I am developing a ReactJS application that is calling REST APIs running in kubernetes.
The setup is as follows:
ReactJS being developed/debugged locally and ran with "npm start" because nothing beats how fast the local development server detects changes and reload the browser when changes are detected.
ReactJS API requests are done with axios
Backend APIs written in GO running as separate deployment/services locally in minikube.
There is an Ingress installed locally in minikube to forward requests from urlshortner.local to the respective k8s service.
The basic idea is the following:
ReactJS -> k8s ingress -> GO REST API
Now the problem starts when I try to set secure httpOnly cookies. Because the cookie needs to be secure, I created a self signed ssl certificate and applied it to be used by the ingress. I also enabled CORS settings in the ingress configuration. I also configured axios to not reject self signed certificates.
For some reason that is unknown to me I can't success in making the request.
Below are my relevant config files and code snippets:
k8s ingress:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: url-shortner-backend-services
namespace: default
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "https://localhost:4000"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
spec:
tls:
- secretName: urlshortner-local-tls
hosts:
- urlshortner.local
rules:
- host: urlshortner.local
http:
paths:
- path: /shortner(/|$)(.*)
backend:
serviceName: url-shortener-service
servicePort: 3000
- path: /auth(/|$)(.*)
backend:
serviceName: auth-service
servicePort: 3000
The react application start scripts:
PORT=4000 SSL_CRT_FILE=tls.crt SSL_KEY_FILE=tls.key react-scripts start
The axios code snippet that creates an axios instance that is used to issue a POST request
import axios from "axios";
import https from "https";
export default axios.create({
baseURL: 'https://urlshortner.local',
withCredentials: true,
httpsAgent: new https.Agent({
rejectUnauthorized: false
})
});
When a POST request is made, I see the following error in the browser console/network tab even though when I first load the page I am accepting the certificate warning and adding it as a trusted certificate:
The end result that I would like to achieve is to be able to set a cookie and read the cookie on subsequent requests.
The cookie is being set as follows:
c.SetSameSite(http.SameSiteNoneMode)
c.SetCookie("token", resp.Token, 3600, "/", "localhost:4000", true, true)
What is missing? What am I doing wrong?
Thanks in advance
I finally managed to fix this issue and the good news is that you don't need to create a self signed certificate.
The steps are the following:
set a HOST environment variable before starting your development react server.
adjust /etc/hosts so that 127.0.0.1 points to the value set in the HOST environment variable
adjust your k8s ingress CORS settings to allow "cors-allow-origin" from the domain set in the HOST environment variable
setting cookies should now work as expected.
Below are the relevant code snippets:
npm start script
"scripts": {
"start": "PORT=4000 HOST=app.urlshortner.local react-scripts start",
}
notice the HOST environment variable, the PORT environment variable is optional, I'm using it because the default port 3000 is already taken.
/etc/hosts
127.0.0.1 app.urlshortner.local
192.168.99.106 urlshortner.local
note that 192.168.99.106 is my local minikube ip address.
Kubernetes ingress configuration
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: url-shortner-backend-services
namespace: default
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "http://app.urlshortner.local:4000"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
spec:
rules:
- host: urlshortner.local
http:
paths:
- path: /shortner(/|$)(.*)
backend:
serviceName: url-shortener-service
servicePort: 3000
- path: /auth(/|$)(.*)
backend:
serviceName: auth-service
servicePort: 3000
What matters here is the following:
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "http://app.urlshortner.local:4000"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
axios instance used
import axios from "axios";
let baseURL = '';
if (process.env.NODE_ENV === 'development') {
baseURL = 'http://urlshortner.local';
}
export default axios.create({
baseURL,
withCredentials: true
});
How the cookie is set:
c.SetCookie("token", resp.Token, 3600, "/", ".urlshortner.local", false, true)
note the domain used. It starts with a "."
I hope this helps someone.
