Open pmallampati-sift opened 3 weeks ago
Hello @pmallampati-sift! I'm here to help you with any questions or issues you might have. I can assist with bug fixes, troubleshooting, and becoming a contributor.
To deploy DevLake with a MySQL database hosted on GCP with SSL enabled using a Helm chart, you need to pass the SSL certificates in the DB connection string. Here are the steps to achieve this:
Create a Kubernetes secret with the necessary database connection details and SSL certificates:
kubectl create secret generic devlake-mysql-auth \
--from-literal=MYSQL_USER=<your-username> \
--from-literal=MYSQL_PASSWORD=<your-password> \
--from-literal=MYSQL_DATABASE=<your-database> \
--from-literal=MYSQL_ROOT_PASSWORD=<your-root-password> \
--from-literal=DB_URL='mysql://<your-username>:<your-password>@<dbserver>:<port>/<database>?charset=utf8mb4&parseTime=True&tls=custom' \
--from-file=ca-cert=<path-to-ca-cert> \
--from-file=client-cert=<path-to-client-cert> \
--from-file=client-key=<path-to-client-key>
Install the DevLake Helm chart and reference the created secret:
helm repo add devlake https://apache.github.io/incubator-devlake-helm-chart
helm repo update
ENCRYPTION_SECRET=$(openssl rand -base64 2000 | tr -dc 'A-Z' | fold -w 128 | head -n 1)
helm install devlake devlake/devlake \
--set mysql.useExternal=true \
--set mysql.externalServer=<dbserver> \
--set mysql.externalPort=<port> \
--set mysql.username=<your-username> \
--set mysql.password=<your-password> \
--set mysql.database=<your-database> \
--set option.connectionSecretName=devlake-mysql-auth \
--set lake.encryptionSecret.secret=$ENCRYPTION_SECRET
Replace <your-username>
, <your-password>
, <your-database>
, <your-root-password>
, <dbserver>
, <port>
, <path-to-ca-cert>
, <path-to-client-cert>
, and <path-to-client-key>
with your actual values [1].
To continue talking to Dosu, mention @dosu.
Per above suggestion when deployed with above config it says unknown value tls=custom
for tls option.
Tried with tls=skip-verify
which gave access denied error.
--from-literal=DB_URL='mysql://<your-username>:<your-password>@<dbserver>:<port>/<database>?charset=utf8mb4&parseTime=True&tls=custom' \
error log from DB
textPayload: "time="2024-08-21 19:27:26" level=info msg="\x1b[35m/app/core/runner/db.go:154\n\x1b[0m\x1b[31m[error] \x1b[0mfailed to initialize database, got error invalid value / unknown config name: custom""
To correctly configure the DB_URL
for deploying DevLake with a managed GCP Cloud database service using SSL, you should use the tls=custom
option and specify the path to your CA certificate. Here is an example configuration:
DB_URL=mysql://<your-username>:<your-password>@<dbserver>:<port>/<database>?charset=utf8mb4&parseTime=True&tls=custom&ca-cert=/path/to/your/ca-certificate.crt
Make sure to replace /path/to/your/ca-certificate.crt
with the actual path to your CA certificate file. This configuration ensures that the SSL certificate is verified using the provided CA certificate. If you encounter issues with tls=custom
, you can also try tls=skip-verify
as a fallback, but be aware that it will not verify the SSL certificate [1][2][3].
To continue talking to Dosu, mention @dosu.
@dosu Hi We are seeing below error when deploying with SSL
"Wraps: (3) x509: cannot validate certificate for X.X.X.X(ip) because it doesn't contain any IP SANs"
To resolve the "x509: cannot validate certificate for X.X.X.X(ip) because it doesn't contain any IP SANs" error when deploying DevLake with SSL, you can add your root CA to the devlake
container. Here is an example of how to do this using docker-compose
:
devlake:
image: apache/devlake:v...
...
volumes:
...
