
Provide a way to change the host used for endpoints #1785

Open
shanedell opened this issue Nov 25, 2024 · 7 comments

Comments

@shanedell

Issue

When following Contributing.md, once you get to running the CLI, issues come up. This is due to everything running in docker, so it is trying to use the keycloak docker service as a host. However, if you don't have access to the opentdf_platform network and are running another docker container, the host cannot be accessed.


Possible fix

To get around this error I believe the SDK could be updated to allow overriding the host if specified. Meaning, for example, the CLI can make a new flag --endpoint-host that is passed to the New function for the SDK. Then the host is replaced with that value, or if it's the same, do nothing.


Steps to reproduce

Standup platform

git clone https://github.com/opentdf/platform.git
cd platform

./.github/scripts/init-temp-keys.sh -o kas-keys

docker-compose up -d --wait

cp opentdf-example.yaml opentdf.yaml

# keycloak data volume was added as the container fails to run without it
docker run --network opentdf_platform \
         -v "$(pwd)/opentdf.yaml:/home/nonroot/.opentdf/opentdf.yaml" \
         -v "$(pwd)/service/cmd/keycloak_data.yaml:/service/cmd/keycloak_data.yaml" \
         -it registry.opentdf.io/platform:nightly provision keycloak -e http://keycloak:8888/auth

docker run --network opentdf_platform \
      -d --name opentdf-platform \
      -p "127.0.0.1:8080:8080" \
      -v "$(pwd)/kas-keys/:/keys/" \
      -v "$(pwd)/opentdf.yaml:/home/nonroot/.opentdf/opentdf.yaml" \
      -it registry.opentdf.io/platform:nightly start

cd ../

Try testing with otdfctl

git clone https://github.com/opentdf/otdfctl.git
cd otdfctl

go run main.go auth client-credentials --host http://localhost:8080 opentdf secret

output received from go command:

Validating client credentials for http://localhost:8080... failed
   ERROR    An error occurred during login. Please check your credentials and try again: Get "http://keycloak:8888/auth/realms/opentdf/.well-known/openid-configuration": dial tcp: lookup keycloak: no such host
exit status 1
shanedell added a commit to shanedell/opentdf-platform that referenced this issue Dec 3, 2024
- Update docker command to volume in keycloak_data.yaml.
  - Command fails to run if this file isn't present.
- Update otdfctl client-credentials command.
- Created issue opentdf#1785, that came up when testing this documentation.
  - Specifically, when the otdfctl command tries to run it fails due to it looking for the keycloak host instead of localhost.
shanedell added a commit to shanedell/opentdf-platform that referenced this issue Dec 4, 2024
- Update docker command to volume in keycloak_data.yaml.
  - Command fails to run if this file isn't present.
- Update otdfctl client-credentials command.
- Created issue opentdf#1785, that came up when testing this documentation.
  - Specifically, when the otdfctl command tries to run it fails due to it looking for the keycloak host instead of localhost.
@shanedell
Author

shanedell commented Dec 4, 2024

I believe this would also be needed in the case of deploying the platform via a server in a cloud or on-premises but trying to use the CLI or perhaps the SDK locally on a laptop. @dmihalcik-virtru @jakedoublev, is this type of connection currently supported? Or is only using localhost and/or the keycloak docker service host currently supported?

@jakedoublev
Contributor

Hi @shanedell. Apologies, but I'm not totally sure I'm following.

If you replace all references to keycloak:8888 with localhost:8888, do you have success (including in your opentdf.yaml config file)?

The CLI (otdfctl) is more or less a wrapper around the Go SDK that makes gRPC requests as a Client, but any interactions it has with keycloak are driven by values exposed by the platform's well-known configuration (http://localhost:8080/.well-known/opentdf-configuration). Keycloak is used as a reference implementation integration with an identityProvider, but the platform is intended to be pluggable with different idPs.

@shanedell
Author

shanedell commented Dec 4, 2024

@jakedoublev If I change the instances of keycloak inside of opentdf.yaml to localhost the platform container is not able to run:

time=2024-12-04T22:52:57.158Z level=ERROR msg="issue creating opentdf server" error="failed to create authentication interceptor: Get \"http://localhost:8888/auth/realms/opentdf/.well-known/openid-configuration\": dial tcp [::1]:8888: connect: connection refused"
Error: issue creating opentdf server: failed to create authentication interceptor: Get "http://localhost:8888/auth/realms/opentdf/.well-known/openid-configuration": dial tcp [::1]:8888: connect: connection refused
time=2024-12-04T22:52:57.158Z level=ERROR msg="issue starting opentdf" error="issue creating opentdf server: failed to create authentication interceptor: Get \"http://localhost:8888/auth/realms/opentdf/.well-known/openid-configuration\": dial tcp [::1]:8888: connect: connection refused"

To try to work around this, the --network flag value can be changed to host, but this causes the port not to be publishable, and I believe this is also insecure. So, when doing it fully containerized, it seems the keycloak docker service has to be used in the opentdf.yaml or it doesn't work. Changing keycloak to localhost after the platform is up doesn't resolve anything either.

Basically, once everything is up and running it seems there is no way to connect with the CLI; the only way I can think of it working is running the CLI in a docker container that joins the docker network opentdf_network. This would also be the same for the SDK, since to be able to access host keycloak for anything it would need to be connected to the docker network opentdf_network. But I assumed I should be able to run the CLI directly from my machine and be able to hit the platform, or be able to connect to the SDK, without that client necessarily being containerized.

However, when running the platform via: go run github.com/opentdf/platform/service start and not inside of docker then everything seems to function perfectly fine.


The comment I left is about connecting a client to a remote server instead of the same machine, for example:

Mac (otdfctl/sdk) -> Linux VM in Digital Ocean (platform)

Is that supported or not currently?

shanedell added a commit to shanedell/opentdf-platform that referenced this issue Dec 4, 2024
- Update docker command to volume in keycloak_data.yaml.
  - Command fails to run if this file isn't present.
- Update otdfctl client-credentials command.
- Created issue opentdf#1785, that came up when testing this documentation.
  - Specifically, when the otdfctl command tries to run it fails due to it looking for the keycloak host instead of localhost.
- Add --rm to bootstrap keycloak command so no hanging container is leftover.
@shanedell
Author

@jakedoublev Pinging here in case there are some ideas on what I should try to fix my issue and/or info on remote connections.

@strantalis
Member

@shanedell I think the issue is that keycloak is setting the issuer to http://keycloak:8888. But that hostname is not resolvable outside the docker network. I think in keycloak v25 or v26 you can now have keycloak use an internal URL, while frontend clients can access it on the one that's exposed.

https://www.keycloak.org/server/hostname#_utilizing_an_internal_url_for_communication_among_clients

@shanedell
Author

@jakedoublev @strantalis I am still having trouble with this. @strantalis I am not sure how to use the link you provided to solve the issue I am facing. The error is also a bit different when running a different command on Linux, since you need to use --with-client-creds or --with-client-creds-file. When running:

otdfctl policy attributes list --host http://localhost:8080 --with-client-creds-file ./creds.json

I get this error

ERROR    Failed to authenticate with flag-provided client credentials.: Get "http://keycloak:8888/auth/realms/opentdf/.well-known/openid-configuration": dial tcp: lookup keycloak on 127.0.0.53:53: server misbehaving

@shanedell
Author

Now if I add these to the docker-compose.yaml:

- "--hostname=http://localhost:8888"
- "--hostname-backchannel-dynamic=true"

For keycloak I get further but then get this:

ERROR    Failed to authenticate with flag-provided client credentials.: invalid character '<' looking for beginning of value

When running:

otdfctl --host http://localhost:8080 --with-client-creds-file ./creds.json policy attributes list
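The two failures in this thread are both produced by the OIDC discovery step: first "lookup keycloak: no such host" (the issuer the IdP advertises is a Docker service name the client cannot resolve), then, after the Keycloak hostname change, "invalid character '<' looking for beginning of value" (the discovery URL answered with an HTML page instead of JSON). The following Go program is an added diagnostic example, not code from otdfctl, the OpenTDF SDK or the platform: it fetches and parses a discovery document, turns the raw JSON error into a readable diagnosis, and flags an issuer host that differs from the host the client actually used. The discovery documents it serves are constructed in-process with httptest; the issuer/platform URLs and the `Discovery` struct are assumptions for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Discovery holds the fields of an OpenID Provider discovery document
// (.well-known/openid-configuration) that matter for this diagnosis.
type Discovery struct {
	Issuer        string `json:"issuer"`
	TokenEndpoint string `json:"token_endpoint"`
	JWKSURI       string `json:"jwks_uri"`
}

// ErrNotJSON marks a discovery response that is not a JSON object (typically an
// HTML landing, login or proxy-error page). encoding/json reports this only as
// "invalid character '<' looking for beginning of value".
var ErrNotJSON = errors.New("discovery endpoint did not return a JSON document")

// ParseDiscovery decodes a discovery document, giving a readable error when the
// body is not JSON at all.
func ParseDiscovery(body []byte) (Discovery, error) {
	var d Discovery
	trimmed := bytes.TrimSpace(body)
	if len(trimmed) == 0 || trimmed[0] != '{' {
		preview := string(trimmed)
		if len(preview) > 40 {
			preview = preview[:40] + "..."
		}
		return d, fmt.Errorf("%w: body starts with %q (check that the base URL points at the realm, not a web page)", ErrNotJSON, preview)
	}
	if err := json.Unmarshal(trimmed, &d); err != nil {
		return d, fmt.Errorf("decoding discovery document: %w", err)
	}
	if d.Issuer == "" {
		return d, errors.New("discovery document has no issuer")
	}
	return d, nil
}

// IssuerWarnings compares the issuer the IdP advertises with the URL the client
// used to reach the platform and explains why a later token request may fail.
func IssuerWarnings(issuer, platformURL string) []string {
	var warns []string
	iu, err := url.Parse(issuer)
	if err != nil || iu.Host == "" {
		return []string{fmt.Sprintf("issuer %q is not an absolute URL", issuer)}
	}
	pu, err := url.Parse(platformURL)
	if err != nil || pu.Host == "" {
		return []string{fmt.Sprintf("platform URL %q is not an absolute URL", platformURL)}
	}
	ih := iu.Hostname()
	// A single-label hostname other than localhost is usually a Docker Compose
	// service name, which resolves only inside that Docker network.
	if !strings.Contains(ih, ".") && ih != "localhost" {
		warns = append(warns, fmt.Sprintf("issuer host %q looks like a container service name; it will not resolve outside the Docker network", ih))
	}
	if ih != pu.Hostname() {
		warns = append(warns, fmt.Sprintf("issuer host %q differs from platform host %q; a client that reached the platform may not reach the IdP", ih, pu.Hostname()))
	}
	return warns
}

// FetchDiscovery GETs <issuerBase>/.well-known/openid-configuration and parses it.
func FetchDiscovery(client *http.Client, issuerBase string) (Discovery, error) {
	u := strings.TrimRight(issuerBase, "/") + "/.well-known/openid-configuration"
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return Discovery{}, err
	}
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return Discovery{}, fmt.Errorf("fetching %s: %w", u, err)
	}
	defer resp.Body.Close()
	var buf bytes.Buffer
	if _, err := buf.ReadFrom(resp.Body); err != nil {
		return Discovery{}, err
	}
	if resp.StatusCode != http.StatusOK {
		return Discovery{}, fmt.Errorf("%s returned HTTP %d", u, resp.StatusCode)
	}
	return ParseDiscovery(buf.Bytes())
}

// Constructed sample responses (not captured from a real Keycloak instance).
const sampleJSON = `{"issuer":"http://keycloak:8888/auth/realms/opentdf",
 "token_endpoint":"http://keycloak:8888/auth/realms/opentdf/protocol/openid-connect/token",
 "jwks_uri":"http://keycloak:8888/auth/realms/opentdf/protocol/openid-connect/certs"}`
const sampleHTML = `<!DOCTYPE html><html><body>Welcome</body></html>`

func main() {
	// Two in-process servers: one serves a discovery document whose issuer is a
	// Docker service name, the other serves an HTML page at the same path.
	good := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write([]byte(sampleJSON))
	}))
	defer good.Close()
	bad := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "text/html")
		_, _ = w.Write([]byte(sampleHTML))
	}))
	defer bad.Close()

	d, err := FetchDiscovery(good.Client(), good.URL)
	fmt.Println("issuer:", d.Issuer, "err:", err)
	for _, w := range IssuerWarnings(d.Issuer, "http://localhost:8080") {
		fmt.Println("warning:", w)
	}
	_, err = FetchDiscovery(bad.Client(), bad.URL)
	fmt.Println("html server:", err)
}
```

Run against a real deployment by replacing `good.URL` with the realm base URL the platform's well-known configuration advertises; an issuer warning means the Keycloak frontend hostname (the `--hostname` setting referenced above) needs to be one the client can resolve, and an ErrNotJSON error means the URL being fetched is a web page rather than the realm's discovery endpoint.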

3 participants