Grant server auto configuration breaks grant server BaseURL handling
Describe the bug
When grant server auto configuration is enabled, the autoConfigure overwrites the grant server base url, reverting it to the host from the skupper-grant-server SecuredAccess resource status endpoint, in my case skupper-grant-server.skupper:9090.
How To Reproduce
- Turn on autoconfigure (SKUPPER_GRANT_SERVER_AUTOCONFIGURE)
- Set base url (SKUPPER_GRANT_SERVER_BASE_URL)
- Create AccessGrant
- Start controller
Expected behavior
Controller should log
time=2025-03-05T19:27:32.815Z level=INFO msg="Setting URL for AccessGrant default/my-access-grant to https://foo/ff13ed35-50fb-4029-a23e-3ba9d83dccbe"
Actual Behavior
Controller logs
time=2025-03-05T19:27:32.815Z level=INFO msg="Setting URL for AccessGrant default/my-access-grant to https://foo/ff13ed35-50fb-4029-a23e-3ba9d83dccbe"
<snip>
time=2025-03-05T19:27:36.584Z level=INFO msg="Starting grant server"
time=2025-03-05T19:27:36.585Z level=INFO msg="Grant server listening on [::]:9090"
time=2025-03-05T19:27:36.381Z level=INFO msg="Setting URL for AccessGrant default/my-access-grant to https://skupper-grant-server.skupper:9090/ff13ed35-50fb-4029-a23e-3ba9d83dccbe"
We can see the grant server overwrites the access grant url with the default host from the grant server SecuredAccess resource, rather than preserving the one set via base url configuration.
Environment details
# skupper version
COMPONENT VERSION
router 3.1.0
controller 2.0.0-preview-2
network-observer 2.0.0-preview-2
cli 2.0.0-preview-2
prometheus v2.42.0
origin-oauth-proxy 4.14.0
- Platform: kubernetes
The auto-configure option was envisaged as an alternative to manually setting the base url. "Automatically configure the URL and TLS credentials for the AccessGrant Server." as described. It would be clearer if the -grant-server-base-url and -grant-server-tls-credentials options stated that they were ignored if -grant-server-autoconfigure was enabled.
I worried that was the case, but thanks for clarifying! Is there a way to get the auto-configured TLS credentials without the base url behavior?
> Is there a way to get the auto-configured TLS credentials without the base url behavior?
Not through the auto-configure option, at least at present. You can create a Certificate resource to generate the secret though. If you use certmanager you can just use that directly. If not, you can use the skupper.io.Certificate as is created by auto-configure and just put in the hostname you want there, then supply the secret through the -grant-server-tls-credentials.
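A check for the behaviour reported in this issue, as an added example (not code from the Skupper project or from anyone in the thread): it scans controller log text for the `Setting URL for AccessGrant` message and reports each grant whose last logged URL is not on the configured base URL host. `FindOverrides` and `Override` are hypothetical names, and the sample lines are the two `Setting URL` lines quoted in the issue.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Matches the controller log message quoted in the issue.
var setURL = regexp.MustCompile(`msg="Setting URL for AccessGrant (\S+) to (\S+)"`)

// Override is a grant whose final logged URL is not on the configured host (hypothetical type).
type Override struct{ Grant, FinalURL string }

// FindOverrides returns grants whose last "Setting URL" line, in file order
// (the timestamps in the issue are not monotonic), has a host other than baseURL's.
func FindOverrides(logText, baseURL string) ([]Override, error) {
	want, err := url.Parse(baseURL)
	if err != nil || want.Host == "" {
		return nil, fmt.Errorf("invalid base URL %q", baseURL)
	}
	last := map[string]string{} // grant name -> last URL logged for it
	var order []string          // grants in first-seen order, for stable output
	for _, line := range strings.Split(logText, "\n") {
		if m := setURL.FindStringSubmatch(line); m != nil {
			if _, seen := last[m[1]]; !seen {
				order = append(order, m[1])
			}
			last[m[1]] = m[2]
		}
	}
	var out []Override
	for _, g := range order {
		got, err := url.Parse(last[g])
		if err != nil || !strings.EqualFold(got.Host, want.Host) {
			out = append(out, Override{g, last[g]})
		}
	}
	return out, nil
}

// Sample input: the two "Setting URL" lines from the issue's "Actual Behavior" log.
const sampleLog = `time=2025-03-05T19:27:32.815Z level=INFO msg="Setting URL for AccessGrant default/my-access-grant to https://foo/ff13ed35-50fb-4029-a23e-3ba9d83dccbe"
time=2025-03-05T19:27:36.381Z level=INFO msg="Setting URL for AccessGrant default/my-access-grant to https://skupper-grant-server.skupper:9090/ff13ed35-50fb-4029-a23e-3ba9d83dccbe"`

func main() { fmt.Println(FindOverrides(sampleLog, "https://foo")) }
```

With auto-configure enabled, a non-empty result is the behaviour the maintainer describes as intended, so the check is mainly useful for confirming which of the two settings is in effect.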