- /path/to/your/rootCA.crt:/usr/local/share/ca-certificates/rootCA.crt
command: [ "sh", "-c", "update-ca-certificates; lake" ]
...
This approach involves mounting your rootCA.crt
into the devlake
container and adding a command
node to install the mounted certificate. Additionally, if you encounter a "Test Connection" error, you can set the environment variable IN_SECURE_SKIP_VERIFY=true
for the devlake
container to bypass certificate verification. Note that "GitExtractor" may fail to clone the repository due to certificate verification, as neither gogit nor git2go supports insecure HTTPS [1][2][3][4][5].
To continue talking to Dosu, mention @dosu.
@dosu We are using clouds sql from GCP and in the generated ssl certs we have CN=Google Cloud SQL Server CA but missing SAN name in it. But lake is trying to verify SAN in the certificates. Any workarounds.
To address the issue with the missing SAN names in the SSL certificates generated by GCP Cloud SQL, you can add your root CA to the devlake
container and update the CA certificates within the container. Here is an example of how to do this using docker-compose
:
devlake:
image: apache/devlake:v...
...
volumes:
...
- /path/to/your/rootCA.crt:/usr/local/share/ca-certificates/rootCA.crt
command: [ "sh", "-c", "update-ca-certificates; lake" ]
...
Since you are using Helm, you can adapt this approach by adding the root CA to your Helm chart configuration. Here is an example of how to do this:
Create a Kubernetes secret with your root CA:
kubectl create secret generic root-ca-cert --from-file=rootCA.crt=/path/to/your/rootCA.crt
Update your Helm chart to mount the root CA and update the CA certificates:
volumeMounts:
- name: newcerts
mountPath: /etc/ssl/certs
- name: root-ca-cert
mountPath: /usr/local/share/ca-certificates/rootCA.crt
volumes:
- name: newcerts
secret:
secretName: newcerts
- name: root-ca-cert
secret:
secretName: root-ca-cert
initContainers:
- name: update-ca-certificates
image: busybox
command: ["sh", "-c", "update-ca-certificates"]
volumeMounts:
- name: root-ca-cert
mountPath: /usr/local/share/ca-certificates/rootCA.crt
Ensure the IN_SECURE_SKIP_VERIFY=true
environment variable is set:
env:
- name: IN_SECURE_SKIP_VERIFY
value: "true"
This setup should help in cases where the generated SSL certificates have CN=Google Cloud SQL Server CA but are missing SAN names, and mounting the required certs and setting IN_SECURE_SKIP_VERIFY=true
does not resolve the issue [1][2][3].
To continue talking to Dosu, mention @dosu.
@dosu
I have executed above suggested steps but still I am getting same error
Also generated a rootCA.crt
using the DB dns and placed below certs in/etc/ssl/certs folder.
devlake-client-key.pem
devlake-client-cert.pem
devlake-server-ca.pem
rootCA.crt
Also placed rootCA.crt under /usr/local/share/ca-certificates
in lake container
Wraps: (3) x509: cannot validate certificate for 10.252.182.24 because it doesn't contain any IP SANs
Also in the init container I am seeing below error.
ERROR 2024-08-23T06:13:29.444710841Z [resource.labels.containerName: update-ca-certificates] sh: update-ca-certificates: not found
To resolve the "x509: cannot validate certificate for 10.252.182.24 because it doesn't contain any IP SANs" error when deploying DevLake with SSL, you need to ensure that your root CA is properly added to the devlake
container. Given that you are seeing an "update-ca-certificates: not found" error in the init container, it indicates that the update-ca-certificates
command is not available in the container's environment.
Here is a solution based on the provided documentation:
Mount your rootCA.crt
into the devlake
container:
Ensure that your root CA certificate is mounted correctly into the container.
Install the necessary package to use update-ca-certificates
:
Modify the command
node to install the required package before running update-ca-certificates
.
Here is an example of how you can modify your docker-compose
file to achieve this:
devlake:
image: apache/devlake:v...
