
[WIP] OAuth configuration for hostAliases when running on local.ndslabs.org #25

Closed
wants to merge 8 commits into from

bodom0015 (Member)

Problem

EDGE CASE: When running on www.local.ndslabs.org, everything under *.local.ndslabs.org will resolve to localhost. This presents a problem on the off-chance that they attempt to access the domain directly from within a Pod.

Note that minikube will likely not encounter the same problem, because it runs on its own IP and does not rely on localhost resolving properly.

For example, when the API receives a request to register/authenticate a user via OAuth, it needs to reach out to the oauth2-proxy Pod to verify the authenticity of the token. In doing so, it sends a request to www.local.ndslabs.org/oauth/userinfo. This ultimately resolves to localhost/oauth/userinfo which does not exist within the container, causing the request to fail.

Approach

Include an optional snippet in the deployment.yaml to resolve to the Ingress controller instead, so that our request can be properly

How to Test

  1. Run a Kubernetes cluster using Docker for MacOSX or Docker for Windows
    • NOTE: minikube should not encounter the same problem
  2. Run and configure OAuth2 Proxy + Keycloak + CILogon (See Setup: Configuring oauth2-proxy to use Keycloak + CILogon)
  3. Deploy the Helm chart from the oauth-configuration branch to use OAuth and to run on local.ndslabs.org
    • NOTE: this domain always resolves to localhost
  4. Attempt to sign into the Workbench via OAuth
    • NOTE: This will fail when using local.ndslabs.org
  5. Run kubectl logs -f deploy/workbench -c apiserver
    • You should see an error in the apiserver logs from attempting to validate the OAuth token
  6. Check out this branch and redeploy the Helm chart, then run kubectl get deploy workbench -o yaml
    • You should see a hostAliases configuration within the Workbench Deployment
  7. Attempt to sign in once more to the Workbench via OAuth
    • You should now be allowed into the platform with an OAuth user account
    • You should no longer see an error in the apiserver logs for this action

TODOs

  • How can we fetch this IP programmatically? Does Helm offer a way to consume Service discovery envvars in our templates? Alternatively, we can standardize the namespace of our Ingress deployment and rely on Cluster DNS to resolve things.
  • Make the hostAliases segment conditional, only present if .Values.workbench.domain == "local.ndslabs.org"
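The following is an added illustration of the approach and the two TODOs above (a conditional hostAliases block keyed on .Values.workbench.domain, with the Ingress controller IP fed in from outside). It is not the chart's own template: the values key workbench.ingressClusterIP, the apiserver image key, and the kubectl lookup in the comment are assumptions; only workbench.domain is named in the PR.

```yaml
# values.yaml (fragment; workbench.ingressClusterIP is a hypothetical key)
workbench:
  domain: local.ndslabs.org
  # ClusterIP of the Ingress controller's Service. It must be a cluster-internal
  # address: the LoadBalancer/external IP on Docker Desktop is localhost, which is
  # exactly what the Pod cannot reach. Look it up and pass it with --set, e.g.
  #   kubectl get svc -n <ingress-namespace> <ingress-service> -o jsonpath='{.spec.clusterIP}'
  #   helm upgrade --install workbench ./chart --set workbench.ingressClusterIP=<that IP>
  ingressClusterIP: ""
  apiserver:
    image: ""   # assumed key; set to the real apiserver image
---
# templates/deployment.yaml (fragment)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: workbench
spec:
  selector:
    matchLabels:
      app: workbench
  template:
    metadata:
      labels:
        app: workbench
    spec:
      {{- /* Only on local.ndslabs.org, where public DNS answers 127.0.0.1 for
             every *.local.ndslabs.org name, pin the domain and its www. form to
             the Ingress controller in the Pod's /etc/hosts. Skip the block when
             no IP was supplied rather than writing an empty alias. */}}
      {{- if and (eq .Values.workbench.domain "local.ndslabs.org") .Values.workbench.ingressClusterIP }}
      hostAliases:
        - ip: {{ .Values.workbench.ingressClusterIP | quote }}
          hostnames:
            - {{ .Values.workbench.domain | quote }}
            - {{ printf "www.%s" .Values.workbench.domain | quote }}
      {{- end }}
      containers:
        - name: apiserver
          image: {{ .Values.workbench.apiserver.image | quote }}
```

Two checks worth making after deploying: `kubectl exec deploy/workbench -c apiserver -- cat /etc/hosts` should show the alias lines (kubelet manages /etc/hosts for Pods that are not hostNetwork, so the alias is ignored on hostNetwork Pods), and the request to www.local.ndslabs.org/oauth/userinfo still carries that hostname in the Host header and TLS SNI, so the Ingress routes it normally and any certificate check is unchanged; only the address resolution is overridden.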

@bodom0015 bodom0015 changed the base branch from master to cddr March 12, 2021 21:56
@bodom0015 bodom0015 marked this pull request as ready for review June 2, 2021 18:50
@bodom0015 bodom0015 closed this Jun 2, 2021