I have a the following setup:
1. Application (Java microservice) deployed on app engine.
2. Custom domain mapped to hit this service:.
myfavmicroservice.project-amazing.dev.corporation.com
3. This endpoint is secured to require authentication by enabling IAP.
4. Configured ESP to intercept, authenticate and fulfill request to all
backend microservices (like above) with a common gateway endpoint.
5. Microservice is deployed using app.yaml.
6. ESP endpoint is configured using api.yaml (OpenAPI API Surface document)
This is the tutorial I am following:
https://cloud.google.com/endpoints/docs/openapi/get-started-app-engine-standard
app.yaml to deploy the microservice:
runtime: java11
entrypoint: java -jar tar/worker.jar
instance_class: F2
service: myfavmicroservice
handlers:
- url: /.*
script: this field is required, but ignored
The ESP api.yaml for describing microservice api surface is like this
swagger: "2.0"
info:
title: "My fav micro Service"
description: "Serve my favorite microservice content"
version: "1.0.0"
# This field will be replaced by the deploy_api.sh script.
host: microservice-system-gateway-5c4s43dedq-ue.a.run.app
schemes:
- https
produces:
- application/json
paths:
/myfavmicroservice:
get:
summary: Greet the user
operationId: hello
description: "Get helloworld mainpage"
x-google-backend:
address: https://myfavmicroservice.project amazing.dev.corporation.com
jwt_audience: .....
responses:
'200':
description: "Success."
schema:
type: string
'400':
description: "The IATA code is invalid or missing."
schema:
type: string
But the problem is that whenever I make request to endpoint like this:
GET
https://microservice-system-gateway-5c4s43dedq-ue.a.run.app/myfavmicroservice
I always get gateway 500 error. Upon inspection of ESP logs I am finding primarily
1. SSL Handshake Error with Error no 40
2. upstream server temporarily disabled while SSL handshaking to upstream
3. request: "GET /metadatasvc-hello HTTP/1.1", upstream: "https://[3461:f4f0:5678:a13::63]:443/myfavmicroservice
So the ESP is intercepting my request correctly, perhaps forwarding the request in correct format as well as evidenced from #3. But I am getting SSL error.
Why am I getting this error?
Ok figured out the issue. For the benefit of stackoverflow community I am posting the solution here.
I figured that if you use custom domains that you map to app engine like this in the OpenAPI Configuration (That you deploy to ESP), SSL handshake fails:
x-google-backend:
address: https://my-microservice.my-custom-domain.company.com
However if you use the default URL that is assigned by APP Engine upon startup of the microservice like this, everything is fine:
x-google-backend:
address: https://my-microservice.appspot.com
So I am trying to figure out how to use custom domain mappings in ESP OpenAPI configuration. For now though, if I do that the SSL proxying is not working inside ESP.
I deployed 2 versions of openapi.yaml file to Google Cloud Endpoint using the Cloud Endpoint's versioning feature(i.e gcloud service-management deploy openapi_v1.yaml openapi_v2.yaml). Each version of the yaml file contains a version number and basepath different from the other, one endpoint that use api-key authentication, and definition for api-key authentication tag. After deployed to Endpoint, the configuration shows both yaml file, however deploying an api to GAE using this configuration will only have api-key authentication turned on for the newer version.
Does anyone know if this is a known bug, or there is something else I need to do to enable authentication for all versions?
The .yaml file looks like the following. The two versions I used to test on are identical except version and bathpath:
swagger: "2.0"
info:
description: "This API is used to connect 3rd-party ids to a common user identity"
version: "0.0.1"
title: "****"
host: "uie-dot-user-id-exchange.appspot.com"
basePath: "/v0"
...
- "https"
x-google-allow: all
paths:
...
