Set http proxy with kiali


Mickaël Roger BESSE

Nov 19, 2020, 3:15:15 AM
to kiali-users
Hello

I installed kiali using the operator deployed with helm.
I want to configure openid authentication in kiali as our kubernetes cluster is already configured using openid.
We are using azure AD and the issuer_uri is something like https://login.microsoftonline.com/XXXX
Kiali pods don't have direct access to internet, we have to use a proxy for that.
I need to find a way to configure kiali to use a proxy to be able to reach https://login.microsoftonline.com.
I tried to add https_proxy (also tried in upper case) in the env of the deployment of kiali but it doesn't work.

Do you know if it's possible to use http proxy in kiali ?

Regards
Mickael 

Mickaël Roger BESSE

Nov 19, 2020, 3:34:43 AM
to kiali-users
Just want to add a comment.
https_proxy defined in the deployment is used by kiali but it is not used to reach the issuer_uri URL.
Regards
Mickael 

John Mazzitelli

Nov 19, 2020, 4:35:19 AM
to Mickaël Roger BESSE, kiali-users
Have you reviewed the docs here?

https://kiali.io/documentation/latest/configuration/authentication/openid/

We also have this in the FAQ:

https://kiali.io/documentation/latest/faq/#x-forwarded-port

Related to that FAQ, we also have just introduced this port config to Kiali in case you don't want to use the solution described in the FAQ above. This feature will be in the next Kiali release (to be released tomorrow):

https://github.com/kiali/kiali-operator/pull/190/files

(note to Edgar - we might want to update that FAQ after tomorrow's release to mention this new web_port)

Mickaël Roger BESSE

Nov 19, 2020, 4:54:53 AM
to kiali-users
Hi

Thanks for the answer.
Yes, I reviewed the doc https://kiali.io/documentation/latest/configuration/authentication/openid/ and used it to do my openid configuration.

x-forwarded-port and port config are not related to my issue; for the moment I am using kubectl port-forward svc/kiali 20001:20001 -n istio-system to directly reach kiali from my browser.

The problem is that kiali tries to reach the URL https://login.microsoftonline.com/XXXXX/v2.0/.well-known/openid-configuration just after clicking the button "log in with openID"
It's not possible as the pod does not have direct access to internet and the http_proxy environment variable is ignored.

I have this error just after clicking the button "log in with openID"
  {"error":"Error fetching OpenID provider metadata.","detail":"Get \"https://login.microsoftonline.com/XXXXXX/v2.0/.well-known/openid-configuration\": dial tcp 40.126.1.167:443: i/o timeout (Client.Timeout exceeded while awaiting headers)"}  

Regards
Mickael

John Mazzitelli

Nov 19, 2020, 5:10:02 AM
to Mickaël Roger BESSE, kiali-users
(message to Edgar H. -> I think we may need more docs/FAQ on configuring with http proxies.)

This has come up many times in the past; unfortunately, I do not know enough about it to suggest anything. Let's see if Edgar can chime in. You also might want to search the kiali-users google group for past threads on this (also check the kiali-dev google group in case the threads I'm thinking of were over there).

Edgar Hernández

Nov 19, 2020, 11:13:58 AM
to Mickaël Roger BESSE, kiali-users
Hi, Mickaël

You will need to open a new GitHub issue asking for this support.
Most of the time, Kiali only "talks" to in-cluster services, so the forward proxy is usually not needed.

It's the first time we heard that somebody is using a forward proxy to reach the internet. It should, anyway, honor the environment variables, but since Kiali is creating a customized transport, I think we omitted this important detail of grabbing what is defined in the environment (see: https://github.com/kiali/kiali/blob/d13dc407c71ded8a6a456f2679e5efde3b86e546/business/openid_auth.go#L281-L292).
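
Added example, not Kiali's code and not part of any post in this thread: a Go sketch of why a hand-built `http.Transport` ignores `HTTPS_PROXY`, next to the same transport with the environment lookup restored. The helper names `newClient` and `proxyFor`, the proxy address and the metadata URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"time"
)

// newClient builds an HTTP client around a hand-made transport.
// With fromEnv=false the Proxy field stays nil, which tells net/http to dial
// the target directly and never consult HTTP_PROXY / HTTPS_PROXY / NO_PROXY.
func newClient(fromEnv bool) *http.Client {
	tr := &http.Transport{
		TLSHandshakeTimeout:   5 * time.Second,
		ResponseHeaderTimeout: 5 * time.Second,
	}
	if fromEnv {
		tr.Proxy = http.ProxyFromEnvironment // same setting http.DefaultTransport uses
	}
	return &http.Client{Timeout: 10 * time.Second, Transport: tr}
}

// proxyFor reports the proxy the client would use for rawURL; "" means direct dial.
func proxyFor(c *http.Client, rawURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	tr, ok := c.Transport.(*http.Transport)
	if !ok || tr.Proxy == nil {
		return "", nil
	}
	u, err := tr.Proxy(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

func main() {
	// Constructed values: the proxy address and metadata URL are placeholders.
	os.Setenv("HTTPS_PROXY", "http://proxy.example.internal:3128")
	const metadata = "https://idp.example.com/tenant/v2.0/.well-known/openid-configuration"
	for _, fromEnv := range []bool{false, true} {
		p, err := proxyFor(newClient(fromEnv), metadata)
		fmt.Printf("fromEnv=%-5v proxy=%q err=%v\n", fromEnv, p, err)
	}
}
```

`http.ProxyFromEnvironment` reads the environment once per process and also honors `NO_PROXY`, so in-cluster destinations can stay on the direct path while the identity provider goes through the egress proxy.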

Nathan Flynn

Nov 20, 2020, 10:38:21 AM
to kiali-users
We've the same issue as above. No direct internet access but need Kiali to use a proxy to retrieve the OIDC files.
