openanalytics / shinyproxy-operator

Easily run ShinyProxy on a Kubernetes cluster
https://shinyproxy.io
Apache License 2.0

ShinyProxy not able to start with SAML settings #24

Open templary opened 2 years ago

templary commented 2 years ago

Hello,

When implementing the ShinyProxy operator we encountered a problem: even if I use the original, unmodified version of ShinyProxy, it does not work if I set the auth mode in the settings to SAML.

The application runs in a Kubernetes cluster on Gcloud.

.yaml config file

apiVersion: openanalytics.eu/v1
kind: ShinyProxy
metadata:
  name: shinyproxy
  namespace: shinyproxy
spec:
  server:
    secureCookies: true
    frameOptions: sameorigin
    forward-headers-strategy: native
  spring:
    session:
      store-type: redis
      redis:
        configure-action: none
    redis:
      host: redis
      password: ${REDIS_PASSWORD}
  proxy:
    operator:
      force-transfer: true
    title: ShinyProxy_222
    logoUrl: ""
    landingPage: /
    containerBackend: kubernetes
    kubernetes:
      namespace: shinyproxy
      internal-networking: true
      image-pull-policy: Always
    authentication: saml
    saml:
      idp-metadata-url: https://XXXXX.eu.auth0.com/samlp/metadata/XXXXXX
      app-entity-id: urn:XXXX
      app-base-url: http://localhost:8080
      name-attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      roles-attribute: http://schemas.auth0.com/roles
      logout-url: https://XXXXX/v2/logout?client_id=XXXXXX&returnTo=http://localhost:8080
      nameidentifier-attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
      email-verified-attribute: http://schemas.auth0.com/email_verified
      created-at-attribute: http://schemas.auth0.com/created_at
    admin-groups: scientists
    users:
      - name: jack
        password: password
        groups: scientists
      - name: jeff
        password: password
        groups: mathematicians
    specs:
      - id: 01_hello
        display-name: Hello Application
        description: Application which demonstrates the basics of a Shiny app
        container-cmd: [ "R", "-e", "shinyproxy::run_01_hello()" ]
        container-image: openanalytics/shinyproxy-demo
        access-groups: [ scientists, mathematicians ]
      - id: 06_tabsets
        container-cmd: [ "R", "-e", "shinyproxy::run_06_tabsets()" ]
        container-image: openanalytics/shinyproxy-demo
        access-groups: scientists
      - id: rstudio
        displayName: RStudio
        description: RStudio
        containerImage: openanalytics/shinyproxy-rstudio-ide-demo:1.4.1106__4.0.4
        port: 8787
        container-env:
          DISABLE_AUTH: true
          WWW_ROOT_PATH: "#{proxySpec.containerSpecs[0].env.get('SHINYPROXY_PUBLIC_PATH')}"
  kubernetesPodTemplateSpecPatches: |
    - op: add
      path: /spec/containers/0/env/-
      value:
        name: REDIS_PASSWORD
        valueFrom:
          secretKeyRef:
            name: redis-password
            key: password
    - op: add
      path: /spec/containers/0/resources
      value:
        limits:
          cpu: 1
        requests:
          cpu: 0.5
    - op: add
      path: /spec/serviceAccountName
      value: shinyproxy-sa
    - op: replace
      path: /spec/containers/0/startupProbe
      value:
        httpGet:
          path: /actuator/health/liveness
          port: 9090
          scheme: HTTP
        timeoutSeconds: 3
        periodSeconds: 5
        successThreshold: 1
        failureThreshold: 6
        initialDelaySeconds: 60
  image: openanalytics/shinyproxy:2.6.0
  imagePullPolicy: Always
  fqdn: shinyproxy-demo.local

Thank you a lot for your time

LEDfan commented 2 years ago

Hi

Can you explain a bit more what does not work? Is the pod with ShinyProxy not deployed? Or does it not start up? Or does SAML simply not work? Can you provide some logs of the operator and ShinyProxy?

Thanks

LEDfan commented 2 years ago

BTW it seems that the proxy.saml.app-base-url is wrong. You have configured it as http://localhost:8080 but that probably won't work in a k8s cluster. It should be the URL that your users see in the browser when you access the ShinyProxy environment. This is similar to what you configured in the proxy.fqdn property.
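
A check for the point raised in this comment, as an added example that is not part of the original thread or of the ShinyProxy project: it flags proxy.saml.app-base-url and the returnTo target of proxy.saml.logout-url when they point at a loopback host or at a host other than the resource's fqdn. The function name, the dict layout and the "aligned" values are assumptions; treating fqdn as the expected host follows the comparison made in the comment.

```python
from urllib.parse import urlsplit, parse_qs

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def check_saml_urls(spec):
    """Return (setting, url, problem) tuples for the 'spec' of a ShinyProxy resource."""
    saml = spec.get("proxy", {}).get("saml", {})
    fqdn = (spec.get("fqdn") or "").lower()
    candidates = []
    if saml.get("app-base-url"):
        candidates.append(("proxy.saml.app-base-url", saml["app-base-url"]))
    # The logout URL on the page carries the post-logout target in returnTo.
    query = urlsplit(saml.get("logout-url") or "").query
    for target in parse_qs(query).get("returnTo", []):
        candidates.append(("proxy.saml.logout-url returnTo", target))

    findings = []
    for setting, url in candidates:
        host = urlsplit(url).hostname  # None when the value is not an absolute URL
        if host is None:
            findings.append((setting, url, "not an absolute URL"))
        elif host in LOOPBACK_HOSTS:
            findings.append((setting, url, "loopback host, not what users see in the browser"))
        elif fqdn and host != fqdn:
            findings.append((setting, url, "host differs from fqdn " + fqdn))
    return findings

# Constructed input: only the relevant keys of the config posted in this issue.
POSTED_SPEC = {
    "fqdn": "shinyproxy-demo.local",
    "proxy": {"saml": {
        "app-base-url": "http://localhost:8080",
        "logout-url": "https://XXXXX/v2/logout?client_id=XXXXXX&returnTo=http://localhost:8080",
    }},
}
# Constructed "after" values (assumption: the site is served over HTTPS at the fqdn).
ALIGNED_SPEC = {
    "fqdn": "shinyproxy-demo.local",
    "proxy": {"saml": {
        "app-base-url": "https://shinyproxy-demo.local",
        "logout-url": "https://XXXXX/v2/logout?client_id=XXXXXX&returnTo=https://shinyproxy-demo.local",
    }},
}

if __name__ == "__main__":
    for setting, url, problem in check_saml_urls(POSTED_SPEC):
        print(f"{setting}: {url} -> {problem}")
```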

templary commented 2 years ago

Hi, I can create a new pod of shinyproxy, the operator also works as it should but I can't find any way to be able to run an application with a modified config file. The application stops at the moment -> see log and then restarts continuously.

Yes, localhost:8080 doesn't make sense here, but if I understand correctly, the application should be able to start despite this configuration mistake. Am I right?

LOG from shinyproxy pod

 :: Spring Boot ::       (v2.3.12.RELEASE)

2021-12-12 17:33:38.355  INFO 1 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Multiple Spring Data modules found, entering strict repository configuration mode!
2021-12-12 17:33:38.361  INFO 1 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2021-12-12 17:33:38.678  INFO 1 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 216ms. Found 0 Redis repository interfaces.
2021-12-12 17:33:49.255  INFO 1 --- [           main] e.o.c.service.IdentifierService          : ShinyProxy runtimeId:                   whdc
2021-12-12 17:33:50.455  INFO 1 --- [           main] e.o.c.service.IdentifierService          : ShinyProxy instanceID (hash of config): c056db7b293c8828a1cdd4fd27211821cde4a0f5
2021-12-12 17:33:50.456  INFO 1 --- [           main] e.o.c.service.IdentifierService          : ShinyProxy realmId:                     shinyproxy
2021-12-12 17:33:56.872  WARN 1 --- [           main] io.undertow.websockets.jsr               : UT026010: Buffer pool was not set on WebSocketDeploymentInfo, the default pool will be used
2021-12-12 17:33:57.183  INFO 1 --- [           main] io.undertow.servlet                      : Initializing Spring embedded WebApplicationContext
2021-12-12 17:33:57.184  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 29612 ms

Operator log

17:30:26.478 [0.103.128.1/...] DEBUG eu.op.sh.co.ReplicaSetFactory        - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Component/ReplicaSet] Created sp-shinyproxy-rs-c056db7b293c8828a1cdd4fd27211821cde4a0f5
17:30:26.479 [0.103.128.1/...] DEBUG eu.op.sh.co.ResourceListener         - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Event/Add component] [Component/ReplicaSet]
17:30:26.485 [0.103.128.1/...] INFO  eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 0/6: Ok] ReconcileSingleShinyProxy
17:30:26.486 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 1/6: Ok] [Component/ConfigMap]
17:30:26.486 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 2/6: Ok] [Component/ReplicaSet]
17:30:26.486 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 3/6: Waiting] [Component/ReplicaSet] ReplicaSet not ready
17:30:26.487 [0.103.128.1/...] DEBUG eu.op.sh.co.ResourceListener         - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Event/Update component] [Component/ReplicaSet]
17:30:26.492 [0.103.128.1/...] INFO  eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 0/6: Ok] ReconcileSingleShinyProxy
17:30:26.492 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 1/6: Ok] [Component/ConfigMap]
17:30:26.492 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 2/6: Ok] [Component/ReplicaSet]
17:30:26.493 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 3/6: Waiting] [Component/ReplicaSet] ReplicaSet not ready
17:30:26.494 [0.103.128.1/...] DEBUG eu.op.sh.co.ResourceListener         - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Event/Update component] [Component/ReplicaSet]
17:30:26.499 [0.103.128.1/...] INFO  eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 0/6: Ok] ReconcileSingleShinyProxy
17:30:26.500 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 1/6: Ok] [Component/ConfigMap]
17:30:26.500 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 2/6: Ok] [Component/ReplicaSet]
17:30:26.500 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 3/6: Waiting] [Component/ReplicaSet] ReplicaSet not ready
17:30:27.033 [atcher-worker-2] INFO  eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/3b29815c5e7c7091b6c3bf82f567caea6196a340] ShinyProxyInstance has no running apps and is not the latest version => removing this instance
17:30:27.034 [atcher-worker-2] INFO  eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/3b29815c5e7c7091b6c3bf82f567caea6196a340] DeleteSingleShinyProxyInstance [Step 1/3]: Update status
17:30:27.034 [atcher-worker-2] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/global] Trying to update status (attempt 1/5)
17:30:27.054 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyListener       - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Event/Update]
17:30:27.054 [atcher-worker-2] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/global] Status successfully updated
17:30:27.055 [atcher-worker-2] INFO  eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/3b29815c5e7c7091b6c3bf82f567caea6196a340] DeleteSingleShinyProxyInstance [Step 2/3]: Update Ingress
17:30:27.099 [atcher-worker-2] INFO  eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 0/6: Ok] ReconcileSingleShinyProxy
17:30:27.100 [atcher-worker-2] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 1/6: Ok] [Component/ConfigMap]
17:30:27.100 [atcher-worker-2] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 2/6: Ok] [Component/ReplicaSet]
17:30:27.100 [atcher-worker-2] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 3/6: Waiting] [Component/ReplicaSet] ReplicaSet not ready
17:30:57.058 [atcher-worker-2] INFO  eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/3b29815c5e7c7091b6c3bf82f567caea6196a340] DeleteSingleShinyProxyInstance [Step 3/3]: Delete resources
17:30:57.071 [0.103.128.1/...] WARN  eu.op.sh.co.ResourceListener         - [ReplicaSet] [shinyproxy/sp-shinyproxy-rs-3b29815c5e7c7091b6c3bf82f567caea6196a340] Cannot find hash of instance for this resource - probably the resource is being deleted
17:30:57.078 [0.103.128.1/...] WARN  eu.op.sh.co.ResourceListener         - [ConfigMap] [shinyproxy/sp-shinyproxy-cm-3b29815c5e7c7091b6c3bf82f567caea6196a340] Cannot find hash of instance for this resource - probably the resource is being deleted
17:37:09.459 [pool-3-thread-1] DEBUG eu.op.sh.co.ShinyProxyListener       - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Event/Update]
17:37:09.482 [pool-3-thread-1] INFO  eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 0/6: Ok] ReconcileSingleShinyProxy
17:37:09.483 [pool-3-thread-1] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 1/6: Ok] [Component/ConfigMap]
17:37:09.483 [pool-3-thread-1] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 2/6: Ok] [Component/ReplicaSet]
17:37:09.483 [pool-3-thread-1] DEBUG eu.op.sh.co.ShinyProxyController     - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 3/6: Waiting] [Component/ReplicaSet] ReplicaSet not ready

LEDfan commented 2 years ago

Hi

I think there may be a misunderstanding of how the operator works. You mention:

> but I can't find any way to be able to run an application with a modified config file. The application stops at the moment -> see log and then restarts continuously.

If you update the shinyproxy resource, the operator will launch a new ShinyProxy pod with the updated configuration file. If nobody is using the old ShinyProxy server, it will cleanup (i.e. remove) the old ShinyProxy server. This is expected behavior. As a user, you should not notice this and it should feel like you are using only one ShinyProxy server.

Does this help? If not, can you try to more clearly explain what is going on? Can you show the k8s events added to the ShinyProxy pod as well (e.g. using kubectl describe pod/...)?