Kiali: https cannot be disabled?

Created on 31 Dec 2019 · 6 Comments · Source: kiali/kiali

Describe the bug
"When cert_file and private_key_file are set to an empty string, https will be disabled." This doesn't seem to work. I use a Kubernetes Ingress, and attaching the ingress to the Kiali service works normally, but when hitting http it redirects automatically to https.

Versions used
Kiali: kiali-operator.v1.11.0
Istio: 1.4.2
Kubernetes flavour and version: 1.14.9

To Reproduce
The following is my manifest for the operator.

apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  name: kiali
  namespace: istio
spec:
  installation_tag: Kiali
  istio_namespace: istio
  deployment:
    namespace: istio
    verbose_mode: '4'
    view_only_mode: false
  identity:
    cert_file: ''
    private_key_file: ''
  external_services:
    grafana:
      url: 'http://grafana.monitoring'
    prometheus:
      url: "http://prometheus-server.monitoring"
      custom_metrics_url: "http://prometheus-server.monitoring"
    tracing:
      url: 'http://jaeger-query.istio:16686'
  server:
    web_root: /kiali

Expected behavior
According to the documentation, having added the identity fields as empty strings, https should be disabled and when hitting 'kiali.my.domain.io' (example hostname) redirection to https should not occur.

Am I missing something?

Many Thanks!

bug

All 6 comments

@eosantigen I'm looking into this .. but can you tell me the results of the following (note: I am assuming you changed the name of the istio controlplane namespace -- you aren't using "istio-system" but rather "istio" - this is why the commands below use -n istio)

kubectl get service kiali -n istio -o jsonpath='{.spec.ports}'

and

kubectl get cm kiali -n istio -o jsonpath="{.data['config\.yaml']}" | grep "_file"

and

kubectl get ingress kiali -n istio -o yaml

Thanks for the reply.

Output 1:

[map[name:http port:20001 protocol:TCP targetPort:20001]]

Output 2:

      ca_file: ''
      ca_file: ''
      ca_file: ''
  cert_file: ''
  private_key_file: ''

Output 3:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    field.cattle.io/ingressState: '{"a2lhbGkvaXN0aW8va2lhbGkubWV0aXMuc2l0ZS8va2lhbGkvMjAwMDE=":""}'
    field.cattle.io/publicEndpoints: '[{"addresses":["172.20.0.94"],"port":80,"protocol":"HTTP","serviceName":"istio:kiali","ingressName":"istio:kiali","hostname":"kiali.metis.site","path":"/kiali","allNodes":true}]'
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/secure-backends: "false"
  creationTimestamp: "2019-12-31T10:35:39Z"
  generation: 41
  labels:
    app: kiali
    version: v1.11.0
  name: kiali
  namespace: istio
  ownerReferences:
  - apiVersion: kiali.io/v1alpha1
    kind: Kiali
    name: kiali
    uid: 2a0f5383-2bb9-11ea-9b7a-ee35c2ee6d2c
  resourceVersion: "54909492"
  selfLink: /apis/extensions/v1beta1/namespaces/istio/ingresses/kiali
  uid: 4996ff67-2bb9-11ea-b674-e6b99219a925
spec:
  rules:
  - host: kiali.metis.site
    http:
      paths:
      - backend:
          serviceName: kiali
          servicePort: 20001
        path: /kiali
status:
  loadBalancer:
    ingress:
    - ip: 172.20.0.94
    - ip: 172.20.0.95
    - ip: 172.20.0.96
    - ip: 172.20.0.97
    - ip: 172.20.0.98

Thanks again. In case everything looks like ssl is indeed disabled and this is not a bug, it might be because of the cache in my browser, because now it seems that it actually has been disabled... So I should close this, sorry for the inconvenience, I just didn't imagine the browser keeps a cache for redirection to https! (at least that's what it seems to have been happening).

Many Thanks and Congrats on Istio and Kiali

@eosantigen I'm not ready to stop looking at this yet :) because something looks weird to me. I noticed when the kiali operator installs the Ingress, it applies these two pieces of metadata annotations to it:

metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/secure-backends: "true"

This comes from here: https://github.com/kiali/kiali/blob/v1.11/operator/roles/kiali-deploy/templates/kubernetes/ingress.yaml#L9-L14

I thought this was a bug - that we need to flip these to HTTP and false if the identity fields are empty (the operator does not do this today). But I noticed in your Ingress, the annotations turn off the https protocol - from your last post:

metadata:
  annotations:
...
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/secure-backends: "false"

Do you happen to know how they flipped to HTTP and false? Did you perhaps (or someone else) manually change this? Because I do not think the Kiali operator did that (I'm still investigating if the operator somehow changes these). Or it could be the Kubernetes Ingress subsystem somehow knows the backend doesn't support HTTPS and Kubernetes itself (or nginx?) updated the annotations? I'm just guessing, but I do not know why your annotations there indicate HTTP and not HTTPS (which is what I thought the bug is).

Nice thought, but this is not an ingress generated by the Operator! It has been applied by me separately because we use ingress-nginx controller on our k8s env. On which I haven't enabled these two annotations for using https... Don't worry, I think it's been solved, so not worthy to waste your time :) Cheers.

@eosantigen you are smarter than you think :) You did come across (perhaps unknowingly) a bug in the operator, even if you aren't specifically hitting it. I'm going to open a new github issue (since the bug is with the ingress created by the operator when it is told to create one; you have your own ingress that actually works around the bug).

issue that came out of this investigation: https://github.com/kiali/kiali/issues/2066
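
The mismatch this thread uncovered (empty identity fields while the Ingress still tells nginx to speak HTTPS to the backend) can be checked mechanically. The following is an added example, not code from the Kiali project or from the posters; the function names and sample manifests are constructed here from the values quoted in the thread, and the line scan assumes `cert_file` and `private_key_file` appear only under `identity`.

```python
import json
import re

PROTO = "nginx.ingress.kubernetes.io/backend-protocol"
SECURE = "nginx.ingress.kubernetes.io/secure-backends"

# Constructed samples built from the values quoted in the thread.
CONFIG_NO_TLS = "identity:\n  cert_file: ''\n  private_key_file: ''\n"
CONFIG_TLS = "identity:\n  cert_file: /certs/tls.crt\n  private_key_file: /certs/tls.key\n"
OPERATOR_INGRESS = json.dumps({"metadata": {"annotations": {PROTO: "HTTPS", SECURE: "true"}}})
USER_INGRESS = json.dumps({"metadata": {"annotations": {PROTO: "HTTP", SECURE: "false"}}})


def kiali_serves_tls(config_yaml):
    """True only when both identity files are non-empty (line scan, like grep "_file")."""
    found = {}
    pattern = r"^[ \t]*(cert_file|private_key_file):[ \t]*(.*)$"
    for key, raw in re.findall(pattern, config_yaml, re.M):
        found[key] = raw.strip().strip("'\"")
    return bool(found.get("cert_file")) and bool(found.get("private_key_file"))


def ingress_backend_is_https(ingress):
    """True when either annotation tells ingress-nginx to use TLS to the backend."""
    ann = (ingress.get("metadata") or {}).get("annotations") or {}
    # Absent annotations are treated as plain HTTP, the ingress-nginx default.
    proto = str(ann.get(PROTO, "HTTP")).upper()
    secure = str(ann.get(SECURE, "false")).lower()
    return proto == "HTTPS" or secure == "true"


def check(config_yaml, ingress_json):
    """Compare what Kiali serves with what the Ingress expects from it."""
    tls = kiali_serves_tls(config_yaml)
    https = ingress_backend_is_https(json.loads(ingress_json))
    if tls == https:
        return "ok"
    if https:
        return "mismatch: ingress speaks HTTPS to a plain-HTTP Kiali"
    return "mismatch: ingress speaks plain HTTP to a TLS-enabled Kiali"


if __name__ == "__main__":
    # Real input: the config.yaml text from the kiali ConfigMap and the output of
    # `kubectl get ingress kiali -n istio -o json`.
    print("operator-style ingress:", check(CONFIG_NO_TLS, OPERATOR_INGRESS))
    print("reporter's ingress:    ", check(CONFIG_NO_TLS, USER_INGRESS))
```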