/ids/search:
get:
operationId: "id_search"
produces:
- "application/json"
security:
- api_key: []
tags:
- "Ids"
summary: "Privileged endpoint. Provide any id (3rd party or otherwise) and get a hash of all ids associated with it."
parameters:
- in: "query"
name: "id_type"
description: "Type of id to search"
required: true
type: string
- in: "query"
name: "id_value"
description: "Value of id to search"
required: true
type: string
responses:
200:
description: "AssociatedIdsHash"
schema:
$ref: '#/definitions/AssociatedIdsHash'
400:
description: "Bad request. Requires both id_type and id_value query parameters."
401:
description: "Unauthorized. Please provide a valid api-key in the \"api-key\" header."
404:
description: "Not found - no entry found for key provided"
...
################ SECURITY DEFINITIONS ################
securityDefinitions:
# This section configures basic authentication with an API key.
api_key:
type: "apiKey"
name: "key"
in: "query"
I can replicate this issue and it appears to be a bug.
What does work is adding the API key restriction on the global level for both versions rather than at the per-path level. Perhaps this workaround will suffice for your use case.
...
security:
- api_key: []
path:
...
I am trying to follow an e-commerce tutorial where I have to create the connection with the database. I am on windows 7 with xampp v3.2.
So I use this : php bin/console generate:doctrine:entity
which gives me this error :
SQLSTATE[HY000] [2002] no connection could be made because the target
machine actively refused it
I closed xampp and I still had the same error. So I understand it comes from the configuration; somehow my shell doesn't communicate with my sql server from xampp.
here is my parameters.yml :
# This file is auto-generated during the composer install
parameters:
database_host: localhost
database_port: 3306
database_name: market
database_user: sebastian
database_password:
mailer_transport: smtp
mailer_host: localhost
mailer_user: null
mailer_password: null
secret:
and here my config.yml
imports:
- { resource: parameters.yml }
- { resource: security.yml }
- { resource: services.yml }
- { resource: "#EcommerceBundle/Resources/config/services.yml" }
# Put parameters here that don't need to change on each machine where the app is deployed
# http://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration
parameters:
locale: en
framework:
#esi: ~
#translator: { fallbacks: ["%locale%"] }
secret: "%secret%"
router:
resource: "%kernel.root_dir%/config/routing.yml"
strict_requirements: ~
form: ~
csrf_protection: ~
validation: { enable_annotations: true }
#serializer: { enable_annotations: true }
templating:
engines: ['twig']
default_locale: "%locale%"
trusted_hosts: ~
trusted_proxies: ~
session:
# http://symfony.com/doc/current/reference/configuration/framework.html#handler-id
handler_id: session.handler.native_file
save_path: "%kernel.root_dir%/../var/sessions/%kernel.environment%"
fragments: ~
http_method_override: true
assets: ~
# Twig Configuration
twig:
debug: "%kernel.debug%"
strict_variables: "%kernel.debug%"
# Doctrine Configuration
doctrine:
dbal:
driver: pdo_mysql
host: "%database_host%"
port: "%database_port%"
dbname: "%database_name%"
user: "%database_user%"
password: "%database_password%"
charset: UTF8
# if using pdo_sqlite as your database driver:
# 1. add the path in parameters.yml
# e.g. database_path: "%kernel.root_dir%/data/data.db3"
# 2. Uncomment database_path in parameters.yml.dist
# 3. Uncomment next line:
# path: "%database_path%"
orm:
auto_generate_proxy_classes: "%kernel.debug%"
naming_strategy: doctrine.orm.naming_strategy.underscore
auto_mapping: true
# Swiftmailer Configuration
swiftmailer:
transport: "%mailer_transport%"
host: "%mailer_host%"
username: "%mailer_user%"
password: "%mailer_password%"
spool: { type: memory }
I checked for the extension php_pdo_mysql.dl and it is enabled.
I verified the database name, user and password.
here is a netstat :
netstat
Make sure that your MySQL server is running and that it's using that port (in xampp\mysql\bin\my.ini). Make sure that you're able to connect manually with those credentials as well.
