I have a Rancher provisioned Kubernetes cluster running and I am now trying to write a helm chart to get my Teiid-Wildfly Server running. Currently I am a little bit lost with the Ingress configuration. I am not able to reach the administration console via the ingress. I get the login page, however after providing credentials on the console login I always get the following error message:

Access Denied - Insufficient priviledges to acess this interface

When I use a kubectl port-forward 9990:9990 and I try to login via http everything is working as expected. Hence, my problem has to do with my use of the nginx ingress as reverse proxy. It does SSL termination by the way. My configuration in the helm chart looks as given below. I think I am missing some annotations here for the reverse proxying to work. I have now tried a lot of different configurations but always without success. It would be great if someone could provide directions. Thanks a lot for your help!

Best regards,

Christoph

```
{{- $fullName := include "chart.fullname" . -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}
  labels:
  annotations:
    kubernetes.io/ingress.class: nginx  
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/server-snippet: |
        proxy_set_header "Host $host";

spec:
  tls:
    - hosts:
        - staging.example.de
        - www.staging.example.de
      secretName: staging-example-crt
  rules:
    - host: staging.example.de 
      http:
        paths:
          - path: /console
            backend:
              serviceName: staging-teiid
              servicePort: mgmt-interface
    - host: www.staging.example.de
      http:
        paths:
          - path: /console
            backend:
              serviceName: staging-teiid
              servicePort: mgmt-interface
    - host: staging.example.de
      http:
        paths:
          - path: /management
            backend:
              serviceName: staging-teiid
              servicePort: mgmt-interface
    - host: www.staging.example.de
      http:
        paths:
          - path: /management
            backend:
              serviceName: staging-teiid
              servicePort: mgmt-interface
    - host: staging.example.de
      http:
        paths:
          - path: /odata4/svc
            backend:
              serviceName: staging-teiid
              servicePort: svc-endpoint
    - host: www.staging.example.de
      http:
        paths:
          - path: /odata4/svc
            backend:
              serviceName: staging-teiid
              servicePort: svc-endpoint
```
------------
The docker image for the container is built with the following Dockerfile

```
# this is the version we will use for productive use. vdb's for wildfly/teiid version 9 are compatible
FROM jboss/wildfly:17.0.0.Final
ENV TEIID_VERSION 12.3.0
ENV TEIID_CONSOLE_VERSION 3.1.0
ARG ADMIN_USER 
ARG ADMIN_PWD

MAINTAINER Christoph John <christoph_john@gmx.de> 
ENV JBOSS_HOME /opt/jboss/wildfly
ENV JBOSS_CLI /opt/jboss/wildfly/bin/jboss-cli.sh

# Copy and unzip Teiid console
COPY --chown=jboss:jboss dist-$TEIID_CONSOLE_VERSION-overlay.zip $JBOSS_HOME
RUN cd $JBOSS_HOME \
    && bsdtar -xf dist-$TEIID_CONSOLE_VERSION-overlay.zip \
    && rm dist-$TEIID_CONSOLE_VERSION-overlay.zip

# Copy and unzip Teiid server
COPY --chown=jboss:jboss teiid-wildfly-$TEIID_VERSION-dist.zip $JBOSS_HOME
RUN cd $JBOSS_HOME \
    && bsdtar -xf teiid-wildfly-$TEIID_VERSION-dist.zip \
    && chmod +x $JBOSS_HOME/bin/*.sh \
    && rm teiid-wildfly-$TEIID_VERSION-dist.zip

# add required admin and application user
RUN echo "=> Adding WildFly administrator and application user" \
    && $JBOSS_HOME/bin/add-user.sh -u $ADMIN_USER -p $ADMIN_PWD -g admin \
    && $JBOSS_HOME/bin/add-user.sh -a -u $ADMIN_USER -p $ADMIN_PWD -g 'odata,rest'

# copy sql driver
ENV MYSQL_VERSION 8.0.16
COPY --chown=jboss:jboss  mysql-connector-java-${MYSQL_VERSION}.jar  /tmp/mysql-connector-java-${MYSQL_VERSION}.jar

# Configure Wildfly server with mysql driver
# Database
ARG DB_NAME
ARG DB_USER
ARG DB_PASS
ARG DB_URI

RUN echo "=> Starting WildFly server" \
    && bash -c '$JBOSS_HOME/bin/standalone.sh -c standalone-teiid.xml &' \
    && echo "=> Waiting for the server to boot" \
    && bash -c 'until `$JBOSS_CLI -c ":read-attribute(name=server-state)" 2> /dev/null | grep -q running`; do echo `$JBOSS_CLI -c ":read-attribute(name=server-state)" 2> /dev/null`; sleep 1; done' \
    && echo "=> Adding MySQL module" \
    && $JBOSS_CLI --connect --command="module add --name=com.mysql --resources=/tmp/mysql-connector-java-${MYSQL_VERSION}.jar --dependencies=javax.api,javax.transaction.api" \
    && echo "=> Adding MySQL driver" \
    && $JBOSS_CLI --connect --command="/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.cj.jdbc.Driver)" \
#    && $JBOSS_CLI --connect --command="/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-xa-datasource-class-name=com.mysql.cj.jdbc.MysqlXADataSource)" \
    && echo "=> Creating a new datasource" \
#    && $JBOSS_CLI --connect --command="xa-data-source add \
#    --name=${DB_NAME} \
#    --jndi-name=java:/${DB_NAME} \
#    --user-name=${DB_USER} \
#    --password=${DB_PASS} \
#    --driver-name=mysql \
##    --valid-connection-checker-class-name=com.mysql.cj.jdbc.integration.jboss.MysqlValidConnectionChecker \
##    --exception-sorter-class-name=com.mysql.cj.jdbc.integration.jboss.ExtendedMysqlExceptionSorter \
#    --xa-datasource-properties=[ServerName=db, PortNumber=3306, DatabaseName=${DB_NAME}, UseCursorFetch=true]\
#    --use-ccm=false \
#    --statistics-enabled=true \
#    --enabled=true" \
    && $JBOSS_CLI --connect --command="data-source add \
    --name=${DB_NAME} \
    --jndi-name=java:/${DB_NAME} \
    --user-name=${DB_USER} \
    --password=${DB_PASS} \
    --driver-name=mysql \
    --connection-url=jdbc:mysql://${DB_URI}/${DB_NAME}?useCursorFetch=true \
    --use-ccm=false \
    --max-pool-size=25 \
    --blocking-timeout-wait-millis=5000 \
    --statistics-enabled=true \
    --enabled=true" \
    && echo "=> Setting CORS headers" \
    && $JBOSS_CLI --connect --command="/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Origin:add(header-name=Access-Control-Allow-Origin,header-value=*)" \
    && $JBOSS_CLI --connect --command="/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Origin:add" \
    && $JBOSS_CLI --connect --command="/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=secure,value=true)" \
    && echo "=> Shutting down WildFly and Cleaning up" \
    && $JBOSS_CLI --connect --command=":shutdown" \
    && rm -rf $JBOSS_HOME/standalone/configuration/standalone_xml_history/ $JBOSS_HOME/standalone/log/* 


# Deploy VDB
COPY --chown=jboss:jboss ./vdb/svc-vdb.ddl $JBOSS_HOME/standalone/deployments
COPY --chown=jboss:jboss ./vdb/svc-vdb.ddl.dodeploy $JBOSS_HOME/standalone/deployments

USER jboss

ENV LAUNCH_JBOSS_IN_BACKGROUND true

# Expose Teiid server  ports 
EXPOSE 8080 9990 31000 35432 

# Run Teiid server and bind to all interface
CMD ["/bin/sh", "-c", "$JBOSS_HOME/bin/standalone.sh -c standalone-teiid.xml -b 0.0.0.0 -bmanagement 0.0.0.0"]
```
cjohn
  • I suspect nginx is not forwarding the authentication header to Wildfly server, see if there is any annotation to enable that. – Ramesh Reddy Nov 24 '19 at 04:05
  • Hello Ramesh, which header field do you mean? And is it somehow possible to debug what the HTTP headers which Teiid receives look like? I am not sure if the annotations which I provide to the ingress via my helm chart are working as expected. It would make things clearer if I could see in a debug log what wildfly/teiid receives. – cjohn Nov 24 '19 at 16:47
  • I could only find https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ maybe try Kubernetes community – Ramesh Reddy Dec 02 '19 at 13:12
  • Hello Ramesh, yes, this is the only info I could find so far as well. It did not help me. I was trying to get help from the Kubernetes community in parallel, without success yet. But back to my last question, as it is wildfly/teiid specific: is it possible to see the HTTP headers which teiid/wildfly receives? I have not found a debug log option for that. I would like to check if the configuration options for my nginx ingress are working as expected. Thanks for your help. – cjohn Dec 03 '19 at 17:31
  • IMO, this is not teiid/wildfly specific, as you confirmed when you port forwarded it and it worked. What I suspect is that the service/ingress you created is not passing all the details to the wildfly server. Any logs will be in Kube. – Ramesh Reddy Dec 04 '19 at 00:10
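
The comments above ask how to see which headers actually reach the backend behind the ingress. One way to check, as an added example that is not part of the original thread: a stand-in backend that echoes the headers it receives, plus a helper that diffs what arrived over the port-forward against what arrived through nginx. The class and function names, the watched-header list and the idea of temporarily routing the Ingress to this server instead of `staging-teiid` are assumptions for illustration.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Headers worth comparing between the port-forward path and the ingress path.
WATCHED = ("host", "authorization", "origin", "referer",
           "x-forwarded-proto", "x-forwarded-host", "x-forwarded-for")

class EchoHeaders(BaseHTTPRequestHandler):
    """Replies with the request line and headers exactly as the backend saw them."""
    def _echo(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # drain any POST body so the client is not reset
        seen = {k.lower(): v for k, v in self.headers.items()}
        body = json.dumps({"method": self.command, "path": self.path,
                           "headers": seen}, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_GET = do_POST = _echo

    def log_message(self, fmt, *args):  # the JSON reply is the log; keep stderr quiet
        pass

def serve(host="127.0.0.1", port=0):
    """Start the echo backend in a background thread; port=0 picks a free port."""
    srv = ThreadingHTTPServer((host, port), EchoHeaders)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch_seen(url, headers):
    """Send a request and return the headers the backend reports having received."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["headers"]

def diff_headers(direct, proxied):
    """Map each watched header that differs to its (direct, proxied) pair."""
    return {h: (direct.get(h), proxied.get(h)) for h in WATCHED
            if direct.get(h) != proxied.get(h)}

if __name__ == "__main__":
    serve("0.0.0.0", 9990)       # stand in for the management port inside the pod
    threading.Event().wait()     # block until interrupted
```

Requesting the same path once through `kubectl port-forward` and once through the ingress host, then passing the two `headers` objects to `diff_headers`, shows which of the watched headers the proxy added, dropped or rewrote.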

0 Answers