...
volumes:
...
- /path/to/your/rootCA.crt:/usr/local/share/ca-certificates/rootCA.crt
command: [ "sh", "-c", "apt-get update && apt-get install -y ca-certificates && update-ca-certificates; lake" ]
...
This command ensures that the ca-certificates
package is installed, which provides the update-ca-certificates
command, and then updates the CA certificates before starting the lake
process.
Additionally, if you encounter issues with self-signed certificates, you can set the environment variable IN_SECURE_SKIP_VERIFY=true
for the devlake
container to bypass certificate verification during the "Test Connection" phase. However, this is not recommended for production environments due to security concerns.
For more detailed troubleshooting, you can refer to the Configuration and Blueprint Troubleshooting section in the DevLake documentation. Specifically, the section on "Failed to collect data from the server with a self-signed certificate" provides relevant information and solutions [1][2][3][4][5].
To continue talking to Dosu, mention @dosu.
@dosu Could you please give instructions on how to execute below steps via helm chart.
Install the necessary package to use update-ca-certificates:
Modify the command node to install the required package before running update-ca-certificates.
To execute the steps for installing the necessary package and running update-ca-certificates
via the Helm chart, you can use an init container to handle the installation and update process. Here is how you can modify your Helm chart configuration to achieve this:
Create a Kubernetes secret with your root CA:
kubectl create secret generic root-ca-cert --from-file=rootCA.crt=/path/to/your/rootCA.crt
Update your values.yaml
file to include the init container and mount the root CA:
lake:
initContainers:
- name: update-ca-certificates
image: debian:bullseye
command: ["sh", "-c", "apt-get update && apt-get install -y ca-certificates && cp /mnt/rootCA.crt /usr/local/share/ca-certificates/rootCA.crt && update-ca-certificates"]
volumeMounts:
- name: root-ca-cert
mountPath: /mnt
volumes:
- name: root-ca-cert
secret:
secretName: root-ca-cert
Install the Helm chart with the updated configuration:
helm repo add devlake https://apache.github.io/incubator-devlake-helm-chart
helm repo update
ENCRYPTION_SECRET=$(openssl rand -base64 2000 | tr -dc 'A-Z' | fold -w 128 | head -n 1)
helm install devlake devlake/devlake \
--set mysql.useExternal=true \
--set mysql.externalServer=<dbserver> \
--set mysql.externalPort=<port> \
--set mysql.username=<your-username> \
--set mysql.password=<your-password> \
--set mysql.database=<your-database> \
--set lake.encryptionSecret.secret=$ENCRYPTION_SECRET \
--values values.yaml
Replace <dbserver>
, <port>
, <your-username>
, <your-password>
, and <your-database>
with your actual values.
This configuration ensures that the ca-certificates
package is installed, the root CA certificate is copied to the appropriate location, and the CA certificates are updated before the main lake
container starts.
To continue talking to Dosu, mention @dosu.
@dosu
Per your suggestion if we do below step, do we still need to create the devlake-mysql-auth
with DB url and SSL certs as you have mentioned here https://github.com/apache/incubator-devlake/issues/7928#issuecomment-2300787106
`lake: initContainers:
name: update-ca-certificates image: debian:bullseye command: ["sh", "-c", "apt-get update && apt-get install -y ca-certificates && cp /mnt/rootCA.crt /usr/local/share/ca-certificates/rootCA.crt && update-ca-certificates"] volumeMounts:
volumes:
Yes, you still need to create the devlake-mysql-auth
with the database URL and SSL certificates even if you implement an init container to update CA certificates. The init container approach is for updating CA certificates within the devlake
container, but it does not replace the need for the devlake-mysql-auth
configuration which is required for database authentication and SSL setup [1].
To continue talking to Dosu, mention @dosu.
@dosu
In that case its still not working with above suggestion I was able to get the both below init containers up and running.
