From ac5c8f0ebc77002352abf9f90e4d10b09085c52b Mon Sep 17 00:00:00 2001 From: Andrzej Grzelak Date: Tue, 26 Sep 2023 14:24:41 +0200 Subject: [PATCH 1/3] Update host header when proxying to services. ISTIO proxy uses Host header to route traffic. --- helm/revproxy/gen3.nginx.conf/indexd-service.conf | 3 +-- helm/revproxy/gen3.nginx.conf/metadata-service.conf | 2 +- helm/revproxy/gen3.nginx.conf/peregrine-service.conf | 7 +++++-- helm/revproxy/gen3.nginx.conf/sheepdog-service.conf | 2 +- helm/revproxy/gen3.nginx.conf/workspace-token-service.conf | 2 +- helm/revproxy/nginx/nginx.conf | 1 - 6 files changed, 9 insertions(+), 8 deletions(-) diff --git a/helm/revproxy/gen3.nginx.conf/indexd-service.conf b/helm/revproxy/gen3.nginx.conf/indexd-service.conf index a464afcc..897ea8cb 100644 --- a/helm/revproxy/gen3.nginx.conf/indexd-service.conf +++ b/helm/revproxy/gen3.nginx.conf/indexd-service.conf @@ -1,4 +1,3 @@ - # GA4GH endpoint for DOS resolver and DRS server location /ga4gh/ { if ($csrf_check !~ ^ok-\S.+$) { @@ -45,7 +44,7 @@ set $proxy_service "indexd"; set $upstream http://indexd-service$des_domain; rewrite ^/index-admin/(.*) /$1 break; - proxy_set_header Host $host; + proxy_set_header Host indexd-service$des_domain; proxy_set_header X-Forwarded-For "$realip"; proxy_set_header X-UserId "$userid"; proxy_set_header X-SessionId "$session_id"; diff --git a/helm/revproxy/gen3.nginx.conf/metadata-service.conf b/helm/revproxy/gen3.nginx.conf/metadata-service.conf index d85344f6..8d7c7674 100644 --- a/helm/revproxy/gen3.nginx.conf/metadata-service.conf +++ b/helm/revproxy/gen3.nginx.conf/metadata-service.conf @@ -28,7 +28,7 @@ set $proxy_service "metadata-service"; set $upstream http://metadata-service$des_domain; rewrite ^/mds-admin/(.*) /$1 break; - proxy_set_header Host $host; + proxy_set_header Host metadata-service$des_domain; proxy_set_header X-Forwarded-For "$realip"; proxy_set_header X-UserId "$userid"; proxy_set_header X-SessionId "$session_id"; 
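Review bot: In the `@@ -45,7 +44,7 @@` hunk, `proxy_set_header Host indexd-service$des_domain;` replaces the only header that carried the client-facing hostname to indexd, and none of the visible lines forward it another way — the location sets X-Forwarded-For, X-UserId and X-SessionId but no X-Forwarded-Host. If indexd derives absolute URLs from the Host header (the `/ga4gh/` DRS location in the first hunk of this file is the obvious candidate), those would now point at the cluster-internal service name. I would keep the routing host for Istio and add `proxy_set_header X-Forwarded-Host $host;` next to it, and do the same in the metadata-service hunk. The enclosing `location` block starts before and ends after this hunk.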
diff --git a/helm/revproxy/gen3.nginx.conf/peregrine-service.conf b/helm/revproxy/gen3.nginx.conf/peregrine-service.conf index db172326..219e7f69 100644 --- a/helm/revproxy/gen3.nginx.conf/peregrine-service.conf +++ b/helm/revproxy/gen3.nginx.conf/peregrine-service.conf @@ -2,10 +2,12 @@ location /peregrine/_status { set $proxy_service "peregrine"; set $upstream http://peregrine-service.$namespace.svc.cluster.local/_status; + proxy_set_header Host "peregrine-service.$namespace.svc.cluster.local"; proxy_pass $upstream; } location /peregrine/_version { set $upstream http://peregrine-service.$namespace.svc.cluster.local/_version; + proxy_set_header Host "peregrine-service.$namespace.svc.cluster.local"; proxy_pass $upstream; } location /api/search { @@ -15,7 +17,7 @@ gzip off; proxy_next_upstream off; - proxy_set_header Host $host; + proxy_set_header Host "peregrine-service.$namespace.svc.cluster.local"; proxy_set_header Authorization "$access_token"; proxy_set_header X-Forwarded-For "$realip"; proxy_set_header X-UserId "$userid"; @@ -40,7 +42,7 @@ gzip off; proxy_next_upstream off; - proxy_set_header Host $host; + proxy_set_header Host "peregrine-service.$namespace.svc.cluster.local"; proxy_set_header Authorization "$access_token"; proxy_set_header X-Forwarded-For "$realip"; proxy_set_header X-UserId "$userid"; @@ -65,6 +67,7 @@ proxy_next_upstream off; set $proxy_service "peregrine"; + proxy_set_header Host "peregrine-service.$namespace.svc.cluster.local"; set $upstream http://peregrine-service.$namespace.svc.cluster.local/v0/submission/getschema; proxy_pass $upstream; } diff --git a/helm/revproxy/gen3.nginx.conf/sheepdog-service.conf b/helm/revproxy/gen3.nginx.conf/sheepdog-service.conf index cc0ad569..fabcc95a 100644 --- a/helm/revproxy/gen3.nginx.conf/sheepdog-service.conf +++ b/helm/revproxy/gen3.nginx.conf/sheepdog-service.conf 
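Review bot: Across the peregrine hunks the literal `peregrine-service.$namespace.svc.cluster.local` is now written out five times (the `_status`, `_version`, `/api/search`, the following search-style location and the `getschema` location), in addition to the copy already inside each `set $upstream`, so a rename or a change in how `$namespace` is resolved has to be repeated in each place and the Host value can drift from the proxied upstream. If the config that defines `$namespace` is at server level, defining the name once there, e.g. `set $peregrine_host peregrine-service.$namespace.svc.cluster.local;`, and referencing `$peregrine_host` from both `set $upstream` and `proxy_set_header Host` would remove the duplication — that file is not in this hunk, so this is a suggestion to confirm. Note also that the new Host values are double-quoted here but unquoted in the sheepdog and workspace-token-service hunks of the same patch; nginx accepts both, but one style across the revproxy configs is easier to grep. The `/api/search` location and the later ones start before and end after their hunks.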
@@ -6,7 +6,7 @@ location /api/ { proxy_next_upstream off; # Forward the host and set Subdir header so api # knows the original request path for hmac signing - proxy_set_header Host $host; + proxy_set_header Host sheepdog-service.$namespace.svc.cluster.local; proxy_set_header Subdir /api; proxy_set_header Authorization "$access_token"; proxy_set_header X-Forwarded-For "$realip"; diff --git a/helm/revproxy/gen3.nginx.conf/workspace-token-service.conf b/helm/revproxy/gen3.nginx.conf/workspace-token-service.conf index 8fd62dff..cd3a0819 100644 --- a/helm/revproxy/gen3.nginx.conf/workspace-token-service.conf +++ b/helm/revproxy/gen3.nginx.conf/workspace-token-service.conf @@ -5,7 +5,7 @@ gzip off; proxy_next_upstream off; - proxy_set_header Host $host; + proxy_set_header Host workspace-token-service.$namespace.svc.cluster.local; proxy_set_header Authorization "$access_token"; proxy_set_header X-Forwarded-For "$realip"; proxy_set_header X-UserId "$userid"; diff --git a/helm/revproxy/nginx/nginx.conf b/helm/revproxy/nginx/nginx.conf index d2be4bd3..56c6a4fe 100644 --- a/helm/revproxy/nginx/nginx.conf +++ b/helm/revproxy/nginx/nginx.conf @@ -259,7 +259,6 @@ http { # not set headers ... http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header # proxy_set_header Authorization "$access_token"; - proxy_set_header Host $host; proxy_set_header X-Forwarded-For "$realip"; proxy_set_header X-UserId "$userid"; # Can propagate this request id through downstream microservice requests for tracing From eaff7c775acd563aa692ee16efba489004995092 Mon Sep 17 00:00:00 2001 From: Andrzej Grzelak Date: Tue, 26 Sep 2023 14:26:39 +0200 Subject: [PATCH 2/3] Update proxy http version to 1.1. Remove https redirect on HTTP connection from ISTIO proxy - ingress takes care of TLS termination/redirects --- helm/revproxy/nginx/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
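Review bot: The comment kept directly above the changed line, `# Forward the host and set Subdir header so api knows the original request path for hmac signing`, no longer describes the code: Host is now the cluster-internal `sheepdog-service.$namespace.svc.cluster.local`, so the original host is not forwarded at all in this location. If sheepdog's HMAC verification does cover the Host header, as the comment implies, signatures that clients compute over the public hostname would stop verifying; if it does not, the comment is misleading either way. I would keep the Istio routing host and forward the original one separately, `proxy_set_header Host sheepdog-service.$namespace.svc.cluster.local;` followed by `proxy_set_header X-Forwarded-Host $host;`, and rewrite the comment to `# Host is the in-cluster name so the Istio sidecar can route; X-Forwarded-Host and Subdir carry the original request host/path for hmac signing`. The `location /api/` block continues outside the hunk.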
diff --git a/helm/revproxy/nginx/nginx.conf b/helm/revproxy/nginx/nginx.conf index 56c6a4fe..e9aeda93 100644 --- a/helm/revproxy/nginx/nginx.conf +++ b/helm/revproxy/nginx/nginx.conf @@ -165,11 +165,11 @@ http { server_tokens off; proxy_hide_header server; proxy_hide_header X-Powered-By; + proxy_http_version 1.1; add_header "X-Frame-Options" "SAMEORIGIN" always; add_header "X-Content-Type-Options" "nosniff" always; add_header "X-Xss-Protection" "1; mode=block" always; - if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; } # # Strict-Transport-Security only applys for https traffic - set after testing protocol # From 446b95e9db120b40d52c7691af15b649eb56fd35 Mon Sep 17 00:00:00 2001 From: Andrzej Grzelak Date: Wed, 27 Sep 2023 18:49:02 +0200 Subject: [PATCH 3/3] Remove initContainers from jobs that were waiting for a service to be up and moved their code to the actual container because ISTIO sidecar does not work in init-container by default so there is no connectivity to a service. --- helm/fence/templates/usersync-cron.yaml | 6 +----- helm/indexd/templates/pre-install.yaml | 6 +----- helm/wts/templates/wts-oidc.yaml | 7 ++----- 3 files changed, 4 insertions(+), 15 deletions(-) diff --git a/helm/fence/templates/usersync-cron.yaml b/helm/fence/templates/usersync-cron.yaml index ef683944..22881a90 100644 --- a/helm/fence/templates/usersync-cron.yaml +++ b/helm/fence/templates/usersync-cron.yaml @@ -53,11 +53,6 @@ spec: - name: cred-volume secret: secretName: aws-config-fence - initContainers: - - name: wait-for-fence - image: curlimages/curl:latest - command: ["/bin/sh","-c"] - args: ["while [ $(curl -sw '%{http_code}' http://fence-service -o /dev/null) -ne 200 ]; do sleep 5; echo 'Waiting for fence...'; done"] containers: - name: usersync image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" 
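Review bot: In the `@@ -165,11 +165,11 @@` hunk, removing `if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }` takes away the revproxy's own HTTP-to-HTTPS enforcement and relies on an ingress this chart does not show, while the comment left in place, `# Strict-Transport-Security only applys for https traffic - set after testing protocol`, still implies a protocol check happens in this config. If any ingress or in-mesh path forwards a plaintext request (a missing or misconfigured redirect rule), nginx will now serve it, including the session cookies and `Authorization` tokens the location configs forward upstream. At minimum leave a comment where the block was, e.g. `# HTTP->HTTPS redirect is enforced at the ingress (TLS termination); this proxy only receives mesh traffic`, or better keep the redirect behind a chart value so non-Istio deployments retain it. Separately, `proxy_http_version 1.1;` alone does not give upstream keepalive — nginx still sends `Connection: close` unless `proxy_set_header Connection "";` is set, and `proxy_set_header` at this level is overridden wholesale by any location that sets its own headers — so if keepalive was the goal it needs the companion header. The `http {` block starts and ends outside the hunk.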
@@ -101,6 +96,7 @@ spec: - "-c" # Script always succeeds if it runs (echo exits with 0) - | + while [ $(curl -sw '%{http_code}' http://fence-service -o /dev/null) -ne 200 ]; do sleep 5; echo 'Waiting for fence...'; done echo 'options use-vc' >> /etc/resolv.conf pip3 install SQLAlchemy==1.3.6 # can be removed once this is merged: https://github.com/uc-cdis/fence/pull/1096 diff --git a/helm/indexd/templates/pre-install.yaml b/helm/indexd/templates/pre-install.yaml index a6f6cd9f..07eb9da7 100644 --- a/helm/indexd/templates/pre-install.yaml +++ b/helm/indexd/templates/pre-install.yaml @@ -19,11 +19,6 @@ spec: volumes: {{- toYaml . | nindent 8 }} {{- end }} - initContainers: - - name: wait-for-indexd - image: curlimages/curl:latest - command: ["/bin/sh","-c"] - args: ["while [ $(curl -sw '%{http_code}' http://indexd-service/index -o /dev/null) -ne 200 ]; do sleep 5; echo 'Waiting for indexd...'; done"] containers: - name: indexd image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -82,6 +77,7 @@ spec: # Script always succeeds if it runs (echo exits with 0) # indexd image does not include jq, so use python - | + while [ $(curl -sw '%{http_code}' http://indexd-service/index -o /dev/null) -ne 200 ]; do sleep 5; echo 'Waiting for indexd...'; done echo 'python /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}' python /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}" echo 'python /indexd/bin/index_admin.py create --username "sheepdog" --password "${SHEEPDOG_PASS}' diff --git a/helm/wts/templates/wts-oidc.yaml b/helm/wts/templates/wts-oidc.yaml index d14c6e79..96b3314c 100644 --- a/helm/wts/templates/wts-oidc.yaml +++ b/helm/wts/templates/wts-oidc.yaml 
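Review bot: The added `while [ $(curl -sw '%{http_code}' http://fence-service -o /dev/null) -ne 200 ]` loop now runs inside the fence image instead of `curlimages/curl`, and nothing in the hunk establishes that this image ships curl; if it does not, `$(...)` expands to nothing, `[ -ne 200 ]` is a test syntax error with non-zero status, the loop exits on its first iteration and the sync proceeds against a fence that may not be up, while the kept comment "Script always succeeds if it runs" means the job still reports success. There is also no bound on the retries, so an unreachable fence leaves the CronJob pod spinning instead of failing. Quote the substitution with a fallback and bound the wait, e.g. `i=0; until [ "$(curl -s -o /dev/null -w '%{http_code}' http://fence-service || echo 000)" = 200 ]; do i=$((i+1)); [ "$i" -ge 60 ] && { echo 'fence not reachable'; exit 1; }; sleep 5; echo 'Waiting for fence...'; done` — the `exit 1` deliberately departs from the always-succeed behaviour and should be confirmed with the job owners. The container spec this script belongs to starts before the hunk.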
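Review bot: In the `@@ -82,6 +77,7 @@` hunk of pre-install.yaml the new wait loop calls `curl` from the indexd image, but the comment two lines above it says `# indexd image does not include jq, so use python`, which makes it doubtful that curl is present either; when it is missing, `$(curl ...)` is empty, `[ -ne 200 ]` fails with a non-zero status, the `while` falls through at once and `index_admin.py create` runs against an indexd that may not be listening, with the script still exiting 0. Since the image is known to have python, the readiness check could use it and avoid the dependency, e.g. `until python -c 'import urllib.request,sys; sys.exit(urllib.request.urlopen("http://indexd-service/index").status != 200)' 2>/dev/null; do sleep 5; echo 'Waiting for indexd...'; done`. Whichever tool is used, a retry ceiling that exits non-zero would let the pre-install job fail visibly instead of hanging. The container's `args` block starts before the hunk.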
@@ -16,11 +16,6 @@ spec: secretName: "fence-config" - name: shared-volume emptyDir: {} - initContainers: - - name: wait-for-fence - image: curlimages/curl:latest - command: ["/bin/sh","-c"] - args: ["while [ $(curl -sw '%{http_code}' http://fence-service -o /dev/null) -ne 200 ]; do sleep 5; echo 'Waiting for fence...'; done"] containers: - name: fence-client # TODO: Make this configurable @@ -32,6 +27,8 @@ spec: args: - "-c" - | + while [ $(curl -sw '%{http_code}' http://fence-service -o /dev/null) -ne 200 ]; do sleep 5; echo 'Waiting for fence...'; done + export WTS_HOSTNAME={{ .Values.global.hostname }} echo "Trying to generate WTS client for hostname : $WTS_HOSTNAME..."