elastic {\n            host    = ${SPACE_STORAGE_ELASTIC_AUDIT_HOSTNAME}\n
    \           port    = ${SPACE_STORAGE_ELASTIC_AUDIT_PORT}\n            auth {\n
    \               token = ${?SPACE_STORAGE_ELASTIC_AUDIT_AUTH_TOKEN}\n                apiKey
    = ${?SPACE_STORAGE_ELASTIC_AUDIT_AUTH_API_KEY}\n                username = ${?SPACE_STORAGE_ELASTIC_AUDIT_AUTH_USERNAME}\n
    \               password = ${?SPACE_STORAGE_ELASTIC_AUDIT_AUTH_PASSWORD}\n            }\n
    \       }\n    }\n\n    perf {\n        client {\n            enabled = false\n
    \       }\n        elastic {\n            enabled = false\n        }\n\n        riemann
    {\n            enabled = false\n        }\n\n        prometheus {\n            enabled
    = false\n            jmx = false\n        }\n    }\n\n    metrics {\n        elastic
    {\n            host    = ${SPACE_STORAGE_ELASTIC_METRICS_HOSTNAME}\n            port
    \   = ${SPACE_STORAGE_ELASTIC_METRICS_PORT}\n            auth {\n                token
    = ${?SPACE_STORAGE_ELASTIC_METRICS_AUTH_TOKEN}\n                apiKey = ${?SPACE_STORAGE_ELASTIC_METRICS_AUTH_API_KEY}\n
    \               username = ${?SPACE_STORAGE_ELASTIC_METRICS_AUTH_USERNAME}\n                password
    = ${?SPACE_STORAGE_ELASTIC_METRICS_AUTH_PASSWORD}\n            }\n        }\n
    \   }\n\n    auth {\n        bruteForceGuard {\n            failedLoginCountThreshold
    = 3\n            failedLoginCountOrganizationThreshold = 1000\n            throttlingDuration
    = \"1day\"\n            recaptcha {\n                siteKey     = ${?SPACE_AUTH_RECAPTCHAV2_SITEKEY}\n
    \               secretKey   = ${?SPACE_AUTH_RECAPTCHAV2_SECRETKEY}\n            }\n
    \       }\n    }\n\n    // Circlet as OAuth 2.0 authentication server\n    oauth
    {\n        rememberMe {\n            // Remember me cookie TTL in seconds\n            ttl
    {\n                // If user checked remember me\n                userLong =
    2592000 // 30 * 24 * 60 * 60\n                // If admin checked remember me\n
    \               adminLong = 604800 // 7 * 24 * 60 * 60\n                // If
    user or admin unchecked remember me\n                short = 3600 // 60 * 60\n
    \           }\n\n            // Authentication session cache\n            cache
    {\n                protectedQueueSize = 100\n                probationalQueueSize
    = 100\n            }\n        }\n\n        accessToken {\n            // Access
    token TTL in seconds\n            ttl = 600 // do not use anything longer in production,
    potential security issue\n            // List of client IDs with custom TTL for
    access_token\n            ttlCustom {\n                \"circlet-ios-app\" = 25h\n
    \               \"circlet-android-app\" = 25h\n            }\n\n            //
    RSA512 key pair to sign JWT\n            rsa {\n                // X.509 encoded
    public key\n                public = ${SPACE_OAUTH_ACCESSTOKEN_RSA_PUBLIC}\n\n
    \               // PKCS#8 encoded private key\n                private = ${SPACE_OAUTH_ACCESSTOKEN_RSA_PRIVATE}\n
    \           }\n        }\n\n        message {\n            encoding {\n                //
    an example of 128 bit key for AES.\n                // openssl rand 16 | base64\n
    \               key = ${SPACE_OAUTH_MESSAGE_ENCODING_KEY}\n            }\n        }\n\n
    \       twoFactor {\n            // an example of 128 bit key for AES.\n            //
    openssl rand 16 | base64\n            encryptionKey = ${SPACE_OAUTH_2FA_ENCODING_KEY}\n
    \       }\n\n        // 128 bit key for AES.\n        encryptionKey = ${SPACE_OAUTH_ENCODING_KEY}\n\n
    \       // 2048-bit public/private key pair for signing/verifying outgoing messages
    to applications\n        messageSigning {\n            rsa {\n                //
    X.509 encoded public key\n                public = ${SPACE_OAUTH_MESSAGE_SIGNING_RSA_PUBLIC}\n\n
    \               // PKCS#8 encoded private key\n                private = ${SPACE_OAUTH_MESSAGE_SIGNING_RSA_PRIVATE}\n
    \           }\n        }\n    }\n\n    supervisor {\n        orgDatabases {\n
    \           default {\n                host = ${circlet.db.host}\n                type
    = ${circlet.db.type}\n            }\n        }\n    }\n\n    limits {\n        perOrg
    = {\n            \"totalMembers\" = {\n                softCap = 9000000\n                hardCap
    = 10000000\n            }\n        }\n        request {\n            sessionTTL
    = 5000\n            limits = [\n                {\n                    type =
    \"bandwidth\"\n                    capacity = 1000\n                    refill
    {\n                        tokens = 400\n                        duration = \"1
    second\"\n                    }\n                },\n                {\n                    type
    = \"bandwidth\"\n                    capacity = 10000\n                    refill
    {\n                        tokens = 10000\n                        duration =
    \"1 minute\"\n                    }\n                }\n            ]\n        }\n
    \   }\n    \n    \n    vcs {\n        url     = ${SPACE_VCS_URL}\n        secret
    \ = ${SPACE_VCS_TOKEN}\n    }\n\n    mail {\n        outgoing {\n            enabled
    \             = true\n            fromAddress          = ${?SPACE_MAIL_SERVER_FROM_ADDRESS}\n
    \           host                 = ${?SPACE_MAIL_SERVER_HOSTNAME}\n            port
    \                = ${?SPACE_MAIL_SERVER_PORT}\n            protocol             =
    \"SMTP\"\n            login                = ${?SPACE_MAIL_SERVER_USERNAME}\n
    \           password             = ${?SPACE_MAIL_SERVER_PASSWORD}\n            messageQueuePrefix
    \  = ${?SPACE_MAIL_SERVER_MESSAGE_QUEUE_PREFIX}\n            aggregationDelaySecs
    = ${?SPACE_MAIL_SERVER_AGGREGATION_DELAY_SECS}\n            rateLimitPerSecond
    \  = ${?SPACE_MAIL_SERVER_RATE_LIMIT_PER_SECOND}\n        }\n    }\n\n    endUserAgreement
    {\n        jetBrains {\n            enabled = false\n        }\n    }\n\n    frontend
    {\n        url         = ${SPACE_EXTERNAL_URL}\n        internalUrl = ${SPACE_INTERNAL_URL}\n
    \       internalALB {\n            enabled = false\n        }\n        altUrls
    = [${?SPACE_ALT_URLS}]\n\n        enableWebdriverTestIds = false\n    }\n\n    healthcheck
    {\n        username = \"healthcheck\"\n        password = \"healthcheck\"\n    }\n\n
    \   webhooks {\n        key = ${SPACE_WEBHOOK_KEY}\n        client = \"Apache\"\n
    \   }\n\n    unfurl {\n        client = \"Apache\"\n    }\n\n    // external language
    server. This implementation implies syntax highlight only\n    // `client` should
    be one of `net` or `local`\n    language-server {\n        client  = net\n        engine
    \ = Apache\n        host    = ${SPACE_LANGSERVICE_HOSTNAME}\n        port    =
    ${SPACE_LANGSERVICE_PORT}\n    }\n\n    pipelines {\n        dsl {\n            compilation
    {\n                uploadCompiledDslAsZip = true\n                image = \"public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596\"\n
    \               storage {\n                    aws {\n                        region
    \       = ${SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_REGION}\n                        bucket
    \       = ${SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_BUCKET_NAME}\n                        bucketCreated
    = ${?SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_BUCKET_CREATED}\n                        endpoint
    \     = ${SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_URL}\n                        accessKey
    \    = ${SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_ACCESS_KEY}\n                        secretKey
    \    = ${SPACE_STORAGE_AUTOMATION_DSL_COMPILATION_SECRET_KEY}\n                        cacheMaxAge
    \  = 86400\n                    }\n                    reIndex = true\n                }\n
    \           }\n            runtime {\n                mavenRepo {\n                    url
    = \"https://maven.pkg.jetbrains.space/public/p/space/maven\"\n                }\n
    \           }\n        }\n\n        execution {\n            type = \"docker\"\n
    \           backends = [\"worker\"]\n\n            // TODO: Remove this block
    as soon as Automation supports it.\n            bootstrap {\n                image
    = \"671090787922.dkr.ecr.eu-west-1.amazonaws.com/automation/alpine/git:v2.30.2-jb\"\n
    \          }\n\n            compose {\n                wrapperImage = \"public.registry.jetbrains.space/p/space/containers/space-automation-compose-host:2022.1.0-BETA.1596\"\n
    \           }\n\n            worker {\n                image = \"public.registry.jetbrains.space/p/space/containers/space-automation-worker:2022.1.0-BETA.1596\"\n
    \               initialVersion = \"default\"\n                dockerBuilderImage
    = \"public.registry.jetbrains.space/p/space/containers/space-automation-docker-builder:2022.1.0-BETA.1596\"\n
    \               dslCompileImage = \"public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596\"\n
    \           }\n\n            fileshare {\n                 storage {\n                    aws
    {\n                        region        = ${SPACE_STORAGE_AUTOMATION_WORKER_REGION}\n
    \                       bucket        = ${SPACE_STORAGE_AUTOMATION_WORKER_BUCKET_NAME}\n
    \                       bucketCreated = ${?SPACE_STORAGE_AUTOMATION_WORKER_BUCKET_CREATED}\n
    \                       endpoint      = ${SPACE_STORAGE_AUTOMATION_WORKER_URL}\n
    \                       accessKey     = ${SPACE_STORAGE_AUTOMATION_WORKER_ACCESS_KEY}\n
    \                       secretKey     = ${SPACE_STORAGE_AUTOMATION_WORKER_SECRET_KEY}\n
    \                       cacheMaxAge   = 86400\n                    }\n                    reIndex
    = true\n                }\n            }\n        }\n\n        serviceMessages
    {\n                 storage {\n                    aws {\n                        region
    \       = ${SPACE_STORAGE_AUTOMATION_LOGS_REGION}\n                        bucket
    \       = ${SPACE_STORAGE_AUTOMATION_LOGS_BUCKET_NAME}\n                        bucketCreated
    = ${?SPACE_STORAGE_AUTOMATION_LOGS_BUCKET_CREATED}\n                        endpoint
    \     = ${SPACE_STORAGE_AUTOMATION_LOGS_URL}\n                        accessKey
    \    = ${SPACE_STORAGE_AUTOMATION_LOGS_ACCESS_KEY}\n                        secretKey
    \    = ${SPACE_STORAGE_AUTOMATION_LOGS_SECRET_KEY}\n                        cacheMaxAge
    \  = 86400\n                    }\n                    reIndex = true\n                }\n
    \       }\n\n        blockstorage {\n            engine = \"local-docker\"\n        }\n
    \   }\n\n    packages {\n        notifications {\n            enabled = true\n
    \       }\n        oauth {\n            clientId     = ${SPACE_PACKAGES_CLIENT_ID}\n
    \           clientSecret = ${SPACE_PACKAGES_CLIENT_SECRET}\n        }\n\n        types
    {\n            maven {\n                url = ${SPACE_PACKAGES_EXTERNAL_URL}\n
    \               internalUrl = ${SPACE_PACKAGES_INTERNAL_URL}\n            }\n\n
    \           nuget {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n\n
    \           npm {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n\n
    \           container {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n\n
    \           pypi {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n\n
    \           composer {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n\n
    \           files {\n                url = ${circlet.packages.types.maven.url}\n
    \               internalUrl = ${circlet.packages.types.maven.internalUrl}\n            }\n
    \       }\n    }\n\n    attachments {\n        useCdn = false\n    }\n}\n"
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: jb-space
    meta.helm.sh/release-namespace: space-ns
  creationTimestamp: "2022-08-08T19:47:06Z"
  labels:
    app.kubernetes.io/component: space
    app.kubernetes.io/instance: jb-space
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: space
    helm.sh/chart: space-2022.1.0
  name: jb-space-space-conf
  namespace: space-ns
  resourceVersion: "41651300"
  uid: e7e1ec29-f3f0-455b-8b34-9f782be718a9
0

Hi Brooke Hedrick, I just experimented with my local cluster configuration using exactly the same values you shared initially, and the changes have been successfully propagated to the app.conf file. Could you please double-check that all indentation and contexts are defined correctly, as it really seems that Space uses the fallback image values specified in the default values.yaml file?

0

Pavel Boger,

Where can I find the app.conf file?

Did you notice that the configmap for my space-conf was not updated to the values from my values.yaml?

I have been doing 

helm uninstall ..
helm install ...

Each time I make changes to the values.yaml - if that matters.

0

Brooke Hedrick, that's correct, I referred to the CM configuration you shared previously when talking about app.conf file, and yes, we can see that changes haven't been propagated. Therefore, I asked to double-check that formatting for the automation block is correct.

Instead of reinstalling Space from scratch, let's try to apply the value changes to the already existing installation. Please create a custom values.yaml file with the custom image parameters beforehand. The command should look like this:

 helm template jb-space jetbrains-space-onpremises/space --namespace space-ns -f custom_values.yaml | kubectl apply -f-

 

0
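
A check for the situation discussed in this thread, as an added example (not code from any poster or from JetBrains): it lists every image reference in a rendered app.conf and flags those that do not come from an approved registry, so it is visible whether a values.yaml override reached the ConfigMap. The function names and the sample excerpt are constructed for illustration; the sample does not claim which keys the chart's dslCompiler value controls.

```shell
#!/bin/sh
# Added example: audit which container images a rendered Space app.conf references.
# Against a cluster (namespace and ConfigMap name as used in this thread):
#   kubectl -n space-ns get cm jb-space-space-conf -o jsonpath='{.data.app\.conf}' \
#     | unapproved_images nexus.webadmin.rainhail.com/rainhail

# Print "key<TAB>image" for every image-like setting (image, wrapperImage,
# dockerBuilderImage, dslCompileImage, ...) in the app.conf read from stdin.
list_image_refs() {
    awk '
        match($0, /^[ \t]*[A-Za-z]*[Ii]mage[ \t]*=[ \t]*"[^"]+"/) {
            line = substr($0, RSTART, RLENGTH)
            key = line; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
            val = line; sub(/^[^"]*"/, "", val); sub(/"$/, "", val)
            printf "%s\t%s\n", key, val
        }'
}

# Print the refs whose image does not start with "<approved registry>/".
# The trailing slash keeps "registry/team-other/..." from passing as "registry/team".
# Exit status 0 means every referenced image comes from the approved registry.
unapproved_images() {
    approved="${1%/}/"
    list_image_refs | awk -F '\t' -v prefix="$approved" '
        index($2, prefix) != 1 { print; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: an excerpt shaped like the pipelines section of the
# ConfigMap posted above, with one image overridden and the others at defaults.
sample_app_conf() {
    cat <<'EOF'
pipelines {
    dsl {
        compilation {
            uploadCompiledDslAsZip = true
            image = "nexus.webadmin.rainhail.com/rainhail/space-automation-dsl-compile-2022.1.0-beta.1596:1.0.0"
        }
    }
    execution {
        compose {
            wrapperImage = "public.registry.jetbrains.space/p/space/containers/space-automation-compose-host:2022.1.0-BETA.1596"
        }
        worker {
            image = "public.registry.jetbrains.space/p/space/containers/space-automation-worker:2022.1.0-BETA.1596"
            dslCompileImage = "public.registry.jetbrains.space/p/space/containers/space-automation-dsl-compile:2022.1.0-BETA.1596"
        }
    }
}
EOF
}

# Demo on the constructed sample: prints the three refs still on the public registry.
sample_app_conf | unapproved_images nexus.webadmin.rainhail.com/rainhail \
    || echo "images outside the approved registry are still referenced" >&2
```

Run it once after each `helm` change; a non-empty result means the worker will still be told to pull at least one image from the default registry.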

Hi. We are facing the same (or a similar) problem but on a Docker on-premises installation.

We use a self-signed certificate on Space, and when the container `space-automation-dsl-compile` tries to connect to Space it gets the following error:

DSL processing started
Using Automation DSL runtime version 1.2.2496
Downloading DSL script content from https://space.example.com/vcs/file/project-name-3c1e35e6/5105ddd6f690e38e33d898e2ff3efb0f80c4b4f2//.space.kts
Cleaned up the output folder: /tmp/12105410624355369358

Exception in thread "main" runtime.net.XHRException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at runtime.net.KtorHttpKt.ktorClientRequest(KtorHttp.kt:146)
    at runtime.net.KtorHttpKt.access$ktorClientRequest(KtorHttp.kt:1)
    at runtime.net.KtorHttpKt$ktorClientRequest$1.invokeSuspend(KtorHttp.kt)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:104)
    at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:285)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:345)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:523)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
    ... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 24 more

 

Here is our `.space.kts`

job("Example shell script") {
    host(displayName = "Say Hello") {
        shellScript {
            content = """
                echo Hello
                echo World!
            """
        }
    }
}

 

Any tips on how to handle this?

 

0

Modestino, could you please refer to the following comment?

https://space-support.jetbrains.com/hc/en-us/community/posts/11087065961490/comments/11114055041042

The fact is that Space Automation uses multiple container images when the job is initiated; therefore, it's necessary to include custom cacerts in each of these images.

 

0
