DependencyTrack/helm-charts

Can't log in to frontend (405 Not Allowed)

Closed this issue · 6 comments

Hi,

In production I am not able to connect to the frontend with the default credentials. PFB details.

Ingress for frontend

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: "dependency-track"
    meta.helm.sh/release-namespace: "dependency-track"
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
  generation: 1
  labels:
    app: "dependency-track"
    app.kubernetes.io/instance: "dependency-track"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: "dependency-track"
    helm.sh/chart: platform-0.1.0
  name: "dependency-track"
  namespace: "dependency-track"
spec:
  ingressClassName: nginx
  rules:
  - host: "dependency-track.private.***.com"
    http:
      paths:
      - backend:
          service:
            name: dependency-track-frontend
            port:
              number: 8080
        path: /(.*)
        pathType: ImplementationSpecific
  tls:
  - secretName: private.***.com
status:
  loadBalancer:
    ingress:
    - ip: ******
```

Ingress for apiserver

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: "dependency-track-api"
    meta.helm.sh/release-namespace: "dependency-track"
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
  generation: 1
  labels:
    app: "dependency-track"
    app.kubernetes.io/instance: "dependency-track"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: "dependency-track-api"
    helm.sh/chart: platform-0.1.0
  name: "dependency-track-api"
  namespace: "dependency-track"
spec:
  ingressClassName: nginx
  rules:
  - host: "dependency-track-api.private.***.com"
    http:
      paths:
      - backend:
          service:
            name: dependency-track-api-server
            port:
              number: 8080
        path: /(.*)
        pathType: ImplementationSpecific
  tls:
  - secretName: private.***.com
status:
  loadBalancer:
    ingress:
    - ip: *********
```

Values.yaml

```yaml
apiServer:
  resources:
    requests:
      cpu: "2"
      memory: "4Gi"
    limits:
      cpu: "2"
      memory: "4Gi"
  persistentVolume:
    enabled: true
    size: 30Gi
  nodeSelector:
    agentpool: npuser3
    kubernetes.io/os: linux
  extraEnv:
    ALPINE_DATABASE_MODE: "external"
    ALPINE_DATABASE_URL: "jdbc:sqlserver://.database.windows.net:1433;databaseName=SBOM;sendStringParametersAsUnicode=false;trustServerCertificate=false"
    ALPINE_DATABASE_DRIVER: "com.microsoft.sqlserver.jdbc.SQLServerDriver"
    ALPINE_DATABASE_USERNAME: "admin@"
    ALPINE_DATABASE_PASSWORD: '#{databasePassword}'
    SYSTEM_REQUIREMENT_CHECK_ENABLED: "false"
  initContainers:
  - name: fix-permissions
    image: docker.io/library/busybox
    command:
    - sh
    - -c
    - |
      chown -R 1000:1000 /data
    volumeMounts:
    - name: data
      mountPath: /data
    securityContext:
      capabilities:
        add:
        - CHOWN
      runAsNonRoot: false
      runAsUser: 0
      seccompProfile:
        type: RuntimeDefault

frontend:
  apiBaseUrl: 'https://dependency-track-api.****.com/'
```

Error Info

```
nginx-ingress-nginx-controller-68466c9758-4mmm5:/etc/nginx$ curl -vlk https://dependency-track.private.***.com/api/v1/user/login -d "username=admin&password=admin"
*   Trying 10.100.72.4:443...
* Connected to dependency-track.private.***.com (10.100.72.4) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Apr 16 13:20:50 2024 GMT
*  expire date: Apr 16 13:20:50 2025 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: POST]
* h2h3 [:path: /api/v1/user/login]
* h2h3 [:scheme: https]
* h2h3 [:authority: dependency-track.private.***.com]
* h2h3 [user-agent: curl/7.87.0]
* h2h3 [accept: */*]
* h2h3 [content-length: 29]
* h2h3 [content-type: application/x-www-form-urlencoded]
* Using Stream ID: 1 (easy handle 0x44121551800)
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
> POST /api/v1/user/login HTTP/2
> Host: dependency-track.private.***.com
> user-agent: curl/7.87.0
> accept: */*
> content-length: 29
> content-type: application/x-www-form-urlencoded
>
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* We are completely uploaded and fine
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 405
< date: Mon, 27 May 2024 12:51:00 GMT
< content-type: text/html
< content-length: 157
< strict-transport-security: max-age=15724800; includeSubDomains
<
<title>405 Not Allowed</title>
405 Not Allowed
nginx/1.25.5
* Connection #0 to host dependency-track.private.***.com left intact
```

api server webpage

Frontend webpage

You have a few options in your ingress (i.e. nginx.ingress.kubernetes.io/rewrite-target) that will affect how request paths are forwarded to the pod.

If you're getting a 405 you're hitting the wrong endpoint on the API server. For reference, when you click Login, a POST request is sent to /api/v1/user/login on the API server.

You'll need to debug if and where path segments are dropped or added. I can't help with that, and this is not an issue with the Helm chart.
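The routing question raised above can be traced offline before touching the cluster. The following is an added example, not part of the original thread or of the Helm chart: a simplified model of how a regex path plus `rewrite-target` maps a request to a backend Service and upstream path. The `route` and `explain` helpers and the `/api/(.*)` rule are hypothetical; the other two rules are constructed from the Ingress objects posted in the issue.

```python
import re

# Constructed from the two Ingress objects posted in this issue (hosts redacted as on the page).
FRONTEND_HOST = "dependency-track.private.***.com"
API_HOST = "dependency-track-api.private.***.com"
POSTED_RULES = [
    {"host": FRONTEND_HOST, "path": "/(.*)", "rewrite": "/$1",
     "service": "dependency-track-frontend"},
    {"host": API_HOST, "path": "/(.*)", "rewrite": "/$1",
     "service": "dependency-track-api-server"},
]
# Hypothetical rule (not from the issue): a prefix outside the capture group is dropped.
PREFIX_RULE = [{"host": FRONTEND_HOST, "path": "/api/(.*)", "rewrite": "/$1",
                "service": "dependency-track-api-server"}]


def route(rules, host, path):
    """Return (service, upstream_path) for a request, or None if no rule matches.

    Simplified model: the first rule whose host equals the request host and whose
    regex matches from the start of the path wins; $N in the rewrite target is
    replaced by capture group N.
    """
    for rule in rules:
        if rule["host"] != host:
            continue
        match = re.match(rule["path"], path, re.IGNORECASE)
        if match is None:
            continue
        upstream = rule["rewrite"]
        # Substitute highest-numbered groups first so $10 is not read as $1.
        for n in range(len(match.groups()), 0, -1):
            upstream = upstream.replace(f"${n}", match.group(n) or "")
        return rule["service"], upstream
    return None


def explain(rules, host, path):
    """One-line summary of where a request ends up."""
    hit = route(rules, host, path)
    if hit is None:
        return f"{host}{path} -> no matching rule"
    return f"{host}{path} -> {hit[0]} {hit[1]}"


if __name__ == "__main__":
    login = "/api/v1/user/login"
    print(explain(POSTED_RULES, FRONTEND_HOST, login))  # lands on the frontend Service
    print(explain(POSTED_RULES, API_HOST, login))       # lands on the API server
    print(explain(PREFIX_RULE, FRONTEND_HOST, login))   # /api prefix is lost
```

With the posted rules, the `curl` target from the issue (frontend host, `/api/v1/user/login`) resolves to `dependency-track-frontend` with the path unchanged, so the POST never reaches `dependency-track-api-server`.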

@nscuro: Thanks for letting me know. I will try to modify the rewrite targets and path prefix accordingly. In the below snapshot of the frontend login page, when I tried logging in manually with the default credentials, it is throwing an error with a 304 error. Is there any variable that needs to be set for the frontend in values.yaml, or is there any port conflict, given that both the frontend and the API server are using 8080?

```
ubuntu@NARU-Pr5530:~/sbom$ kubectl logs dependency-track-frontend-54b75f9644-7m7fk -n dependency-track |tail -10
10.100.0.172 - - [27/May/2024:13:31:26 +0000] "GET / HTTP/1.1" 200 6702 "-" "kube-probe/1.29" "-"
10.100.0.172 - - [27/May/2024:13:31:26 +0000] "GET / HTTP/1.1" 200 6702 "-" "kube-probe/1.29" "-"
10.100.0.172 - - [27/May/2024:13:31:41 +0000] "GET / HTTP/1.1" 200 6702 "-" "kube-probe/1.29" "-"
10.100.0.172 - - [27/May/2024:13:31:41 +0000] "GET / HTTP/1.1" 200 6702 "-" "kube-probe/1.29" "-"
10.100.0.172 - - [27/May/2024:13:31:56 +0000] "GET / HTTP/1.1" 200 6702 "-" "kube-probe/1.29" "-"
10.100.0.172 - - [27/May/2024:13:31:56 +0000] "GET / HTTP/1.1" 200 6702 "-" "kube-probe/1.29" "-"
10.100.0.105 - - [27/May/2024:13:32:05 +0000] "GET /login?redirect=%2Fdashboard HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0" "172.20.30.24"
10.100.0.105 - - [27/May/2024:13:32:05 +0000] "GET /static/config.json HTTP/1.1" 304 0 "https://dependency-track.private.*****.com/login?redirect=%2Fdashboard" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0" "172.20.30.24"
10.100.0.172 - - [27/May/2024:13:32:11 +0000] "GET / HTTP/1.1" 200 6702 "-" "kube-probe/1.29" "-"
10.100.0.172 - - [27/May/2024:13:32:11 +0000] "GET / HTTP/1.1" 200 6702 "-" "kube-probe/1.29" "-"
```

@nscuro: I was able to fix the ingress issue and am now able to reach the login API with the default credentials. Thanks.

Please share how exactly you solved this problem, because I faced the same thing.

@WantDead: I tried the below in values.yaml and it worked as expected for me.

```yaml
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/client-max-body-size: 5m
    nginx.ingress.kubernetes.io/proxy-body-size: 5m
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
  hostname: "dependency-track.*****.com"
  ingressClassName: "nginx"
  tls:
  - secretName: ****.com
    hosts:
    - "dependency-track.****.com"
```

thanks, dude