But after that the lake container is still failing with
Wraps: (3) x509: cannot validate certificate for because it doesn't contain any IP SANs
To resolve the "x509: cannot validate certificate for 10.252.182.24 because it doesn't contain any IP SANs" error, you can bypass the certificate verification by setting the IN_SECURE_SKIP_VERIFY
environment variable to true
. This is not recommended for production environments due to security concerns, but it can help you move forward.
Here is how you can update your Helm chart configuration to include this environment variable:
Update your values.yaml
file to include the IN_SECURE_SKIP_VERIFY
environment variable:
lake:
env:
- name: IN_SECURE_SKIP_VERIFY
value: "true"
Install the Helm chart with the updated configuration:
helm repo add devlake https://apache.github.io/incubator-devlake-helm-chart
helm repo update
ENCRYPTION_SECRET=$(openssl rand -base64 2000 | tr -dc 'A-Z' | fold -w 128 | head -n 1)
helm install devlake devlake/devlake \
--set mysql.useExternal=true \
--set mysql.externalServer=<dbserver> \
--set mysql.externalPort=<port> \
--set mysql.username=<your-username> \
--set mysql.password=<your-password> \
--set mysql.database=<your-database> \
--set lake.encryptionSecret.secret=$ENCRYPTION_SECRET \
--values values.yaml
Replace <dbserver>
, <port>
, <your-username>
, <your-password>
, and <your-database>
with your actual values.
This configuration will bypass the certificate verification, allowing the lake
container to connect to the database despite the missing IP SANs in the certificate [1][2][3][4][5].
To continue talking to Dosu, mention @dosu.
It appears that MySQL SSL connections are currently not supported. For now, I recommend trying a connection without an SSL certificate.
Thank you @klesh yes mysql SSL were not supported, but we were able to resolve the issue by connecting using cloudsql-auth-proxy.
Hi @dosu How to add new plugins to devlake using helm chart.
To add new plugins to DevLake using a Helm chart, follow these steps:
Modify the values.yaml
file:
Add the new plugin configuration under the lake.plugins
section in the values.yaml
file. For example, if you are adding a plugin named new-plugin
, you might add:
lake:
plugins:
- name: new-plugin
image: your-docker-repo/new-plugin:latest
env:
- name: PLUGIN_SETTING
value: "some-value"
Install or upgrade the Helm chart with the updated values.yaml
:
Use the helm install
or helm upgrade
command with the updated values.yaml
file.
helm repo add devlake https://apache.github.io/incubator-devlake-helm-chart
helm repo update
ENCRYPTION_SECRET=$(openssl rand -base64 2000 | tr -dc 'A-Z' | fold -w 128 | head -n 1)
helm upgrade devlake devlake/devlake --version=0.20.0-beta8 --set lake.encryptionSecret.secret=$ENCRYPTION_SECRET -f values.yaml
This will apply the new configuration and include the new plugin in your DevLake installation [1][2].
To continue talking to Dosu, mention @dosu.
hi @dosu Can we integrate devlake with OKTA SSO config....?
Currently, there is no specific documentation or configuration guide for integrating DevLake with OKTA SSO. However, DevLake does support SSO integration through the authproxy
service, which uses oauth2-proxy
. This service can be configured to work with various OAuth2 providers, including OKTA.
Here is a general approach to integrate DevLake with OKTA SSO using oauth2-proxy
:
Configure oauth2-proxy
with OKTA settings:
Update the docker-compose-dev.yml
file to include the necessary OKTA configuration for oauth2-proxy
.
