cvat
cvat copied to clipboard
cvat-ai
Installing cvat by using the official Helm Chart on an Openshift / OKD cluster yields an authorization error
My actions before raising this issue
- [x] Read/searched the docs
- [x] Searched past issues
Current Behaviour
We successfully deployed cvat with the help of the official Helm Chart on our Openshift / OKD cluster, meaning that all the pods are up and running. But after creating and accessing the route, we receive an authorization error as well as a "method not allowed"-error when checking the console:
Possible Solution
Steps to Reproduce (for bugs)
- Deployed cvat by using the official Helm chart following this set of instructions: https://github.com/openvinotoolkit/cvat/tree/develop/helm-chart
- Exposed a route in Openshift in order to access the UI
Context
We tried to switch Ingress on (with the respective parameters) and off in the values.yaml file, but it didn't make a difference. That might be Openshift specific though. Other than that, I don't see anything that I missed so far. I also tried to create a super user which worked by itself, but login in also throws a couple of "method not allowed"-errors.
There aren't any specific messages in the cvat frontend container either.
I'm hitting the same exact error, after installing CVAT to GKE using my own manifests (with the official helm chart as a starting point). Have you had any luck?
I thought maybe it was opa related, but if I exec into the cvat-backend container I can curl $IAM_OPA_DATA_URL no problem.
Any leads debugging this? The symptom is strange.
Personally, I didn't have any luck. This issue has been raised by a lot of people though. Apparently, this can't be fixed currently:
https://github.com/openvinotoolkit/cvat/issues/4718#issuecomment-1166941253
We had to abandon CVAT at this point. Hopefully it will get solved in the future.
@Julian-Marco , contact me on LinkedIn (https://www.linkedin.com/in/nikita-manovich-913b2b88/). I will try to help you.
@Julian-Marco , also the mentioned comment is about CVAT.org. It is a public server. It is out of free disk space.
We found the problem, or at least the solution: adding nginx.ingress.kubernetes.io/use-regex: "true" to the Ingress annotations.
Therefore @Julian-Marco I believe the observed behavior is a symptom of Ingress not working, whether its due to not supporting / not enabling regex in the paths or something else.
Note that your solution is probably different if you are not using nginx-ingress. I'm not sure how ingress works in OpenShift.
@hsharrison Thanks for your answer! I tried to play around with the ingress annoations too, but it didn't help unfortunately. As you said, it might be due to the fact that we're working on Openshift.
Hello ! I managed to get it to work on Openshift within my company. The key point is that we are using Haproxy and not nginx -> the specified annotations are not working. A workaround is to loop on the paths instead of using regex. It seems to work quite well. Here is an example :
{{- if .Values.ingress.enabled -}}
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: 'rt-{{ .Values.component_name }}'
namespace: {{ .Release.Namespace }}
labels:
{{- include "cvat.labels" . | nindent 4 }}
spec:
tls:
- hosts:
- <YOUR-HOST>
secretName: <YOUR-SECRET>
rules:
- host: <YOUR-HOST>
http:
paths:
{{- range tuple "/api" "/git" "/tensorflow" "/auto_annotation" "/analytics" "/static" "/admin" "/documentation" "/dextr" "/reid"}}
- path: {{ . }}
pathType: "Prefix"
backend:
service:
name: "svc-{{ $.Values.cvat.backend.component_name}}"
port:
{{- with (first $.Values.cvat.backend.service.ports) }}
number: {{ .port }}
{{- end }}
{{- end }}
- path: "/"
pathType: "Prefix"
backend:
service:
name: "svc-{{.Values.cvat.frontend.component_name}}"
port:
{{- with (first .Values.cvat.frontend.service.ports) }}
number: {{ .port }}
{{- end }}
{{- end }}
