302 for all api calls using docker container #8

Open
brunnels opened this issue Dec 25, 2024 · 3 comments

@brunnels

I'm using piraeus-operator in kubernetes and have 1.8.2 deployed with some slight changes to the nginx config so the pod will run rootless. I can see the webpage and the metrics proxy location seems to be working okay but any calls to the api/v1 proxied location result in 302. Here are some container logs.

10.69.2.206 - - [24/Dec/2024:20:47:43 -0600] "GET /v1/view/resources HTTP/1.1" 302 210 "https://linstor.mydomain.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
10.69.2.206 - - [24/Dec/2024:20:47:43 -0600] "GET /metrics HTTP/1.1" 200 16381 "https://linstor.mydomain.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
10.69.2.206 - - [24/Dec/2024:20:47:45 -0600] "GET /v1/view/resources?limit=10&offset=0 HTTP/1.1" 302 210 "https://linstor.mydomain.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
10.69.2.206 - - [24/Dec/2024:20:47:45 -0600] "GET /v1/stats/resources HTTP/1.1" 302 211 "https://linstor.mydomain.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
10.69.2.206 - - [24/Dec/2024:20:47:45 -0600] "GET /v1/key-value-store HTTP/1.1" 302 211 "https://linstor.mydomain.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
10.69.2.206 - - [24/Dec/2024:20:47:45 -0600] "GET /v1/view/storage-pools HTTP/1.1" 302 214 "https://linstor.mydomain.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
10.69.2.206 - - [24/Dec/2024:20:47:45 -0600] "GET /v1/nodes HTTP/1.1" 302 201 "https://linstor.mydomain.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

Here's my flux2 repo that deploys the container as a deployment in the same namespace as the controller.

https://github.com/brunnels/talos-cluster/blob/korg/kubernetes/apps/piraeus-datastore/linstor/gui/helmrelease.yaml

The container is just built locally and pushed to my local repo.

Dashboard page looks mostly okay because it's mostly derived from the metrics api endpoint but no data gets loaded when clicking on anything because of the 302 errors.


@brunnels
Author

It's the default https redirect when going to the /v1 api. Is there a config setting to disable this?

I also tried exposing the linstor-controller service via LoadBalancer but the automatic UI redirect is giving me an exception when I go to the load balancer IP port 3370.

If I try to go to port 3371 on the LoadBalancer IP I get the self-signed cert but then an empty response. This even happens if I exec into the container and use curl -k -v https://localhost:3371

Dec 25, 2024 2:30:35 PM org.glassfish.jersey.server.ServerRuntime$Responder mapException
SEVERE: An exception has been thrown from an exception mapper class com.linbit.linstor.api.rest.v1.config.LinstorMapper.
java.lang.IllegalStateException: Not inside a request scope.
        at org.glassfish.jersey.internal.guava.Preconditions.checkState(Preconditions.java:169)
        at org.glassfish.jersey.process.internal.RequestScope.current(RequestScope.java:153)
        at org.glassfish.jersey.inject.hk2.RequestContext.findOrCreate(RequestContext.java:55)
        at org.jvnet.hk2.internal.MethodInterceptorImpl.internalInvoke(MethodInterceptorImpl.java:65)
        at org.jvnet.hk2.internal.MethodInterceptorImpl.invoke(MethodInterceptorImpl.java:101)
        at org.jvnet.hk2.internal.MethodInterceptorInvocationHandler.invoke(MethodInterceptorInvocationHandler.java:39)
        at jdk.proxy4/jdk.proxy4.$Proxy81.getPath(Unknown Source)
        at com.linbit.linstor.api.rest.v1.config.LinstorMapper.toResponse(GrizzlyHttpService.java:470)
        at com.linbit.linstor.api.rest.v1.config.LinstorMapper.toResponse(GrizzlyHttpService.java:424)
        at org.glassfish.jersey.server.ServerRuntime$Responder.mapException(ServerRuntime.java:542)
        at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:412)
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:264)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:235)
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
        at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356)
        at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:190)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:535)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:515)
        at java.base/java.lang.Thread.run(Thread.java:840)

Dec 25, 2024 2:30:35 PM org.glassfish.jersey.server.ServerRuntime$Responder mapException
SEVERE: An exception was not mapped due to exception mapper failure. The HTTP 500 response will be returned.
javax.ws.rs.NotFoundException: HTTP 404 Not Found
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:253)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:235)
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
        at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356)
        at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:190)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:535)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:515)
        at java.base/java.lang.Thread.run(Thread.java:840)

@brunnels
Author

brunnels commented Dec 26, 2024

Okay, so more playing around. I can pull the client certs from the csi-controller and talk to the controller with curl. So I just need to work out how to use client certs when using the UI.

@brunnels
Author

brunnels commented Dec 26, 2024

Okay, I figured it out. I created a new Certificate for the ui and an ingress that uses the cert via proxy-ssl-secret annotation.

The problem now is that I want to use rewrite on the ingress so that https://linstor.domain.org/ui/#! is rewritten to https://linstore.domain.org; that way I can secure the UI via authelia or the user setup in the gui.

I don't want to expose the API via the ingress.

For anyone searching here's the ingress:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: linstor-gui
  annotations:
    external-dns.alpha.kubernetes.io/target: "linstor.${SECRET_DOMAIN}"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "piraeus-datastore/linstor-gui-tls"
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/secure-backends: "true"
  labels:
    app.kubernetes.io/instance: linstor-gui
    app.kubernetes.io/name: linstor-gui
spec:
  ingressClassName: internal
  rules:
  - host: "linstor.${SECRET_DOMAIN}"
    http:
      paths:
      - backend:
          service:
            name: linstor-controller
            port:
              number: 3371
        path: /
        pathType: Prefix

And the cert:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linstor-gui-tls
spec:
  commonName: linstor-gui-tls
  dnsNames:
    - linstor-gui-tls
  issuerRef:
    kind: Issuer
    name: linstor-api-ca
  secretName: linstor-gui-tls
  usages:
    - client auth
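
An added example, not part of the thread or of any project's code: a small Python check of what the Ingress above implies for access control. With `proxy-ssl-secret` set, ingress-nginx presents the client certificate on every proxied request, so any caller that reaches the ingress is seen by the controller as that certificate. The finding codes and the reduced manifest dict are constructed for illustration.

```python
PREFIX = "nginx.ingress.kubernetes.io/"
# ingress-nginx annotations that authenticate the caller before proxying.
CALLER_AUTH = ("auth-url", "auth-type", "auth-tls-secret")

# Constructed sample: the Ingress from the thread, reduced to the audited fields.
THREAD_INGRESS = {
    "metadata": {"name": "linstor-gui", "annotations": {
        PREFIX + "proxy-ssl-secret": "piraeus-datastore/linstor-gui-tls",
        PREFIX + "backend-protocol": "HTTPS",
    }},
    "spec": {"rules": [{"host": "linstor.${SECRET_DOMAIN}", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "linstor-controller",
                                 "port": {"number": 3371}}}},
    ]}}]},
}


def audit_ingress(ingress):
    """Return sorted finding codes (names are illustrative) for one Ingress dict."""
    raw = ingress.get("metadata", {}).get("annotations") or {}
    ann = {k[len(PREFIX):]: v for k, v in raw.items() if k.startswith(PREFIX)}
    if not ann.get("proxy-ssl-secret"):
        return []  # no client identity is injected, nothing to audit here
    findings = set()
    # 1. Callers are not authenticated, yet reach the backend as the client cert.
    if not any(ann.get(key) for key in CALLER_AUTH):
        findings.add("client-cert-without-caller-auth")
    # 2. proxy-ssl-verify defaults to off: the backend certificate goes unchecked.
    if str(ann.get("proxy-ssl-verify", "off")).lower() != "on":
        findings.add("backend-cert-not-verified")
    # 3. A "/" path that is not Exact forwards every path, including /v1.
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            if entry.get("path", "/") == "/" and entry.get("pathType") != "Exact":
                findings.add("whole-backend-exposed")
    return sorted(findings)


if __name__ == "__main__":
    for code in audit_ingress(THREAD_INGRESS):
        print(code)
```

Adding an `auth-url` annotation (for example pointing at an authelia verification endpoint) and `proxy-ssl-verify: "on"` clears the first two findings; the third remains as long as the UI and the `/v1` API share one backend path.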