authproxy:
image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0-amd64
network_mode: "host"
ports:
- 4180:4180
env_file:
- ./.env
environment:
OAUTH2_PROXY_PROVIDER: oidc
OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: OKTA
OAUTH2_PROXY_COOKIE_SECRET: <your-cookie-secret>
OAUTH2_PROXY_COOKIE_DOMAINS: localhost:4180
OAUTH2_PROXY_COOKIE_SECURE: 'false'
OAUTH2_PROXY_EMAIL_DOMAINS: '*'
OAUTH2_PROXY_OIDC_ISSUER_URL: https://<your-okta-domain>/oauth2/default
OAUTH2_PROXY_CLIENT_ID: <your-client-id>
OAUTH2_PROXY_CLIENT_SECRET: <your-client-secret>
OAUTH2_PROXY_UPSTREAMS: http://localhost:4000
OAUTH2_PROXY_HTTP_ADDRESS: http://0.0.0.0:4180
OAUTH2_PROXY_REVERSE_PROXY: 'true'
OAUTH2_PROXY_SKIP_AUTH_ROUTES: ^/grafana.*
Deploy the updated configuration:
Ensure that the authproxy
service is deployed with the updated configuration.
Update Helm chart for OKTA SSO:
If you are using Helm, you can add the necessary environment variables and configurations in your values.yaml
file.
authproxy:
enabled: true
image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0-amd64
env:
- name: OAUTH2_PROXY_PROVIDER
value: oidc
- name: OAUTH2_PROXY_PROVIDER_DISPLAY_NAME
value: OKTA
- name: OAUTH2_PROXY_COOKIE_SECRET
value: <your-cookie-secret>
- name: OAUTH2_PROXY_COOKIE_DOMAINS
value: localhost:4180
- name: OAUTH2_PROXY_COOKIE_SECURE
value: 'false'
- name: OAUTH2_PROXY_EMAIL_DOMAINS
value: '*'
- name: OAUTH2_PROXY_OIDC_ISSUER_URL
value: https://<your-okta-domain>/oauth2/default
- name: OAUTH2_PROXY_CLIENT_ID
value: <your-client-id>
- name: OAUTH2_PROXY_CLIENT_SECRET
value: <your-client-secret>
- name: OAUTH2_PROXY_UPSTREAMS
value: http://localhost:4000
- name: OAUTH2_PROXY_HTTP_ADDRESS
value: http://0.0.0.0:4180
- name: OAUTH2_PROXY_REVERSE_PROXY
value: 'true'
- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
value: ^/grafana.*
Install or upgrade the Helm chart:
Use the helm install
or helm upgrade
command with the updated values.yaml
file.
helm repo add devlake https://apache.github.io/incubator-devlake-helm-chart
helm repo update
helm upgrade devlake devlake/devlake --values values.yaml
This setup should help you integrate DevLake with OKTA SSO using oauth2-proxy
. Make sure to replace placeholders like <your-cookie-secret>
, <your-okta-domain>
, <your-client-id>
, and <your-client-secret>
with your actual OKTA configuration values.
To continue talking to Dosu, mention @dosu.
@dosu How do I get value of OAUTH2_PROXY_COOKIE_SECRET to configure oauth2-proxy....?
To generate a value for OAUTH2_PROXY_COOKIE_SECRET
to configure oauth2-proxy
, you can use a secure random string. This secret is used to encrypt the cookie data, so it should be a strong, random value.
Here are a few ways to generate this secret:
You can use the openssl
command to generate a random base64 string:
openssl rand -base64 32
You can also use Python to generate a random string:
import os
import base64
print(base64.b64encode(os.urandom(32)).decode('utf-8'))
If you are on a Linux system, you can use the following command:
head -c32 /dev/urandom | base64
Once you have generated the secret, it will look something like this:
s3cr3tK3yTh4tIsV3ryS3cur3AndR4nd0m==
You can then use this value in your values.yaml
file or environment variable configuration for oauth2-proxy
:
authproxy:
enabled: true
image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0-amd64
env:
- name: OAUTH2_PROXY_PROVIDER
value: oidc
- name: OAUTH2_PROXY_PROVIDER_DISPLAY_NAME
value: OKTA
- name: OAUTH2_PROXY_COOKIE_SECRET
value: s3cr3tK3yTh4tIsV3ryS3cur3AndR4nd0m==
- name: OAUTH2_PROXY_COOKIE_DOMAINS
value: localhost:4180
- name: OAUTH2_PROXY_COOKIE_SECURE
value: 'false'
- name: OAUTH2_PROXY_EMAIL_DOMAINS
value: '*'
- name: OAUTH2_PROXY_OIDC_ISSUER_URL
value: https://<your-okta-domain>/oauth2/default
- name: OAUTH2_PROXY_CLIENT_ID
value: <your-client-id>
- name: OAUTH2_PROXY_CLIENT_SECRET
value: <your-client-secret>
- name: OAUTH2_PROXY_UPSTREAMS
value: http://localhost:4000
- name: OAUTH2_PROXY_HTTP_ADDRESS
value: http://0.0.0.0:4180
- name: OAUTH2_PROXY_REVERSE_PROXY
value: 'true'
- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
value: ^/grafana.*
Replace <your-okta-domain>
, <your-client-id>
, and <your-client-secret>
with your actual OKTA configuration values.
