trinodb / charts

Unable to set auth password in installation kubernetes, already set https and shared-secret

hdavila146 opened this issue · comments

Hello, I already set https behind an ingress with a cert, enabled shared secret and configured an authentication type PASSWORD, but I am still unable to set the configuration for the password file.
This is my current config values.yaml:

```yaml
image:
  tag: ""
server:
  workers: 3
  config:
    https:
      enabled: true
      port: 8443
      keystore:
        path: ""
    authenticationType: "PASSWORD"
auth:
  passwordAuth: "XXXX:XXXX"
  refreshPeriod: 1m
additionalConfigProperties:
    - "internal-communication.shared-secret=XXXX"

coordinator:
  secretMounts:
    - name: trino-password-authentication
      secretName: trino-file-authentication
      path: /etc/trino/auth
  jvm:
    maxHeapSize: "8G"
worker:
  jvm:
    maxHeapSize: "8G"
service:
  type: "NodePort"
  port: 8080
ingress:
  enabled: true
  className: ""
  annotations:
    kubernetes.io/ingress.class: "nginx"
  hosts:
  - host: somedomain.com
    paths:
       - backend:
          service:
            name: trino-cluster
            port:
              number: 8080
         path: /
         pathType: Prefix
  - http:
    paths:
       - backend:
          service:
            name: trino-cluster
            port:
              number: 8080
         path: /*
         pathType: ImplementationSpecific
  tls:
  - hosts:
    -  somedomain.com
    secretName: secret-tls
```

I got no errors; it just does not enable the auth by password in the login screen. Of course XXXX are the password and user.
For creating the password I followed this procedure:

Creating a password file

Password files utilizing the bcrypt format can be created using the htpasswd utility from the Apache HTTP Server. The cost must be specified, as Trino enforces a higher minimum cost than the default.

Create an empty password file to get started:

```sh
touch password.db
```

Add or update the password for the user test:

```sh
htpasswd -B -C 10 password.db test
```

And for the shared-secret I use:

```sh
openssl rand 512 | base64
```

Hi @hdavila146!

It's already happened to me. After spending a lot of time investigating, again and again, I noticed that my bcrypt string started with $2a$, but Trino supports $2y$.

After replacing the start of the string, the password authentication works. Maybe this could be your problem... It's just a guess.
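
A pre-flight check for the bcrypt prefix and cost issues raised in this thread, as an added example that is not part of the original comments or of the Trino chart. It covers only bcrypt entries such as those `htpasswd -B` writes; the function names, the sample entries, and the `$2y$` / minimum-cost-8 rule are assumptions of this example to confirm against your Trino version.

```python
import re

# Assumption (check against the Trino version in use): the file authenticator
# accepts bcrypt hashes only with the $2y$ prefix and a cost of at least 8.
REQUIRED_VARIANT = "2y"
MIN_BCRYPT_COST = 8

# bcrypt layout: $<variant>$<two-digit cost>$<22-char salt + 31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")


def check_entry(line, min_cost=MIN_BCRYPT_COST):
    """Return the problems found in one 'user:hash' line (empty list = OK)."""
    user, sep, hashed = line.strip().partition(":")
    if not sep or not user:
        return ["not in user:hash form"]
    match = BCRYPT_RE.match(hashed)
    if match is None:
        return [f"{user}: hash is not a well-formed bcrypt string"]
    variant, cost = match.group(1), int(match.group(2))
    problems = []
    if variant != REQUIRED_VARIANT:
        problems.append(f"{user}: prefix ${variant}$ found, expected $2y$")
    if cost < min_cost:
        problems.append(f"{user}: cost {cost} is below minimum {min_cost}")
    return problems


def check_password_file(text, min_cost=MIN_BCRYPT_COST):
    """Check every non-blank line; return {line_number: [problems]}."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip():
            problems = check_entry(line, min_cost)
            if problems:
                report[number] = problems
    return report

# Constructed sample: the 53-character body is a placeholder, not a real hash.
FAKE_BODY = "." * 22 + "A" * 31
SAMPLE = "\n".join([
    "alice:$2y$10$" + FAKE_BODY,  # shape produced by htpasswd -B -C 10
    "bob:$2a$10$" + FAKE_BODY,    # the $2a$ prefix discussed in this thread
    "carol:$2y$05$" + FAKE_BODY,  # cost below the assumed minimum
])

if __name__ == "__main__":
    for number, problems in check_password_file(SAMPLE).items():
        print(f"line {number}: " + "; ".join(problems))
```

Run it against the contents of `password.db` (or the `user:hash` value placed in `auth.passwordAuth`) before deploying the chart.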

Hi @heitorrbarros
It is already $2y$. I even tried with the example user and password and the authentication is still not active.

@hdavila146 some steps to help you:

  1. If your load balancer is delivering http to the trino application:
    1.1. Ensure the option coordinatorExtraConfig.http-server.process-forwarded=true is defined.
    1.2. Disable https (server.config.https.enabled=false).
  2. With v0.19.0 of the trinodb chart, you need to fix some inputs in the values.yaml. Fixes:
```yaml
image:
  tag: ""
server:
  workers: 3
  config:
    https: # depends on your load balancer's SSL offload; I suppressed this section because of the explanation in the last topic.
    authenticationType: "PASSWORD"
auth:
  passwordAuth: "XXXX:XXXX"
  refreshPeriod: 1m
additionalConfigProperties:
    - "internal-communication.shared-secret=XXXX"

coordinator:
  # I removed the section `secretMounts:`; it's already built and mounted by the chart -> https://github.com/trinodb/charts/blob/main/charts/trino/templates/deployment-coordinator.yaml#L68
  jvm:
    maxHeapSize: "8G"
worker:
  jvm:
    maxHeapSize: "8G"
service:
  type: "NodePort"
  port: 8080
ingress:
  enabled: true
  className: ""
  annotations:
    kubernetes.io/ingress.class: "nginx"
  hosts:
  - host: somedomain.com
    paths:
       - backend:
          service:
            name: trino-cluster
            port:
              number: 8080
         path: /
         pathType: Prefix
  - http:
    paths:
       - backend:
          service:
            name: trino-cluster
            port:
              number: 8080
         path: /*
         pathType: ImplementationSpecific
  tls:
  - hosts:
    -  somedomain.com
    secretName: secret-tls
```

PS: What version of the chart are you using?

Thanks @heitorrbarros, it works. I use the last version v0.19.0 and this is what I did:
1.1. Ensure the option coordinatorExtraConfig.http-server.process-forwarded=true is defined, as
coordinatorExtraConfig: "http-server.process-forwarded=true"
1.2. Disable https (server.config.https.enabled=false).
1.3. Remove the secret volume that is not needed.

This was already fixed.