
Riley Hun

11/24/2020, 8:25 AM
Hi everyone, I'm using the newly announced k8s helm chart, which is awesome by the way! I'm trying to add basic authentication to the apollo server to protect it through an nginx controller on kubernetes. But now the "server cannot be reached". Could anyone please kindly offer up any insight on this? Would be most appreciated! The other alternative I could look into is making the apollo server an internal load balancer which I'll try next.

Joël Luijmes

11/24/2020, 10:14 AM
How did you add the basic authentication? One possible thing you could run into is that by protecting your app, the Kubernetes readiness/liveness probes fail (they also get the same 403). Thus, Kubernetes won’t serve the app, giving you a “500 ish server cannot be reached.” If you run into this, unprotect the route for Kubernetes health checks. If not, I wouldn’t know, but it might help if you share your modifications.

Riley Hun

11/24/2020, 4:37 PM
Hi @Joël Luijmes, Thanks for your response. I can try this. I'm using an nginx-controller and ingress separate from the helm config. Ex.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prefect-gke-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - admin'
spec:
  rules:
    - http:
       paths:
         - path: /
           backend:
             serviceName: prefect-gke-ui
             servicePort: 80
         - path: /graphql
           backend:
             serviceName: prefect-gke-apollo
             servicePort: 4200

Joël Luijmes

11/24/2020, 6:15 PM
Ah okay, I wasn’t aware of the Kubernetes ingress with nginx. Then you probably wouldn’t run into that issue. To troubleshoot, it usually helps me to describe the different resources; it could still be that your app is not healthy for some other reason?

Riley Hun

11/24/2020, 7:42 PM
I can confirm that the application is healthy. I'm not a security engineer so this is all quite frustrating to me. I don't think nginx-ingress is the right approach. Investigating alternatives