jaegertracing/helm-charts

[Bug]: jaeger query oauth2-proxy sidecar issues with config

Harphies opened this issue · 1 comments

What happened?

The oauth2-proxy sidecar doesn't work out of the box with the configmap volume mount.

It needs this -

args:
- --config=/etc/oauth2-proxy/oauth2-proxy.cfg

Steps to reproduce

Enable the Oauth proxy and you get the error.
query:
oAuthSidecar:
enabled: true

Expected behavior

The config should be passed to the config arguments of oauth-proxy container image.

Relevant log output

No response

Screenshot

No response

Additional context

No response

Jaeger backend version

v1.51.0

SDK

No response

Pipeline

No response

Stogage backend

No response

Operating system

No response

Deployment model

No response

Deployment configs

No response

This is correct. We got it to work using this modification to the values.yaml, a separate config of our own, and another template in an wrapper chart where we have it set up to use keycloak at a and jaeger at a path "https:\subdomain.domain\jaeger"

I am only adding all of this in case someone doing an update wants to add a few new features along with the fix.

query:
   agentSidecar:
     enabled: false
   # -- This should start with a /
   basePath: /jaeger
   # -- As of version 0.71.14, jaeger query only works on port 16686
   service:
     port: 16686
   oAuthSidecar:
     enabled: false
     # -- Use redis as session store instead of cookies (see [Troubleshooting](#Troubleshooting) section)
     redisSessions: false
     oauthSecretName: ""
     config: false
     pullPolicy: IfNotPresent
     containerPort: 4180
     args:
       - --config
       - /etc/oauth2-proxy/jaeger.conf
       - show-debug-on-error=true
     extraConfigmapMounts:
       - name: oauth2-proxyconfig
         configMap: 'jaeger.conf'
         mountPath: '/etc/oauth2-proxy'
     # -- Keycloak values for oAuth integration/deployment
     keycloak:
       # -- Realm for keycloak, required Value if using oAuthSidecar
       realm: ""
       # -- ClientID for keycloak, required Value if using oAuthSidecar
       clientID: ""
       # -- ClientSecret for Keycloak, required Value if using oAuthSidecar
       clientSecret: ""
       # -- CookieSecure - boolean value that is required for the cookie secret
       cookieSecure: false
       # -- CookieSecret - required if cookieSecure is true
       cookieSecret: "SECRETSECRETSECR"
       # -- Location of URL for keycloak instance, required value if using oAuthSidecar
       url: ""
       # -- emailDomain for Keycloak, required value
       emailDomain: "*"

jaeger-tracing\templates\configmap.yaml

{{- if .Values.jaeger.query.oAuthSidecar.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: "jaeger.conf"
data:
  jaeger.conf: |-
{{ tpl (.Files.Get "config/jaegerConf.yaml") . | indent 4  }}
{{- end }}

jaeger-tracing\config\jaegerConf.yaml

{{- $redisURL := (include "site.com/common/serviceDiscovery/url/redis" .) -}}
{{- $oauthSidecar := default (dict) .Values.jaeger.query.oAuthSidecar -}}
{{- $oauthSecretName := default "" (include "site.com/common/util/tpl" (dict "root" . "value"  $oauthSidecar.oauthSecretName) )  -}}
{{- $secret_url := "" }}
{{- $secret_clientId :=  ""}}
{{- $secret_clientSecret := "" }}
{{- if $oauthSecretName -}}
  {{ $secret :=  (lookup "v1" "Secret" .Release.Namespace $oauthSecretName).data }}
    {{- if $secret }}
      {{- $secret_url =  $secret.baseUrl  | b64dec }}
      {{- $secret_clientId =  $secret.clientId  | b64dec }}
      {{- $secret_clientSecret =  $secret.clientSecret | b64dec }}
    {{- end -}}
{{- end -}}

{{- $url := .Values.jaeger.query.oAuthSidecar.keycloak.url -}}
{{- $realm := .Values.jaeger.query.oAuthSidecar.keycloak.realm -}}
{{- $endpoint := "" -}}
{{- if and $url $realm -}}
  {{- $endpoint = ( printf "https://%s/realms/%s" $url $realm ) -}}
{{- end -}}

{{- $clientId := .Values.jaeger.query.oAuthSidecar.keycloak.clientID -}}
{{- $clientSecret := .Values.jaeger.query.oAuthSidecar.keycloak.clientSecret -}}
{{- $emailDomain := .Values.jaeger.query.oAuthSidecar.keycloak.emailDomain -}}

{{- $keyCloak_url := required "Keycloak endpoint is required" (default $secret_url $endpoint) -}}
{{- $keyCloak_clientId := required "Keycloak ClientID is required" (default $secret_clientId $clientId) -}}
{{- $keyCloak_clientSecret := required "Keycloak clientSecret is required" (default $secret_clientSecret $clientSecret) -}}

provider = "oidc"
http_address = "0.0.0.0:4180"
oidc_issuer_url = "{{ $keyCloak_url }}"
client_id = "{{ $keyCloak_clientId }}"
client_secret = "{{ $keyCloak_clientSecret }}"
cookie_secret = "{{ .Values.jaeger.query.oAuthSidecar.keycloak.cookieSecret }}"
cookie_secure = {{ .Values.jaeger.query.oAuthSidecar.keycloak.cookieSecure }}
login_url = "{{ printf "%s/protocol/openid-connect/auth" $keyCloak_url }}"
redeem_url = "{{ printf "%s/protocol/openid-connect/token" $keyCloak_url }}"
validate_url = "{{ printf "%s/protocol/openid-connect/userinfo" $keyCloak_url  }}"
redirect_url = "{{ .Values.jaeger.query.basePath }}/oauth2/callback"
{{- if $emailDomain }}
email_domains = [{{ $emailDomain | quote }}]
{{- end }}
ssl_upstream_insecure_skip_verify = true
ssl_insecure_skip_verify = true
upstreams = ["http://localhost:16686"]
skip_provider_button = true
insecure_oidc_allow_unverified_email = true
proxy_prefix = "{{ .Values.jaeger.query.basePath }}/oauth2"
cookie_path = "{{ .Values.jaeger.query.basePath }}"
{{- if $oauthSidecar.redisSessions }}
session_store_type = "redis"
redis_connection_url = "{{ $redisURL }}"
{{- end }}