csrf Forbidden on install behind nginx reverse proxy

[Nathaniel M - GoodBlock]

Thank you for looking at this. 

I am very new to kubes and awx. I Installed awx-operator from devel branch. 

When I go to log in now, I get a error "Error logging in." 

kubectl logs -f deployments/awx-web -c awx-web

0.244.0.1 - - [19/May/2023:15:40:50 +0000] "GET /api/login/ HTTP/1.0" 200 5710 "https://awx.myserver.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" "-"
[pid: 37|app: 0|req: 23/114] 10.244.0.1 () {64 vars in 1320 bytes} [Fri May 19 15:40:50 2023] GET /api/login/ => generated 5710 bytes in 176 msecs (HTTP/1.0 200) 10 headers in 460 bytes (1 switches on core 0)
2023-05-19 15:40:50,493 WARNING  [0652b6c133e642d58498550ce562ebd3] django.security.csrf Forbidden (Origin checking failed - https://awx.myserver.com  does not match any trusted origins.): /api/login/
[pid: 37|app: 0|req: 24/115] 10.244.0.1 () {70 vars in 1475 bytes} [Fri May 19 15:40:50 2023] POST /api/login/ => generated 1019 bytes in 51 msecs (HTTP/1.0 403) 7 headers in 276 bytes (1 switches on core 0)
10.244.0.1 - - [19/May/2023:15:40:50 +0000] "POST /api/login/ HTTP/1.0" 403 1019 "https://awx.myserver.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" "-"

I made a new user with password with "kubectl exec awx-operator-controller-manager-845fcfddfd-lm5kc -- --container -it awx-manage createsuperuser"

awx-operator 2.2.1. 

awx.yml ---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
spec:
  ingress_type: ingress
  hostname:  awx.myserver.com
  csrf_cookie_secure: 'False'
  service_type: nodeport

On the host, nginx reverse proxy is installed with a certbot cert for awx.myserver.com.

Can you help me with the reverse proxy setup? I'm sure it's some easy TLS thing, but I can't seem to get it right because of my unfamiliarity with the project.

[AWX Project]

there is a known issue around this.  You might fix this by adding your proxy server name to the CSRF_TRUSTED_ORIGINS, e.g.

CSRF_TRUSTED_ORIGINS = ['https://awx.myserver.com']

I tried passing that into extra_settings via the operator but couldn't figure out the write way to get it to render correctly :/

We plan to add this as a setting in the API

[Nathaniel M - GoodBlock]

where do I add it?

[AWX Project]

it is a django setting

generally the way to pass it is through the extra_settings on the AWX spec https://github.com/ansible/awx-operator#extra-settings

but because this list of strings it is tricky to get the exact syntax right

[AWX Project]

okay you can it via extra settings like this

extra_settings:

- setting: CSRF_TRUSTED_ORIGINS

value:

- https://localhost:3001

give that a shot

[Nathaniel M - GoodBlock]

Sadly, I've tried every way I can to add CSRF_TRUSTED_ORIGINS and can't seem to get django to NOT error in this way. I don't want awx-operator to handle my nginx. I have my own reverse proxy. 

[Nathaniel M - GoodBlock]

I also get django.request Not Found: /.well-known/acme-challenge/A0DTIVLvld2sTIgGjhtOWfc4iIltKus2HYY-rRTsZH8 errors. 

[AWX Project]

can't seem to get django to NOT error in this way

what errors are you seeing?

here are some other users with the same problem, it seems passing the CSRF_TRUSTED_ORIGINS helped in their case

https://github.com/ansible/awx/issues/14024#issuecomment-1557919352