
Compatibility with Kubernetes

Open kmjayadeep opened this issue 2 years ago • 4 comments

Describe the bug

First of all, thank you for the amazing project!

I've been trying to get this working on my homelab Kubernetes cluster. I ran into various issues and couldn't get it to a fully stable and working condition. I managed to fix a few of them by writing a separate Dockerfile and customizing the entrypoint, but some issues require understanding of the codebase, and that's where I am stuck.

Please find the Kubernetes manifests and updated Dockerfile for reference. Below are the issues I ran into.

1. Support for PostgreSQL database

The given Docker image in the repo doesn't contain the php81-pgsql and php81-pdo_pgsql packages, which are required for Laravel to connect to PostgreSQL. I have added them here. I also had to run CREATE COLLATION nocase (LOCALE = 'en_US.utf8'); in the PostgreSQL database to make it work. I'm planning to run two instances of the app in two separate clusters (private and public), so it is important to have an external database instead of SQLite. I already have a PostgreSQL cluster with replication and backups, so it makes sense to reuse the same for 2FAuth as well.

I'm not sure if I will bump into any other issues with Postgres. It would be nice to have it better documented.

2. Persistent database

The default Docker image was wiping my whole data in the db whenever the container was restarted. This is due to the command php artisan migrate:refresh in the entrypoint. I don't understand the reason to run this in the container other than during the development phase. This is one of the reasons why I had to customize the entrypoint.sh.

3. Passport keys

Passport private and public keys were getting regenerated each time the container restarts. It means I lose access each time the container restarts. Running php artisan passport:keys separately and mounting the generated keys statically into the container fixed this issue. But, since the entrypoint runs the php artisan passport:install command, it creates OAuth clients each time the container is restarted. I had to run the command manually once and remove it from the entrypoint (which is not really a good fix).

4. Shared storage

It would be nice to keep the icons, QR codes etc. in the db or remote storage (S3 for example) rather than local storage. In Kubernetes it is not possible to share storage across pods unless we mount a hostPath or use a storage provisioner with RWX support. I understand that not many users would be interested in this feature though.

5. WebAuthn

Passkeys are not working in my setup. I'm able to register devices and see their credentials in the db. But when I try to log in, it always returns 401 and I'm not able to figure out why. The logs on the server and the HTTP response don't have any useful info to debug further. Does this have something to do with the static keys generated for Passport?


Sorry for the long list. I would love to contribute the Kubernetes manifests and related changes if someone could give me some guidance on whether I'm in the right direction or not. Please let me know if I missed something when running multiple replicas of the app.

kmjayadeep avatar Aug 05 '23 07:08 kmjayadeep

  1. Like for #193, I will add the PostgreSQL drivers.
  2. php artisan migrate:refresh runs only if 2FAuth is not identified as installed (see the condition check at line 29 of the Dockerfile). This is not the expected behavior if your db is rolled back at every container restart. Does the installed file still exist in the \2fauth directory after the container stops?
  3. Same as 2.
  4. Good idea. I mean, at the beginning of 2FAuth I chose to keep it simple, but now it could be a great addition.
  5. I don't think so. Have a look at #117 as a starting point. What is your key model?

Bubka avatar Aug 06 '23 10:08 Bubka
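An added example (not 2FAuth's own Dockerfile or entrypoint) of how the first-run guards discussed in items 2 and 3 and in the reply above can be made idempotent, so that neither migrate:refresh nor passport:install repeats on a restart. It assumes a hypothetical APP_DIR holding an installed marker file and Passport keys under storage/oauth-*.key, both on a persistent volume:

```shell
#!/bin/sh
# Added example, not the project's entrypoint. Hypothetical layout:
#   $APP_DIR/installed                 marker written after first-run setup
#   $APP_DIR/storage/oauth-*.key       Passport key pair
set -eu

APP_DIR="${APP_DIR:-/2fauth}"   # assumed default, override via env

# 0 when first-run setup (migrations, passport:install) has not happened yet.
needs_install() {
  dir="$1"
  [ ! -f "$dir/installed" ]
}

# 0 when the Passport key pair is missing or incomplete and must be generated.
# Regenerating existing keys would invalidate every issued token (item 3).
needs_passport_keys() {
  dir="$1"
  [ ! -s "$dir/storage/oauth-private.key" ] || [ ! -s "$dir/storage/oauth-public.key" ]
}

# Run destructive or client-creating steps only once; forward-only
# migrations are safe to repeat on every start.
first_run() {
  dir="$1"
  if needs_passport_keys "$dir"; then
    php artisan passport:keys
  fi
  if needs_install "$dir"; then
    php artisan migrate --force
    php artisan passport:install     # creates OAuth clients; must not repeat
    : > "$dir/installed"             # marker must live on a persistent volume
  else
    php artisan migrate --force
  fi
}

# Only act when invoked as the container entrypoint ("run"); sourcing the
# file just defines the functions above.
if [ "${1:-}" = "run" ]; then
  first_run "$APP_DIR"
  shift
  exec "$@"
fi
```

If the marker or keys disappear between restarts, the volume is not persistent, which is the symptom described in item 2.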

Also another suggestion: create a healthcheck endpoint for Kubernetes probes. Maybe also add Prometheus metrics?

SimonWoidig avatar Jan 02 '24 09:01 SimonWoidig

> Also another suggestion: create a healthcheck endpoint for Kubernetes probes. Maybe also add Prometheus metrics?

Ideally this would be a /live and a /ready (or similar) endpoint and could be utilized for the Docker healthcheck as well.

danieljkemp avatar Jan 02 '24 13:01 danieljkemp

I have created a new issue to follow/discuss this proposal: #271

Bubka avatar Jan 02 '24 17:01 Bubka