charts icon indicating copy to clipboard operation
charts copied to clipboard

Published 20 hours ago verified publisher icon cowboysysop

Mongo-express: Support unauthorized liveness/readiness check

Open masus04 opened this issue 2 years ago • 5 comments

I am trying to deploy mongo express to GKE with a GCP Ingress LoadBalancer to make it available to the internet.

In doing so I ran into an issue where all pods are ready, but the LoadBalancer creates its own health check, which supposedly cannot be authenticated. Looking at the generated resources, the liveness & readiness probes seem to require an Authentication header and I assume without it, the health check would fail.

Would it be possible to support a separate health check which does not require any authentication?

Also, are my assumptions correct and do you see another workaround for this issue?

masus04 avatar May 06 '22 15:05 masus04

Hi @masus04, I'm not the developer of the application. There is no real healthcheck on it. As soon as you activate basic authentication, you need a password to access it.

As I don't know GCP Ingress LoadBalancer, can you explain me the link between and the healthcheck used on the pod for liveness/readiness? Is this an Ingress controller or does it implement the LoadBalancer type for Services?

sebastien-prudhomme avatar May 06 '22 19:05 sebastien-prudhomme

Thank you for the quick reply @sebastien-prudhomme.

The CGE class ingress is an ingress resource that provisions a GCP LoadBalancer outside of Kubernetes. It also has a health check that exists outside of the k8s cluster and performs an unauthenticated GET request to the baseURL of the server and expects a HTTPStatus of 200. I think the path can be configured, but as far as i know there is no way to pass any headers/authentication.

Is there an alternative to basic auth in order to secure mongo-express?

masus04 avatar May 06 '22 23:05 masus04

What you can try is removing basic auth from mongo-express and use an authentication proxy such as https://github.com/oauth2-proxy/oauth2-proxy which forward traffic to mongo-express. This one as a non-authenticated healthcheck on /ping.

sebastien-prudhomme avatar May 07 '22 16:05 sebastien-prudhomme

@masus04 Should be fixed by this: https://github.com/mongo-express/mongo-express/pull/940

Waiting for a new release of the Docker image

sebastien-prudhomme avatar Sep 11 '22 09:09 sebastien-prudhomme

Great @sebastien-prudhomme !

Is there any documentation on how to configure the new feature?

masus04 avatar Nov 12 '22 10:11 masus04

It took time but it's fixed in #634

sebastien-prudhomme avatar Apr 09 '24 21:04 sebastien-prudhomme