jaegertracing / helm-charts

Helm Charts for Jaeger backend
Apache License 2.0

[Bug]: jaeger query oauth2-proxy sidecar issues with config #523

Open Harphies opened 7 months ago

Harphies commented 7 months ago

What happened?

The oauth2-proxy sidecar doesn't work out of the box with the configmap volume mount.

It needs this -

args:

Steps to reproduce

Enable the OAuth proxy and you get the error:

query:
  oAuthSidecar:
    enabled: true

Expected behavior

The config should be passed to the config arguments of oauth-proxy container image.

Relevant log output

No response

Screenshot

No response

Additional context

No response

Jaeger backend version

v1.51.0

SDK

No response

Pipeline

No response

Storage backend

No response

Operating system

No response

Deployment model

No response

Deployment configs

No response

Stevenpc3 commented 6 months ago

This is correct. We got it to work using this modification to the values.yaml, a separate config of our own, and another template in a wrapper chart where we have it set up to use keycloak at a and jaeger at a path "https:\subdomain.domain\jaeger"

I am only adding all of this in case someone doing an update wants to add a few new features along with the fix.

query:
    agentSidecar:
      enabled: false
    # -- This should start with a /
    basePath: /jaeger
    # -- As of version 0.71.14, jaeger query only works on port 16686
    service:
      port: 16686
    oAuthSidecar:
      enabled: false
      # -- Use redis as session store instead of cookies (see [Troubleshooting](#Troubleshooting) section)
      redisSessions: false
      oauthSecretName: ""
      config: false
      pullPolicy: IfNotPresent
      containerPort: 4180
      args:
        - --config
        - /etc/oauth2-proxy/jaeger.conf
        - --show-debug-on-error=true
      extraConfigmapMounts:
        - name: oauth2-proxyconfig
          configMap: 'jaeger.conf'
          mountPath: '/etc/oauth2-proxy'
      # -- Keycloak values for oAuth integration/deployment
      keycloak:
        # -- Realm for keycloak, required Value if using oAuthSidecar
        realm: ""
        # -- ClientID for keycloak, required Value if using oAuthSidecar
        clientID: ""
        # -- ClientSecret for Keycloak, required Value if using oAuthSidecar
        clientSecret: ""
        # -- CookieSecure - boolean value that is required for the cookie secret
        cookieSecure: false
        # -- CookieSecret - required if cookieSecure is true
        cookieSecret: "SECRETSECRETSECR"
        # -- Location of URL for keycloak instance, required value if using oAuthSidecar
        url: ""
        # -- emailDomain for Keycloak, required value
        emailDomain: "*"

jaeger-tracing\templates\configmap.yaml

{{- if .Values.jaeger.query.oAuthSidecar.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: "jaeger.conf"
data:
  jaeger.conf: |-
{{ tpl (.Files.Get "config/jaegerConf.yaml") . | indent 4  }}
{{- end }}

jaeger-tracing\config\jaegerConf.yaml

{{- $redisURL := (include "site.com/common/serviceDiscovery/url/redis" .) -}}
{{- $oauthSidecar := default (dict) .Values.jaeger.query.oAuthSidecar -}}
{{- $oauthSecretName := default "" (include "site.com/common/util/tpl" (dict "root" . "value"  $oauthSidecar.oauthSecretName) )  -}}
{{- $secret_url := "" }}
{{- $secret_clientId :=  ""}}
{{- $secret_clientSecret := "" }}
{{- if $oauthSecretName -}}
  {{ $secret :=  (lookup "v1" "Secret" .Release.Namespace $oauthSecretName).data }}
    {{- if $secret }}
      {{- $secret_url =  $secret.baseUrl  | b64dec }}
      {{- $secret_clientId =  $secret.clientId  | b64dec }}
      {{- $secret_clientSecret =  $secret.clientSecret | b64dec }}
    {{- end -}}
{{- end -}}

{{- $url := .Values.jaeger.query.oAuthSidecar.keycloak.url -}}
{{- $realm := .Values.jaeger.query.oAuthSidecar.keycloak.realm -}}
{{- $endpoint := "" -}}
{{- if and $url $realm -}}
  {{- $endpoint = ( printf "https://%s/realms/%s" $url $realm ) -}}
{{- end -}}

{{- $clientId := .Values.jaeger.query.oAuthSidecar.keycloak.clientID -}}
{{- $clientSecret := .Values.jaeger.query.oAuthSidecar.keycloak.clientSecret -}}
{{- $emailDomain := .Values.jaeger.query.oAuthSidecar.keycloak.emailDomain -}}

{{- $keyCloak_url := required "Keycloak endpoint is required" (default $secret_url $endpoint) -}}
{{- $keyCloak_clientId := required "Keycloak ClientID is required" (default $secret_clientId $clientId) -}}
{{- $keyCloak_clientSecret := required "Keycloak clientSecret is required" (default $secret_clientSecret $clientSecret) -}}

provider = "oidc"
http_address = "0.0.0.0:4180"
oidc_issuer_url = "{{ $keyCloak_url }}"
client_id = "{{ $keyCloak_clientId }}"
client_secret = "{{ $keyCloak_clientSecret }}"
cookie_secret = "{{ .Values.jaeger.query.oAuthSidecar.keycloak.cookieSecret }}"
cookie_secure = {{ .Values.jaeger.query.oAuthSidecar.keycloak.cookieSecure }}
login_url = "{{ printf "%s/protocol/openid-connect/auth" $keyCloak_url }}"
redeem_url = "{{ printf "%s/protocol/openid-connect/token" $keyCloak_url }}"
validate_url = "{{ printf "%s/protocol/openid-connect/userinfo" $keyCloak_url  }}"
redirect_url = "{{ .Values.jaeger.query.basePath }}/oauth2/callback"
{{- if $emailDomain }}
email_domains = [{{ $emailDomain | quote }}]
{{- end }}
ssl_upstream_insecure_skip_verify = true
ssl_insecure_skip_verify = true
upstreams = ["http://localhost:16686"]
skip_provider_button = true
insecure_oidc_allow_unverified_email = true
proxy_prefix = "{{ .Values.jaeger.query.basePath }}/oauth2"
cookie_path = "{{ .Values.jaeger.query.basePath }}"
{{- if $oauthSidecar.redisSessions }}
session_store_type = "redis"
redis_connection_url = "{{ $redisURL }}"
{{- end }}
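The jaegerConf.yaml rendered above switches off several of oauth2-proxy's checks (TLS verification toward the identity provider, the verified-email requirement, secure cookies) and allows every account through with an email_domains wildcard, and it writes client_secret into a ConfigMap-backed file. As an added example, not code from this issue or from the jaegertracing/helm-charts project, the Python linter below parses the flat key = value file that oauth2-proxy reads via --config and reports those weak settings, then shows the same config in a hardened form. Both embedded configs are constructed (hostnames under .invalid, placeholder secrets); the hardened variant assumes client_secret and cookie_secret are injected from a Kubernetes Secret through the OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET environment variables, so they never appear in the rendered file.

```python
"""Lint a rendered oauth2-proxy config for settings that weaken the sidecar
in front of the Jaeger query UI. Added example, not part of the chart."""
import re

_STRING = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
_ARRAY = re.compile(r"^\[(.*)\]$")


def parse_value(raw):
    """Parse one value of oauth2-proxy's flat key = value config. Handles the
    subset used here: booleans, integers, quoted strings and single-line
    arrays of quoted strings (commas inside strings are not supported)."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    m = _STRING.match(raw)
    if m:
        return m.group(1)
    m = _ARRAY.match(raw)
    if m:
        inner = m.group(1).strip()
        return [parse_value(item) for item in inner.split(",")] if inner else []
    raise ValueError(f"unsupported value: {raw!r}")


def parse_config(text):
    """Parse a whole config file into a dict; blank lines and # comments are skipped."""
    cfg = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key = value, got {line!r}")
        cfg[key.strip()] = parse_value(value)
    return cfg


def lint_config(cfg):
    """Return (key, reason) findings for weak settings; an empty list means clean."""
    findings = []
    if cfg.get("ssl_insecure_skip_verify") is True:
        findings.append(("ssl_insecure_skip_verify",
                         "IdP TLS certificate is not verified; the token exchange can be intercepted"))
    if cfg.get("ssl_upstream_insecure_skip_verify") is True:
        findings.append(("ssl_upstream_insecure_skip_verify",
                         "upstream TLS is not verified; pointless for a plain-HTTP localhost upstream"))
    if cfg.get("insecure_oidc_allow_unverified_email") is True:
        findings.append(("insecure_oidc_allow_unverified_email",
                         "accounts with unverified email addresses are accepted"))
    if cfg.get("cookie_secure") is not True:
        findings.append(("cookie_secure", "session cookie may be sent over plain HTTP"))
    if cfg.get("email_domains") == ["*"]:
        findings.append(("email_domains", "any account the IdP knows is let in; restrict to your domain"))
    for key in ("client_secret", "cookie_secret"):
        value = cfg.get(key)
        if value is None:
            continue  # absent is fine: supplied via OAUTH2_PROXY_<KEY> from a Secret
        if len(set(value)) < 8:
            findings.append((key, "value looks like a placeholder"))
        else:
            findings.append((key, "secret embedded in a ConfigMap-backed file; move it to a Secret-backed env var"))
    return findings


# Constructed render of the template above with placeholder values (not a live deployment).
WEAK_CONFIG = """\
provider = "oidc"
http_address = "0.0.0.0:4180"
oidc_issuer_url = "https://keycloak.example.invalid/realms/jaeger"
client_id = "jaeger-query"
client_secret = "placeholder-client-secret-value"
cookie_secret = "SECRETSECRETSECR"
cookie_secure = false
redirect_url = "/jaeger/oauth2/callback"
email_domains = ["*"]
ssl_upstream_insecure_skip_verify = true
ssl_insecure_skip_verify = true
upstreams = ["http://localhost:16686"]
skip_provider_button = true
insecure_oidc_allow_unverified_email = true
proxy_prefix = "/jaeger/oauth2"
cookie_path = "/jaeger"
"""

# Constructed hardened variant; secrets come from OAUTH2_PROXY_CLIENT_SECRET /
# OAUTH2_PROXY_COOKIE_SECRET env vars populated from a Kubernetes Secret.
HARDENED_CONFIG = """\
provider = "oidc"
http_address = "0.0.0.0:4180"
oidc_issuer_url = "https://keycloak.example.invalid/realms/jaeger"
client_id = "jaeger-query"
cookie_secure = true
cookie_httponly = true
cookie_samesite = "lax"
redirect_url = "https://jaeger.example.invalid/jaeger/oauth2/callback"
email_domains = ["example.invalid"]
ssl_upstream_insecure_skip_verify = false
ssl_insecure_skip_verify = false
upstreams = ["http://localhost:16686"]
skip_provider_button = true
insecure_oidc_allow_unverified_email = false
proxy_prefix = "/jaeger/oauth2"
cookie_path = "/jaeger"
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = lint_config(parse_config(text))
        print(f"{name}: {len(findings)} finding(s)")
        for key, reason in findings:
            print(f"  {key}: {reason}")
```

Run it against the output of `helm template` (extract the jaeger.conf key from the rendered ConfigMap) in CI so a values change that re-enables one of the skip flags fails the pipeline before it reaches the cluster.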