1Panel-dev / webkubectl

Run kubectl command in Web Browser.


How to configure this application for Kubernetes

stevelaclasse opened this issue · comments

Hi all, and thanks for this great tool,

I want to use your application in a Kubernetes cluster. I have created a simple Helm chart for it with: Deployment, Service and Secret. I am using the latest image: kubeoperator/webkubectl:latest

1. Without authentication

I can generate a token to create a session and connect, but once connected, I always got an authentication error: error: You must be logged in to the server (Unauthorized)

I didn't try with the KubeConfig file.

2. With authentication:

I have proceeded as explained in this blog to add a secret for the credentials: https://www.civo.com/learn/webkubectl-running-kubectl-commands-from-your-web-browser

But once the GOTTY_CREDENTIAL env variable is set, the pod cannot be started. If I use a dummy variable, it will start.

I can share the helm chart if it can help to solve the issue.

3. How can we handle multiple-user authentication in this context?

Thanks

I also tried to add it with the GOTTY_OPTION env variable like this: GOTTY_OPTIONS : --port 8080 --permit-write --permit-arguments --credential user01:password01 . The variable is set, I can see it, but the pod cannot start.

I saw that basic authentication is disabled by default. Should it be enabled first before we pass the credentials?

Hi,

Would you please share the logs of pod and your helm chart?

Hi,
Here are the logs

  1. Without authentication (when the pod starts)

2022/10/19 09:48:47 Welcome to use webkubectl.
2022/10/19 09:48:47 GoTTY is starting with command: /opt/webkubectl/start-session.sh
2022/10/19 09:48:47 Permitting clients to write input to the PTY.
2022/10/19 09:48:47 HTTP server is listening at: http://:::8080

  2. With env GOTTY_CREDENTIAL set (pod always restarts)

2022/10/19 10:06:26 Welcome to use webkubectl.
2022/10/19 10:06:26 GoTTY is starting with command: /opt/webkubectl/start-session.sh
2022/10/19 10:06:26 Using Basic Authentication
2022/10/19 10:06:26 Permitting clients to write input to the PTY.
2022/10/19 10:06:26 HTTP server is listening at: http://:::8080

GOTTY_CREDENTIAL=user01:password01

The Helm chart can be downloaded at this address: https://www.filemail.com/d/djwkizkxqhexfds

It appears that when we remove the readinessProbe check in the deployment manifest, the pod starts and the authentication works. But the first problem still remains: error: You must be logged in to the server (Unauthorized)

Thanks

Hi,
I have commented out the readinessProbe and livenessProbe in the deployment manifest and added a configmap in the Helm chart to support multi-client authentication. I can use either the GOTTY_CREDENTIAL or the GOTTY_CREDENTIAL_FILE env variable. But the problem after the connection is still the same: error: You must be logged in to the server (Unauthorized).
To get the token, you now need to add this flag to the command to authenticate: -u "us01:pass01"
In the pod logs, I can see that I am connected:

2022/10/19 13:54:07 New client connected: 10.42.2.61:36534, connections: 1/0


Hi,
Just checked your chart, it seems the readinessProbe and livenessProbe are missing the HTTP port.

error: You must be logged in to the server (Unauthorized)

Would you please check if your token is valid, or try with a KubeConfig file?

Hi @liqiang-fit2cloud and thank you for your answer.

The HTTP port for both liveness and readiness is already defined. The problem is that when authentication is enabled with the GOTTY_CREDENTIAL env variable, this check fails, as it expects an HTTP 200 response but gets an HTTP 401 (Unauthorized) response. A solution for this would be to expose a health check endpoint without authentication.

error: You must be logged in to the server (Unauthorized)

would you please check if your token is valid? or take a try with KubeConfig file?

The generated token is valid, here is the output: {"success":true,"token":"7i6dfryikj2pl56dx11r","message":""}

It works when using the Kubeconfig file, but it won't be ideal to share this file among many users.

It is better to figure out how to make it work with the token.
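The probe failure described in the comment above, as an added example that is not part of the thread or the webkubectl project: an unauthenticated `httpGet` probe fails once GoTTY answers 401, while a `tcpSocket` probe only checks that port 8080 accepts connections, so basic authentication can stay enabled. The container name, Secret name, Secret key, probe path and timings are assumptions.

```yaml
# Added example: container section of a Deployment pod template.
containers:
  - name: webkubectl                      # assumed container name
    image: kubeoperator/webkubectl:latest
    env:
      - name: GOTTY_CREDENTIAL            # enables GoTTY basic authentication
        valueFrom:
          secretKeyRef:
            name: webkubectl-credential   # assumed Secret name
            key: credential               # assumed key holding "user:password"
    ports:
      - name: http
        containerPort: 8080               # port from the pod logs in this thread

    # Before: HTTP probe without credentials. With basic authentication on,
    # the server replies 401; the kubelet treats only 200-399 as success,
    # so the pod never becomes Ready and is restarted by the liveness probe.
    # readinessProbe:
    #   httpGet:
    #     path: /                         # assumed path
    #     port: http

    # After: TCP probes need no credential and keep health checking in place
    # instead of removing the probes altogether.
    readinessProbe:
      tcpSocket:
        port: http
      initialDelaySeconds: 5              # assumed timings
      periodSeconds: 10
    livenessProbe:
      tcpSocket:
        port: http
      initialDelaySeconds: 15
      periodSeconds: 20
```

An `httpGet` probe can also send an `Authorization` header through `httpHeaders`, but that places the base64-encoded credential in the pod spec, where anyone allowed to read pods can recover it.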

Hi,
I didn't ask if the webkubectl token is valid...
I am wondering if your kubernetes bearer token is valid and ServiceAccount has sufficient permissions.
You can check it like this.

I the Kubernetes bearer token is valid, and I think the generated token also works. The problem is that the token value changes in the URL (https://webkubectl-ip-address/terminal/?token=####value###), so the server receives an invalid token.
When I look carefully, the token that I paste in the token field in the form is not the same as the one that appears in the URL when I click on the connect button, and this value changes at each click on the connect url.


I think I misused the Kubernetes bearer token and the webkubectl token.

The Helm Chart can be found here : https://github.com/stevelaclasse/Webkubectl_Helm_Chart.git

Thanks for your support.