epinio / epinio

Opinionated platform that runs on Kubernetes, that takes you from App to URL in one step.
https://epinio.io
Apache License 2.0

DEX UI not working with Rancher / Docker Desktop #2102

Closed mmartin24 closed 1 year ago

mmartin24 commented 1 year ago

Issue:

Cannot log in with OIDC / DEX when deploying Epinio v1.7.0 on Rancher Desktop v1.7.0 with Kubernetes version 1.25.4. Checked on Mac, Windows and Linux. CLI connection is working OK. Note: verified same error with Docker Desktop.

Error logs:

ERRO[Thu Feb 23 13:08:51 UTC 2023] Failed to create Dex Client: failed to create dex OIDC provider: Get "https://auth.127.0.0.1.nip.io/.well-known/openid-configuration": dial tcp 127.0.0.1:443: connect: connection refused
creating the provider
github.com/epinio/ui-backend/src/jetstream/dex.NewOIDCProviderWithEndpoint
    /go/src/ui-backend/src/jetstream/dex/dex.go:71
main.(*portalProxy).GetDex
    /go/src/ui-backend/src/jetstream/main.go:1325
github.com/epinio/ui-backend/src/jetstream/plugins/epinio/dex.RedirectUrl
    /go/src/ui-backend/src/jetstream/plugins/epinio/dex/api.go:18
github.com/epinio/ui-backend/src/jetstream/plugins/epinio.(*Epinio).AddRootGroupRoutes.func6
    /go/src/ui-backend/src/jetstream/plugins/epinio/main.go:224
main.(*portalProxy).setSecureCacheContentMiddleware.func1
    /go/src/ui-backend/src/jetstream/middleware.go:242
main.(*portalProxy).setSecureCacheContentMiddleware.func1
    /go/src/ui-backend/src/jetstream/middleware.go:242
github.com/labstack/echo/v4.(*Echo).add.func1
    /root/go/pkg/mod/github.com/labstack/echo/v4@v4.7.2/echo.go:520
main.(*portalProxy).urlCheckMiddleware.func1
    /go/src/ui-backend/src/jetstream/middleware.go:222
main.(*portalProxy).setStaticCacheContentMiddleware.func1
    /go/src/ui-backend/src/jetstream/middleware.go:230
github.com/epinio/ui-backend/src/jetstream/plugins/epinio.(*Epinio).SessionEchoMiddleware.func1
    /go/src/ui-backend/src/jetstream/plugins/epinio/main.go:110
github.com/epinio/ui-backend/src/jetstream/plugins/epinio.(*Epinio).EchoMiddleware.func1
    /go/src/ui-backend/src/jetstream/plugins/epinio/main.go:97
main.retryAfterUpgradeMiddleware.func1
    /go/src/ui-backend/src/jetstream/middleware.go:299
main.errorLoggingMiddleware.func1
    /go/src/ui-backend/src/jetstream/middleware.go:271
github.com/labstack/echo/v4/middleware.SecureWithConfig.func1.1
    /root/go/pkg/mod/github.com/labstack/echo/v4@v4.7.2/middleware/secure.go:142
github.com/labstack/echo/v4/middleware.CORSWithConfig.func1.1
    /root/go/pkg/mod/github.com/labstack/echo/v4@v4.7.2/middleware/cors.go:142
github.com/labstack/echo/v4/middleware.RecoverWithConfig.func1.1
    /root/go/pkg/mod/github.com/labstack/echo/v4@v4.7.2/middleware/recover.go:119
github.com/labstack/echo/v4/middleware.LoggerWithConfig.func2.1
    /root/go/pkg/mod/github.com/labstack/echo/v4@v4.7.2/middleware/logger.go:117
main.sessionCleanupMiddleware.func1
    /go/src/ui-backend/src/jetstream/middleware.go:201
github.com/labstack/echo/v4.(*Echo).ServeHTTP
    /root/go/pkg/mod/github.com/labstack/echo/v4@v4.7.2/echo.go:630
net/http.serverHandler.ServeHTTP
    /usr/local/go/src/net/http/server.go:2936
net/http.(*conn).serve
    /usr/local/go/src/net/http/server.go:1995
runtime.goexit
    /usr/local/go/src/runtime/asm_amd64.s:1598
{"time":"2023-02-23T13:08:51.993553601Z","level":"ERROR","prefix":"echo","file":"main.go","line":"1258","message":"code=500, message={\"status\":\"error\",\"error\":\"Failed to create Dex Client\"}"}
Request: [2023-02-23T13:08:51Z] Remote-IP:"10.42.0.7" Method:"GET" Path:"/pp/v1/epinio/rancher/dex/redirectUrl" Status:500 Latency:59.193ms Bytes-In:0 Bytes-Out:5

thehejik commented 1 year ago

On Linux the problem is with --set global.domain=127.0.0.1.nip.io (sets ingress endpoints), which works well for external RD network/cluster communication. But the epinio-ui pod is trying to communicate with auth.127.0.0.1.nip.io within the RD network, which also translates to 127.0.0.1:443, but there is no ingress listening to respond.

The ingress in RD actually listens on 192.168.5.15:

k get svc traefik -n kube-system 
NAME      TYPE           CLUSTER-IP      EXTERNAL-IP                              PORT(S)                      AGE
traefik   LoadBalancer   10.43.201.109   192.168.5.15,fec0::5055:55ff:fe21:b7d7   80:30654/TCP,443:31600/TCP   3h

Maybe there is a simpler way to work around that via Helm charts, but this approach worked for me without extra Epinio configuration:

enrichman commented 1 year ago

I'm going to reopen this because we still need to bump the charts.

mmartin24 commented 1 year ago

Revalidated in Epinio v1.7.1-rc1:

image
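
Added example, not part of the thread and not Epinio or ui-backend code: a preflight check for the failure thehejik diagnoses above, where the OIDC issuer host resolves to loopback and, from inside a pod, points at the pod itself instead of the ingress. `CheckIssuer`, `Resolver`, `constructedResolver` and the hostname `auth.192.168.5.15.nip.io` are hypothetical names built from the addresses shown in the thread; in a real pod `net.LookupIP` would be passed as the resolver.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Resolver maps a hostname to IPs; net.LookupIP satisfies it in a real pod.
type Resolver func(host string) ([]net.IP, error)

// CheckIssuer reports whether the OIDC issuer can be reached in principle from
// inside a pod: a loopback answer points at the pod itself, not the ingress.
func CheckIssuer(issuer string, resolve Resolver) (ok bool, reason string) {
	u, err := url.Parse(issuer)
	if err != nil || u.Hostname() == "" {
		return false, "issuer is not a valid absolute URL"
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return false, "issuer host does not resolve: " + u.Hostname()
	}
	for _, ip := range ips {
		if ip.IsLoopback() {
			return false, fmt.Sprintf("%s resolves to loopback %s; inside a pod that is the pod itself", u.Hostname(), ip)
		}
	}
	return true, fmt.Sprintf("%s resolves to %s", u.Hostname(), ips[0])
}

// constructedResolver imitates nip.io answers for the two addresses in the
// thread so the example runs offline (constructed data, not a real lookup).
func constructedResolver(host string) ([]net.IP, error) {
	table := map[string]string{
		"auth.127.0.0.1.nip.io":    "127.0.0.1",
		"auth.192.168.5.15.nip.io": "192.168.5.15",
	}
	if ip, found := table[host]; found {
		return []net.IP{net.ParseIP(ip)}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	for _, issuer := range []string{"https://auth.127.0.0.1.nip.io", "https://auth.192.168.5.15.nip.io"} {
		ok, reason := CheckIssuer(issuer, constructedResolver)
		fmt.Printf("%-36s ok=%v  %s\n", issuer, ok, reason)
	}
}
```

Running such a check at backend startup turns the HTTP 500 on `/pp/v1/epinio/rancher/dex/redirectUrl` into a configuration error that names the issuer host.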