atlassian / data-center-helm-charts

Helm charts for Atlassian's Data Center products
https://atlassian.github.io/data-center-helm-charts/
Apache License 2.0

[Suggestion] - Defining tomcatconfig.proxyName should override ingress.host #821

Closed Ansible-man closed 2 months ago

Ansible-man commented 3 months ago

Suggestion

We are experiencing issues with both jira and confluence related to reverse proxies. We have our ingress.host set to confluence.domain.com and a proxy that forwards requests to confluence.domain.com from confluence-prod.domain.com, which is also the base URL of confluence. This causes errors when logging into confluence because the proxyurl is set to the value of ingress.host despite us setting tomcatconfig.proxyName per https://confluence.atlassian.com/jirakb/base-url-warnings-on-manage-apps-page-in-jira-1381400679.html. We have also tried overriding the ENV vars with no luck. This has been the case with helm serverxml enabled and disabled.

Product

Jira, Confluence


bianchi2 commented 3 months ago

@Ansible-man thanks for sharing this use case. What you can do is define:

confluence:
  additionalEnvironmentVariables:
  - name: ATL_PROXY_NAME
    value: confluence-prod.domain.com

This will work if confluence.tomcatConfig.generateByHelm is set to false (i.e. server.xml is generated in the image entrypoint).

If confluence.tomcatConfig.generateByHelm is set to true, you can just set:

confluence:
  tomcatConfig:
    proxyName: confluence-prod.domain.com

Ansible-man commented 3 months ago

Thank you for the fast response

We have the following values set:

confluence:
  tomcatConfig:
    generateByHelm: true
    proxyName: "confluence-prod.domain.com"

We are observing that the config map generated by helm still sets the proxy name to the value of ingress.host. We also attempted deleting the configMap, and when it gets regenerated the value of ingress.host is still the value for proxyName within the configMap.

bianchi2 commented 3 months ago

Oh, right, it's because:

proxyName="{{ .Values.ingress.host | default .Values.confluence.tomcatConfig.proxyName }}"

It should be vice versa, default is ingress host unless it's overridden in the config. I'll raise a PR to fix it.

Have you tried just setting environment variable and let image entrypoint generate it?
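
Added example, not part of the thread or the chart's own code: the `default` precedence discussed in the comment above, rendered with Go's `text/template`. `sprigDefault` is a stand-in for the Sprig `default` function that Helm provides, the reversed expression is an assumed form of the fix (the PR's text is not on this page), and the host values are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// sprigDefault stands in for the `default` function Helm templates get from Sprig:
// it returns `given` unless that is empty, in which case it falls back to `d`.
func sprigDefault(d, given interface{}) interface{} {
	if s, ok := given.(string); given == nil || (ok && s == "") {
		return d
	}
	return given
}

const (
	// Expression quoted in the thread: ingress.host wins whenever it is set.
	asShipped = `{{ .Values.ingress.host | default .Values.confluence.tomcatConfig.proxyName }}`
	// Reversed order as described in the thread (assumed form, not copied from the fix).
	reversed = `{{ .Values.confluence.tomcatConfig.proxyName | default .Values.ingress.host }}`
)

// values builds a constructed .Values tree; "" stands for an unset key.
func values(ingressHost, proxyName string) map[string]interface{} {
	return map[string]interface{}{"Values": map[string]interface{}{
		"ingress":    map[string]interface{}{"host": ingressHost},
		"confluence": map[string]interface{}{"tomcatConfig": map[string]interface{}{"proxyName": proxyName}},
	}}
}

// render evaluates one proxyName expression against the constructed values.
func render(expr, ingressHost, proxyName string) string {
	t := template.Must(template.New("proxyName").
		Funcs(template.FuncMap{"default": sprigDefault}).Parse(expr))
	var out bytes.Buffer
	if err := t.Execute(&out, values(ingressHost, proxyName)); err != nil {
		panic(err)
	}
	return out.String()
}

func main() {
	host := "confluence.domain.com" // constructed ingress.host value
	for _, p := range []string{"confluence-prod.domain.com", ""} {
		fmt.Println(p, render(asShipped, host, p), render(reversed, host, p))
	}
}
```

With both values set, the expression quoted in the thread renders the ingress host, while the reversed order renders the explicit proxyName and only falls back to the ingress host when proxyName is empty.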

Ansible-man commented 3 months ago

We have tried that method as well with no luck. The ENV vars seem to get overwritten.

bianchi2 commented 3 months ago

@Ansible-man you must be doing it wrong. I have just tested it and it works for me:

helm install confluence ./ \
   --set ingress.create=true \
   --set ingress.host=hello.com \
   --set confluence.additionalEnvironmentVariables[0].name=ATL_PROXY_NAME \
   --set confluence.additionalEnvironmentVariables[0].value=no.com

And then check server.xml:

k exec -ti confluence-0 bash
root@confluence-0:/var/atlassian/application-data/confluence# cat /opt/atlassian/confluence/conf/server.xml | grep proxy
               proxyName="no.com"
               proxyPort="443"
        <Context path="${confluence.context.path}/synchrony-proxy"
                 docBase="../synchrony-proxy"
root@confluence-0:/var/atlassian/application-data/confluence#

inka commented 2 months ago

@bianchi2 I tried your example and it does not work for me with helm chart version 1.20.1.

I try to deploy Confluence datacenter with dedicated Synchrony URL and fail because both are using "ingress.host" to define their env vars.

So a mechanism to override ATL_PROXY_NAME for confluence tomcat would help me out.

My relevant values snippet:

    confluence:
      additionalEnvironmentVariables:
        # this override does not work because env var is defined already before in
        # https://github.com/atlassian/data-center-helm-charts/blob/main/src/main/charts/confluence/templates/statefulset.yaml#L200
        - name: ATL_PROXY_NAME
          value: ${var.fqdn}
      additionalJvmArgs:
        - '-synchrony.proxy.enabled=false'
        - '-Dsynchrony.service.url=https://synchrony-${var.fqdn}/synchrony'
    ingress:
      # this is used by synchrony in SYNCHRONY_SERVICE_URL env var and can not be overwritten
      # https://github.com/atlassian/data-center-helm-charts/blob/main/src/main/charts/confluence/templates/statefulset-synchrony.yaml#L100
      host: synchrony-${var.fqdn}
      https: true

bianchi2 commented 2 months ago

@inka the snippet you shared should override both proxy name in server.xml and synchrony url for you. Though your ingress.host does not look right. Do you expect Confluence to be available at https://synchrony-${var.fqdn}? https://github.com/atlassian/data-center-helm-charts/blob/main/src/main/charts/confluence/templates/_helpers.tpl#L200 this is how Synchrony url is defined.

Is your use case the same - you need different ingress hostname and proxy name? Or do you just need synchrony to be available on a different url? Say, confluence is confluence.example.com and synchrony is synchrony.example.com/synchrony?

I have double checked additionalEnvironmentVariables override and it works as expected - proxyName is overridden.

inka commented 2 months ago

If I run above config I get this in my container spec for confluence-0:

spec:
  containers:
  - env:
    - name: ATL_PROXY_NAME
      value: synchrony-confluence.my.url.com

and not like expected:

spec:
  containers:
  - env:
    - name: ATL_PROXY_NAME
      value: confluence.my.url.com

I wanted to have them on 2 different URLs because of the way our ALBs route to the ISTIO ingress. But I can also try to write the VirtualService in a different way and use the same FQDN. Would look like:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: {{ .Values.app }}
  namespace: {{ .Values.namespace }}
spec:
  gateways:
    - istio-system/global-gateway
  hosts:
    - {{ .Values.url }}
  http:
  - name: synchrony
    match:
    - uri:
        prefix: "/synchrony"
    route:
    - destination:
        host: confluence-synchrony.{{ .Values.namespace }}.svc.cluster.local
        port:
          number: 80
  - name: confluence
    route:
    - destination:
        host: confluence.{{ .Values.namespace }}.svc.cluster.local
        port:
          number: 80

Will test that and see how it goes. But this becomes off-topic. The general request of this suggestion I still support. It should be possible to override both URLs independent from each other.

and BTW regarding https://github.com/atlassian/data-center-helm-charts/blob/main/src/main/charts/confluence/templates/_helpers.tpl#L200 I got an error with JWT aud mismatch which went away via https://confluence.atlassian.com/confkb/synchrony-logs-show-invalid-aud-and-synchrony-is-not-connecting-to-confluence-937177818.html

bianchi2 commented 2 months ago

@inka what you are saying is that when you set ATL_PROXY_NAME in additional env vars in Helm values to confluence.my.url.com it is still synchrony-confluence.my.url.com as set in ingress.host? Please note that ATL_PROXY_NAME in container env will be duplicated, so there will be 2 variables with the same name, and the value of the last one will apply. Make sure you actually check server.xml and the effective ATL_PROXY_NAME value in the running container.

inka commented 2 months ago

@bianchi2 I checked again and you are right!

Indeed ATL_PROXY_NAME is set a second time in the env array with the correct value and appears from within the container as the correct overwritten value. So in my case it seems to be a different problem that the correct ENV var is not written into server.xml.

confluence@confluence-0:~$ env | grep -Ei '(ATL_PROXY_NAME|force)'
ATL_FORCE_CFG_UPDATE=true
ATL_PROXY_NAME=confluence.my.url.com

confluence@confluence-0:~$ cat /opt/atlassian/confluence/conf/server.xml | grep proxyName
               proxyName="synchrony-confluence.my.url.com"

With some wipe and retry it works finally! Thanks for that ultra quick response and help today. Really awesome.

bianchi2 commented 2 months ago

Fixed by https://github.com/atlassian/data-center-helm-charts/pull/822