To continue talking to Dosu, mention @dosu.
@dosu
Per suggestion I have added the oauth2-proxy,
settings to vaules.yml file, but still I get basic auth username/password pop up coming up.
Do we need to delete the pod resources and recreate from scratch...?
To resolve the issue of the basic auth username/password pop-up still appearing after adding oauth2-proxy
, you may need to ensure that the oauth2-proxy
is correctly configured and that the old configurations are not interfering. Here are a few steps to troubleshoot and resolve this:
Verify oauth2-proxy
Configuration:
Ensure that the oauth2-proxy
configuration is correct and that it is properly integrated with your OKTA settings.
Check Ingress Configuration:
Make sure that your Ingress configuration is routing traffic through the oauth2-proxy
. This typically involves updating the Ingress annotations to use oauth2-proxy
.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: devlake-ingress
annotations:
nginx.ingress.kubernetes.io/auth-url: "https://<your-domain>/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://<your-domain>/oauth2/start?rd=$request_uri"
spec:
rules:
- host: <your-domain>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: devlake
port:
number: 80
Delete and Recreate Pods: If the configuration changes are not taking effect, you may need to delete the existing pods to ensure that the new configuration is applied. You can do this by deleting the pods, and Kubernetes will automatically recreate them with the updated configuration.
kubectl delete pod -l app=devlake
Check Logs:
Check the logs of the oauth2-proxy
and devlake
pods to ensure that there are no errors and that the authentication flow is working as expected.
kubectl logs <oauth2-proxy-pod-name>
kubectl logs <devlake-pod-name>
Update Helm Chart:
Ensure that your Helm chart values are correctly set to use oauth2-proxy
. Here is an example of what your values.yaml
might look like:
authproxy:
enabled: true
image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0-amd64
env:
- name: OAUTH2_PROXY_PROVIDER
value: oidc
- name: OAUTH2_PROXY_PROVIDER_DISPLAY_NAME
value: OKTA
- name: OAUTH2_PROXY_COOKIE_SECRET
value: s3cr3tK3yTh4tIsV3ryS3cur3AndR4nd0m==
- name: OAUTH2_PROXY_COOKIE_DOMAINS
value: localhost:4180
- name: OAUTH2_PROXY_COOKIE_SECURE
value: 'false'
- name: OAUTH2_PROXY_EMAIL_DOMAINS
value: '*'
- name: OAUTH2_PROXY_OIDC_ISSUER_URL
value: https://<your-okta-domain>/oauth2/default
- name: OAUTH2_PROXY_CLIENT_ID
value: <your-client-id>
- name: OAUTH2_PROXY_CLIENT_SECRET
value: <your-client-secret>
- name: OAUTH2_PROXY_UPSTREAMS
value: http://localhost:4000
- name: OAUTH2_PROXY_HTTP_ADDRESS
value: http://0.0.0.0:4180
- name: OAUTH2_PROXY_REVERSE_PROXY
value: 'true'
- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
value: ^/grafana.*
After making these changes, redeploy the Helm chart:
helm upgrade devlake devlake/devlake --values values.yaml
By following these steps, you should be able to resolve the issue and ensure that the oauth2-proxy
is correctly handling authentication.
