HAL on OpenShift #708
HAL on OpenShift #708
Conversation
| . Open https://hal.github.io/console | ||
| . Add a management interface to the public route: | ||
| + | ||
| Give an arbitrary name, select *https* as scheme, enter the hostname of the public route _without_ https and port *80*: |
There was a problem hiding this comment.
When I do this and click on Ping, nothing happens. Is it normal?
There was a problem hiding this comment.
Normally that should show the browser login modal and prompt for the username and password. Somehow this does not work for OpenShift. But you are able to login anyway, aren't you?
| + | ||
| image::hal/add-management-interface.png[Add management interface] | ||
| . Click *Add* and then *Connect* | ||
| . Login using `admin:admin` |
There was a problem hiding this comment.
When I did this to connect to the deployment created with ocnew-app quay.io/halconsole/wildfly, I got the error:
Status 401 - Unauthorized.
The management console could not be loaded.
If you changed your access control provider to RBAC, make sure that your configuration has current user mapped to one of the RBAC roles, preferably with at least one in the Administrator or SuperUser role.
If you have started with one of the standard xml configurations shipped with WildFly, the "$local" user should be mapped to the "SuperUser" role and the "local" authentication scheme should be enabled. This should allow a user running the CLI on the same system as the WildFly process to have full administrative permissions. Remote CLI users and web-based admin console users will have no permissions.
You should map at least one user besides "$local". Try to use CLI or shut the installation down and edit the xml configuration.
That seems weird as I was able to connect as admin:admin on the local HAL console.
There was a problem hiding this comment.
Does a browser refresh or private mode help?
There was a problem hiding this comment.
I just tried to reproduce that. This is what I did:
- Create the app
oc new-app quay.io/halconsole/wildfly
oc create route edge --service wildfly --port 9990
- Open https://hal.github.io/console
- Add the management interface. Please make sure to use port 80.
- Connect and login using
admin:admin
There was a problem hiding this comment.
weird, it still fails for me.
I thought that was due to the /core-service=management/management-interface=http-interface:list-add(name=allowed-origins,value=https://<hostname>) on my deployment but even with a fresh deployment it fails (using Chrome incognito mode)
|
@hpehl This goes beyond what you are doing in this example but there are a few things to keep in mind:
|
|
Thanks for the feedback @jmesnil. I think it makes sense to add some of your comments as "Things to keep in mind" in the post. |
There was a problem hiding this comment.
/lgtm thanks
On the limitations, I wrote down some notes at jboss-dockerfiles/wildfly#237 (comment) to make the configuration persistent (and still configurable at runtime for the route host)
| The console uses the https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API[fetch API] to talk to the management interface of a running WildFly instance. In an OpenShift environment, the origins of the public route and the management interface itself are different. That's why we need to tell WildFly that it is ok to make requests to the management interface from another origin (see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS[CORS policies] for more details). | ||
|
|
||
| You can build such an image on your own based on the official WildFly images available at https://quay.io/repository/wildfly/wildfly[quay.io/wildfly/wildfly] (see "Extending the image"). Another way is to use the pre-built images from https://quay.io/repository/halconsole/wildfly[quay.io/halconsole/wildfly]. These images are mainly meant for HAL development and testing but already meet these requirements, which makes them suitable for our use case. In particular the images add a management user `admin:admin` and have a list of preconfigured allowed origins. | ||
|
|
There was a problem hiding this comment.
Perhaps a WARNING admonition block saying this preconfigured admin:admin setup is for development purposes or something? I'd be concerned if people start running this in production and relying only on allowed-origins to control access.
|
|
||
| * Changing the management configuration of a pod is an antipattern as it will not outlive a pod restart. At that point, you'll have to reconfigure the allowed origin. | ||
| * With a route, you are accessing pods behind a service. If your deployments have multiple pods, it's complex and hacky to access a specific pod or configure all pods. | ||
|
|
There was a problem hiding this comment.
Please add something about not using admin:admin in an insecure environment.
|
Thanks for the feedback @bstansberry |
|
|
||
| You can build such an image on your own based on the official WildFly images available at https://quay.io/repository/wildfly/wildfly[quay.io/wildfly/wildfly] (see "Extending the image"). Another way is to use the pre-built images from https://quay.io/repository/halconsole/wildfly[quay.io/halconsole/wildfly]. These images are mainly meant for HAL development and testing but already meet these requirements, which makes them suitable for our use case. In particular the images add a management user `admin:admin` and have a list of preconfigured allowed origins. | ||
|
|
||
| WARNING: The additions in the https://quay.io/repository/halconsole/wildfly[quay.io/halconsole/wildfly] images are only meant for development and testing purposes. Please do not rely on the management user `admin:admin` or the preconfigured allowed origins. It is strongly recommended not to use that in production! |
There was a problem hiding this comment.
s/It is strongly recommend not to use/Do not use/g
Probably in bold.
|
Ok, got it 😉 I rephrased the warning and "Things to keep in mind" section to make it unmistakable to not use it in production. |
Blog post about how to access the management console for WildFly instances running on OpenShift.
Preview: https://hpehl.github.io/wildfly.org/news/2024/12/18/Management-Console-on-OpenShift/