Mongo-express: Support unauthorized liveness/readiness check
I am trying to deploy mongo express to GKE with a GCP Ingress LoadBalancer to make it available to the internet.
In doing so I ran into an issue where all pods are ready, but the LoadBalancer creates its own health check, which supposedly cannot be authenticated. Looking at the generated resources, the liveness & readiness probes seem to require an Authentication header and I assume without it, the health check would fail.
Would it be possible to support a separate health check which does not require any authentication?
Also, are my assumptions correct and do you see another workaround for this issue?
Hi @masus04, I'm not the developer of the application. There is no real healthcheck on it. As soon as you activate basic authentication, you need a password to access it.
As I don't know GCP Ingress LoadBalancer, can you explain to me the link between and the healthcheck used on the pod for liveness/readiness? Is this an Ingress controller or does it implement the LoadBalancer type for Services?
Thank you for the quick reply @sebastien-prudhomme.
The GCE class ingress is an ingress resource that provisions a GCP LoadBalancer outside of Kubernetes. It also has a health check that exists outside of the k8s cluster and performs an unauthenticated GET request to the baseURL of the server and expects an HTTP status of 200. I think the path can be configured, but as far as I know there is no way to pass any headers/authentication.
Is there an alternative to basic auth in order to secure mongo-express?
What you can try is removing basic auth from mongo-express and using an authentication proxy such as https://github.com/oauth2-proxy/oauth2-proxy which forwards traffic to mongo-express. This one has a non-authenticated healthcheck on /ping.
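Added example, not part of the thread or of the chart: one way to wire the oauth2-proxy suggestion above into a GKE Ingress so that the load balancer's unauthenticated health check hits only `/ping`. All resource names, the Secret name and the in-cluster `mongo-express` Service on port 8081 are assumptions.

```yaml
# Added example; all resource names and the Secret are hypothetical.
# GKE health-checks the proxy on /ping; every other path still requires login.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: mongo-express-auth-hc
spec:
  healthCheck:
    type: HTTP
    requestPath: /ping   # oauth2-proxy's unauthenticated endpoint
    port: 4180           # containerPort of the proxy (container-native LB)
---
apiVersion: v1
kind: Service
metadata:
  name: mongo-express-auth
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
    cloud.google.com/backend-config: '{"default": "mongo-express-auth-hc"}'
spec:
  selector: {app: mongo-express-auth}
  ports:
    - port: 80
      targetPort: 4180
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongo-express-auth
spec:
  selector:
    matchLabels: {app: mongo-express-auth}
  template:
    metadata:
      labels: {app: mongo-express-auth}
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy   # pin a release tag or digest
          args:
            - --http-address=0.0.0.0:4180
            - --upstream=http://mongo-express:8081   # assumed in-cluster Service, basic auth off
          envFrom:
            - secretRef: {name: oauth2-proxy-env}    # OAUTH2_PROXY_CLIENT_ID, _CLIENT_SECRET, _COOKIE_SECRET, ...
          ports:
            - containerPort: 4180
          readinessProbe:
            httpGet: {path: /ping, port: 4180}
```

The Ingress backend should reference only `mongo-express-auth`; the `mongo-express` Service itself stays a ClusterIP with no Ingress rule, so the proxy is the only path in.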
@masus04 Should be fixed by this: https://github.com/mongo-express/mongo-express/pull/940
Waiting for a new release of the Docker image
Great @sebastien-prudhomme !
Is there any documentation on how to configure the new feature?
It took time but it's fixed in #634