To continue talking to Dosu, mention @dosu.
@dosu Did configuration per above message. I can see ingress got added but oauth2-proxy pod is not coming up. I can only see 2 pods dev-lake and UI.
NAME READY STATUS RESTARTS AGE
devlake-lake- 2/2 Running 1 (4m15s ago) 4m16s
devlake-ui 1/1 Running 0 4m16s
To troubleshoot why the oauth2-proxy
pod is not coming up, let's check a few things:
Verify Helm Chart Configuration:
Ensure that the oauth2-proxy
configuration is correctly added to your values.yaml
file. Here is an example configuration:
authproxy:
enabled: true
image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0-amd64
env:
- name: OAUTH2_PROXY_PROVIDER
value: oidc
- name: OAUTH2_PROXY_PROVIDER_DISPLAY_NAME
value: OKTA
- name: OAUTH2_PROXY_COOKIE_SECRET
value: s3cr3tK3yTh4tIsV3ryS3cur3AndR4nd0m==
- name: OAUTH2_PROXY_COOKIE_DOMAINS
value: localhost:4180
- name: OAUTH2_PROXY_COOKIE_SECURE
value: 'false'
- name: OAUTH2_PROXY_EMAIL_DOMAINS
value: '*'
- name: OAUTH2_PROXY_OIDC_ISSUER_URL
value: https://<your-okta-domain>/oauth2/default
- name: OAUTH2_PROXY_CLIENT_ID
value: <your-client-id>
- name: OAUTH2_PROXY_CLIENT_SECRET
value: <your-client-secret>
- name: OAUTH2_PROXY_UPSTREAMS
value: http://localhost:4000
- name: OAUTH2_PROXY_HTTP_ADDRESS
value: http://0.0.0.0:4180
- name: OAUTH2_PROXY_REVERSE_PROXY
value: 'true'
- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
value: ^/grafana.*
Check Helm Release Status: Check the status of your Helm release to see if there are any errors or issues:
helm status devlake
Check Kubernetes Events:
Check the Kubernetes events to see if there are any errors related to the oauth2-proxy
pod:
kubectl get events --sort-by=.metadata.creationTimestamp
Check for Pod Creation:
Ensure that the oauth2-proxy
pod is being created. If it is not, there might be an issue with the Helm chart configuration. List all pods to see if there are any pending or failed pods:
kubectl get pods
Check Helm Chart Values:
Ensure that the authproxy
section is correctly indented and placed in the values.yaml
file. Misconfiguration or incorrect indentation can cause the Helm chart to ignore the authproxy
settings.
Check Logs:
If the oauth2-proxy
pod is created but not running, check the logs for the pod to see if there are any errors:
kubectl logs <oauth2-proxy-pod-name>
Redeploy Helm Chart:
If you made any changes to the values.yaml
file, redeploy the Helm chart:
helm upgrade devlake devlake/devlake --values values.yaml
If you still do not see the oauth2-proxy
pod, please provide the output of the helm status devlake
and kubectl get events
commands, as well as any relevant logs, so I can help you further diagnose the issue.
To continue talking to Dosu, mention @dosu.
Hi @dosu
We are have forked https://github.com/apache/incubator-devlake repo and developed a new internal custom plugin. Now how can we generate a new devlake image to include new plugin and deploy it in our own cloud using helm chart.
Thanks in advance.
