Inconsistencies and Issue in Regclient v1.2.0.1-B2

Hello!

For branch v1.2.0.1-B2

I understand that -set flag supersedes the values in values.yaml, but I want to clarify some inconsistencies.

In regclient values.yaml at mosip-infra/deployment/v3/mosip/regclient/values.yaml

image:
  registry: docker.io
  repository: mosipqa/registration-client
  tag: 1.2.0.1

While in mosip-helm chart mosip-helm/blob/v1.2.0.1-B2/charts/regclient/values.yaml

image:
  registry: docker.io
  repository: mosipid/registration-client
  tag: 1.2.0.1-B1

Which image should be used?

In my installation the mosipid/registration-client 1.2.0.1-B1 is the one used as reflected in Rancher, which is the one configured in the mosip-helm chart, since this was not overridden in the install.sh script through a -set flag or the file values.yaml

Another concern is that in mosip-infra/deployment/v3/mosip/regclient/install.sh

--set regclient.upgradeServerUrl=https://$INTERNAL_HOST \
--set regclient.healthCheckUrl=$HEALTH_URL \
--set regclient.hostName=$INTERNAL_HOST \

While in mosip-helm chart mosip-helm/blob/v1.2.0.1-B2/charts/regclient/values.yaml

regclient:
  version: 1.2.0.1-B1
  mountDir: /home/mosip/build_files/
  ## Currently this is hardcoded. Will change in the future
  cryptoKey: bBQX230Wskq6XpoZ1c+Ep1D+znxfT89NxLQ7P4KFkc4=
  upgradeServerUrl: https://regclient.sandbox.xzy.net
  hostName: https://api-internal.sandbox.mosip.net

What should be the correct value for regclient.upgradeServerUrl ?
And what should be the correct values for hostname/regclient.hostName ?

In my case it looks like the set flag did override the value because when you look at the log when running regclient

mosip.hostname : api-internal.x.x.x
mosip.client.upgrade.server.url : https://api-internal.x.x.x

Which follows what was configured with the -set flag

Please NOTE that in the current setting, I am experiencing errors when running the downloaded regclient after restarting it as instructed during the first successful login.

Warning: ** NO VALID AUTH-TOKEN TO SYNC **

I can’t login with the created credentials in Keycloak, even when using the credentials which were successful in the first login but no longer after restarting the regclient as instructed.

I tried this fix, based on the values.yaml, I edited install.sh

--set regclient.upgradeServerUrl=https://$REGCLIENT_HOST

The regclient machine log when running shows:

Properties with local preferences loaded.
mosip.hostname : api-internal.x.x.x
mosip.client.upgrade.server.url : https://regclient.x.x.x
Checking server connectivity…

I still am getting the warning
Warning : ** NO VALID AUTH-TOKEN TO SYNC **

But I can now login -

HOWEVER, after logging out since I haven’t configured Mock-MDS yet, when I try to login with the same credentials I used that were successful just minutes ago, I cannot login again, with the error: Authentication Failure

What is going on? I am sure I used the same credentials.

Looking at my image, and I remembered that I lost Internet connection for a minute while I was logging in, so I tried logging in while not connected to the Internet. Well, I was able to login with the same credentials.

Anyone please explain why I can login while the Machine is offline, but can not when the Machine is online, with the exact same credential?

Another question. There are new variables in the MOSIP helm chart v1.2.0.1-B2

regclient:
  version: 1.2.0.1-B1

  certificate: mosip_cer.cer
  signer_url: Timestamp Server And Stamping Protocols | Sectigo® Official

These are not superseded by the -set flag so what values should I put there since I am using my own domain while these values point to MOSIP setup specifically?

What values should I put that will point to my domain ? Could I leave it blank or null?

I believe it is asking for the domain certificate, but I don’t know where is that domain certificate located in the installation nor its filename.

Our domain names certificates used in the Nginx VM are certified by Lets Cert. Is that the certificate being asked ?

Also after reviewing the logfiles of regclient, there were no errors nor any failure indicated.

But I find this version of mock-sdk suspicious:

Downloading MOCK SDK…
--2023-03-31 05:01:00-- http://artifactory.artifactory/artifactory/libs-release-local/mock-sdk/1.1.5/mock-sdk.jar
Resolving artifactory.artifactory (artifactory.artifactory)... 10.43.149.60
Connecting to artifactory.artifactory (artifactory.artifactory)|10.43.149.60|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14497 (14K) [application/java-archive]
Saving to: ‘/home/mosip/registration-client/target/lib/mock-sdk.jar’

It should be 1.2.0 for V1.2.0.1-B2, right?

I will use a different docker image and see if it is also using mock-sdk version 1.1.5
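
Added example (not from the post or from the MOSIP repositories): a small Python model of Helm's value precedence, chart defaults < `-f` file < `--set`, using the values quoted in the post above. The host `api-internal.example.org` is a constructed stand-in for `$INTERNAL_HOST`, and only scalar values and simple `key=value` flags are handled.

```python
# Added example: models Helm value precedence (chart defaults < -f file < --set).
# Handles only scalar leaves and simple key=value flags, which is all the post uses.

# Values copied from the two values.yaml files quoted in the post.
CHART_DEFAULTS = {
    "image": {"registry": "docker.io",
              "repository": "mosipid/registration-client", "tag": "1.2.0.1-B1"},
    "regclient": {"upgradeServerUrl": "https://regclient.sandbox.xzy.net",
                  "hostName": "https://api-internal.sandbox.mosip.net"},
}
LOCAL_VALUES = {"image": {"registry": "docker.io",
                          "repository": "mosipqa/registration-client", "tag": "1.2.0.1"}}
# Constructed host standing in for $INTERNAL_HOST (an assumption, not from the post).
SET_FLAGS = ["regclient.upgradeServerUrl=https://api-internal.example.org",
             "regclient.hostName=api-internal.example.org"]


def flatten(tree, prefix=""):
    """Turn nested maps into {'a.b.c': value} so layers can be overlaid per leaf."""
    flat = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def effective_values(defaults, values_files=(), set_flags=()):
    """Return {dotted.key: (value, source)}; later layers win over earlier ones."""
    resolved = {k: (v, "chart default") for k, v in flatten(defaults).items()}
    for name, tree in values_files:
        resolved.update({k: (v, f"-f {name}") for k, v in flatten(tree).items()})
    for flag in set_flags:
        key, _, value = flag.partition("=")
        resolved[key] = (value, "--set")
    return resolved


def left_at_default(resolved):
    """Keys nobody overrode: these still carry the chart author's environment."""
    return sorted(k for k, (_, src) in resolved.items() if src == "chart default")


if __name__ == "__main__":
    for label, files in (("--set only", ()), ("with -f", (("values.yaml", LOCAL_VALUES),))):
        result = effective_values(CHART_DEFAULTS, files, SET_FLAGS)
        print(label, result["image.repository"], left_at_default(result))
```

For an installed release, `helm get values <release> --all` prints the merged values that Helm actually computed, which can be compared against this model.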

Which image should be used?
→ Kindly use released images. Released images can be found under the mosipid namespace.

What should be the correct value for regclient.upgradeServerUrl ?
→ This should be the URL of nginx server running in the reg-client docker container.
Ex: https://regclient.dev.mosip.net

And what should be the correct values for hostname/regclient.hostName ?
→ As shown in the example, this hostname resolves to internal services based on the URL context.
Ex: https://api-internal.dev.mosip.net

Warning: ** NO VALID AUTH-TOKEN TO SYNC **
→ This is just a warning. This warning is normal on initial startup of reg-client until there is one successful login and onboard.

Anyone please explain why I can login while the Machine is offline, but can not when the Machine is online, with the exact same credential?
→ Machine supports offline login only if there is a stored pwd hash in local DB for the provided userid (hash is updated on every successful online login).
Please share the reg-client logs on online login failure, if possible kernel-syncdata-service logs during the same time period will help a lot to debug.

What values should I put that will point to my domain ? Could I leave it blank or null?
certificate: mosip_cer.cer
signer_url: Timestamp Server And Stamping Protocols | Sectigo® Official
→ When the reg-client docker container is created, it starts the creation of reg-client installation zip. The installation zip includes signed & timestamped MOSIP jars. To sign the jars we will need a key pair. And a self-signed certificate is created with the public key which is part of the installation zip and the same certificate will be used to verify the signed jars later.

I find this version of mock-sdk suspicious
I agree, as the URL with 1.1.5 is causing this confusion, but this is maintained just for backward compatibility.
You can find the version used here : artifactory-ref-impl/Dockerfile at v1.2.0 · mosip/artifactory-ref-impl · GitHub

thanks & regards,
Anusha Sunkada

@Anusha_sunkadh Thank you for answering and explaining. Your reply provided much needed information for a better understanding of the installation script of the MOSIP regclient module.

I have a follow up question with regards to the new variables in the MOSIP helm chart v1.2.0.1-B2.

If my understanding is correct, since signed & timestamped MOSIP jars are taken care of and used when the reg-client docker container is created, as well as at the creation of reg-client installation zip, why is there a need to indicate / include these variables in the Helm chart 12.0.1-B2 values.yaml for regclient (lines 77, 78 of mosip-helm/values.yaml at v1.2.0.1-B2 · mosip/mosip-helm · GitHub ) ?

I even suspect this is maybe causing the error in this post Regclient Deployment Problem (MOSIP v1.2.0.1-B1)

Looking at the previous versions of the Helm chart values.yaml, these variables/values are new and introduced only in chart version 12.0.1-B2.

By the way, with your help, regclient is now working without any error and I am now able to login with the newly created user with the roles Default, Regclient Operator and Regclient Supervisor.

But I used a local values.yaml to supersede the values in the Helm chart at the mosip-helm charts repo, and I didn’t put/use these new values/variables.

MOSIP jars are only GPG signed during the build. Only at the start of the reg-client downloader container, MOSIP jars are signed and timestamped using jarsigner command. That is the reason for passing the timestamp URL(line 78) in the helm chart.
FYR: registration-client/configure.sh at v1.2.0.1-B1 · mosip/registration-client · GitHub

Yeah, line 77 is not required @ckm007 pls confirm

@Anusha_sunkadh Thank you for explaining things further. Now, I no longer have issues with regclient.

Great to hear that @rcsampang, thanks a lot for your time.
