dashboard icon indicating copy to clipboard operation
dashboard copied to clipboard

Published 20 hours ago verified publisher icon kubernetes

Make 'isCurrentDomainSecure' more flexible

Open everflux opened this issue 2 years ago • 4 comments

What would you like to be added?

For local development it would be great, if not exactly the host name must match 'localhost' (or 127.0.0.1), but if prefixes are allowed for non-https access. For example "dashboard.localhost".

The code could look like

private isCurrentDomainSecure_(): boolean {
    return location.hostname.endsWith('localhost') ||  location.hostname.endsWith('127.0.0.1');
  }

Why is this needed?

It is not easily possible to create TLS certificates for localhost. Using an ingress to access all cluster services - incl. the dashboard - would allow for a more consistent experience. To achieve this it is most convenient to use sudomains with the 'localhost' domain.

everflux avatar Apr 28 '22 20:04 everflux

I am not sure why would it matter for the local dev environment. When running locally I simply grant Dashboard itself full privileges and disable HTTPS. Another option is to simply ignore the browser prompt about untrusted certificates since you know this is your local dev instance.

floreks avatar Jun 14 '22 10:06 floreks

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Sep 12 '22 11:09 k8s-triage-robot

I have a different motivation for allowing dashboard.localhost: Dashboard doesn't have native support for operating from a subpath (#3686, #5017). The easiest way to run it behind Ingress/Gateway (providing authn middleware) is to use a hostname matcher.

I'm running my Bottlerocket/K8s tests in VirtualBox and using NAT with port-forwarding to the VM, which means my Gateway ends up as e.g. localhost:1234. To differentiate Dashboard from something else running on the same Gateway, it would be nice to be able to just say dashboard.localhost:1234 in the browser, which AFAIK resolves the same as localhost everywhere, but the Host header becomes more useful.

Edit Confirmed that subdomains of localhost should be treated as localhost.: https://datatracker.ietf.org/doc/html/rfc6761#section-6.3

tommie avatar Apr 14 '23 21:04 tommie

I built a monkey-patched PoC image and a script to monkey-patch the manifests: https://github.com/kubernetes/dashboard/issues/7058

tommie avatar Apr 15 '23 08:04 tommie