To generate a new DevLake image that includes your custom plugin and deploy it in your own cloud using a Helm chart, follow these steps:
Build the Custom DevLake Image:
Dockerfile
that includes your custom plugin.Example Dockerfile
:
FROM apache/devlake:latest
COPY your-plugin /path/to/plugin
Build and push the image:
docker build -t your-registry/your-devlake:custom .
docker push your-registry/your-devlake:custom
Deploy Using Helm:
Example Helm commands:
helm repo add devlake https://apache.github.io/incubator-devlake-helm-chart
helm repo update
ENCRYPTION_SECRET=$(openssl rand -base64 2000 | tr -dc 'A-Z' | fold -w 128 | head -n 1)
helm install devlake devlake/devlake \
--set lake.image.repository=your-registry/your-devlake \
--set lake.image.tag=custom \
--set lake.encryptionSecret.secret=$ENCRYPTION_SECRET
This will deploy DevLake with your custom plugin included in the image. For more detailed instructions and additional configuration options, you can refer to the Apache DevLake Helm Setup documentation.
Custom Timezone:
helm install devlake devlake/devlake \
--set lake.image.repository=your-registry/your-devlake \
--set lake.image.tag=custom \
--set lake.encryptionSecret.secret=$ENCRYPTION_SECRET \
--set commonEnvs.TZ="your timezone" \
--set grafana.env.TZ="your timezone"
Set Grafana Admin Password:
helm install devlake devlake/devlake \
--set lake.image.repository=your-registry/your-devlake \
--set lake.image.tag=custom \
--set lake.encryptionSecret.secret=$ENCRYPTION_SECRET \
--set grafana.adminPassword=<your password>
Deploy with NodePort:
helm install devlake devlake/devlake \
--set lake.image.repository=your-registry/your-devlake \
--set lake.image.tag=custom \
--set lake.encryptionSecret.secret=$ENCRYPTION_SECRET \
--set service.uiPort=30000
Deploy with Ingress:
helm install devlake devlake/devlake \
--set lake.image.repository=your-registry/your-devlake \
--set lake.image.tag=custom \
--set lake.encryptionSecret.secret=$ENCRYPTION_SECRET \
--set "ingress.enabled=true,ingress.hostname=devlake.example.com"
For more detailed deployment scenarios and configurations, refer to the Helm Setup documentation [1][2][3][4].
To continue talking to Dosu, mention @dosu.
Thank you @dosu
Can you also send me details on how to generate a image just for plugin by itself and have the plugin image in helm values file.
To generate an image just for a custom plugin and configure the Helm values file to use this plugin image, follow these steps:
Build the Docker Image for Your Custom Plugin:
Create a Dockerfile
for your custom plugin and build the Docker image.
Example Dockerfile
:
FROM alpine:latest
COPY your-plugin /path/to/plugin
Build and push the image:
docker build -t your-registry/your-custom-plugin:latest .
docker push your-registry/your-custom-plugin:latest
Configure the Helm Values File to Use the Custom Plugin Image:
Update the values.yaml
file or use the --set
flag to specify the custom plugin image.
Example values.yaml
configuration:
lake:
image:
repository: your-registry/your-custom-plugin
tag: latest
pullPolicy: Always
Alternatively, you can set these values directly in the Helm install command:
helm repo add devlake https://apache.github.io/incubator-devlake-helm-chart
helm repo update
ENCRYPTION_SECRET=$(openssl rand -base64 2000 | tr -dc 'A-Z' | fold -w 128 | head -n 1)
helm install devlake devlake/devlake \
--set lake.image.repository=your-registry/your-custom-plugin \
--set lake.image.tag=latest \
--set lake.image.pullPolicy=Always \
--set lake.encryptionSecret.secret=$ENCRYPTION_SECRET
This will configure the Helm chart to use your custom plugin image [1][2].
To continue talking to Dosu, mention @dosu.
Question
Hi currently we are trying to deploy devlake in our dev env. We are trying to integrate devlake using helm chart with managed GCP Cloud database service. Our DB is SSL enabled and we don't see how to pass the SSL certs in the DB conn string part of helm chart. Could you please let us know what additional params we need to use for using SSL in additional to below params we pass to helm command.
Screenshots
If applicable, add screenshots to help explain.
Additional context
Add any other context here.