Also, where are you specifying the database driver in your parameters.yml? Normally you should have something like this:
database_driver: pdo_mysql
And lastly, make sure that you don't have a different parameters.yml file included in your config_dev.yml because Symfony commands, by default, use the dev environment.
thank you for your answer.
I have in my.ini 3306 port so it is the good one. I have intalled symfony2.8 and it is working so there is no credentials problems. I also tried to add the line with pdo_mysql but the error message is an pdo_exception, that means pdo works as well.
I also check config.dev but I don't really know what can be wrong inside. So I show you what it looks like :
imports:
- { resource: config.yml }
framework:
router:
resource: "%kernel.root_dir%/config/routing_dev.yml"
strict_requirements: true
profiler: { only_exceptions: false }
web_profiler:
toolbar: true
intercept_redirects: false
monolog:
handlers:
main:
type: stream
path: "%kernel.logs_dir%/%kernel.environment%.log"
level: debug
channels: [!event]
console:
type: console
channels: [!event, !doctrine]
# uncomment to get logging in your browser
# you may have to allow bigger header sizes in your Web server configuration
#firephp:
# type: firephp
# level: info
#chromephp:
# type: chromephp
# level: info
#swiftmailer:
# delivery_address: me#example.com
thank for your help
i cant connect to mysql on xamppp
install mysql 8 on my system on port 3307
and its worked great with laravel.
if you want please install mysql workbench (instead of phpmyadmin)
Trying to deploy some static content to GAE, since they removed the push-to-deploy pipeline feature. I've setup a brand new project. It's in the US region. Did gcloud auth login again. Still getting the same response.
Verbose debug output below. [REDACTED] is my addition to the code.
$ gcloud preview app deploy dist/app.yaml --verbosity debug
DEBUG: Running gcloud.preview.app.deploy with Namespace(__calliope_internal_deepest_parser=ArgumentParser(prog='gcloud.preview.app.deploy', usage=None, description="*(BETA)* This command is used to deploy both code and configuration to the App Engine\nserver. As an input it takes one or more ``DEPLOYABLES'' that should be\nuploaded. A ``DEPLOYABLE'' can be a module's .yaml file or a configuration's\n.yaml file.", version=None, formatter_class=<class 'argparse.HelpFormatter'>, conflict_handler='error', add_help=False), cmd_func=<bound method Command.Run of <googlecloudsdk.calliope.backend.Command object at 0x10bf14290>>, command_path=['gcloud', 'preview', 'app', 'deploy'], deployables=['dist/app.yaml'], document=None, env_vars=None, force=False, format=None, h=None, help=None, http_timeout=None, log_http=None, markdown=None, project=None, quiet=None, remote=False, server=None, set_default=False, trace_token=None, user_output_enabled=None, verbosity='debug', version=None).
You are about to deploy the following modules:
- [PROJECT_ID]/default/20150612t130942 From: [/Users/[ME]/Dropbox/Sites/[PROJECT_ID]/site/dist/app.yaml]
Do you want to continue (Y/n)? Y
Updating module [default]...DEBUG: Host: appengine.google.com
DEBUG: Host: appengine.google.com
DEBUG: Getting current resource limits.
DEBUG: Send: /api/appversion/getresourcelimits, params={'version': '20150612t130942', 'app_id': '[PROJECT_ID]'}
DEBUG: _Authenticate configuring auth; needs_auth=False
DEBUG: Sending request to https://appengine.google.com/api/appversion/getresourcelimits?app_id=[PROJECT_ID]&version=20150612t130942 headers={'X-appcfg-api-version': '1', 'content-length': '0', 'Content-Type': 'application/octet-stream'} body=
INFO: Attempting refresh to obtain initial access_token
INFO: Refreshing access_token
DEBUG: Got response: max_file_size: 32000000
max_blob_size: 32000000
max_files_to_clone: 2000
max_total_file_size: 9223372036854775807
max_file_count: 10000
DEBUG: Using resource limits: {'max_file_size': 32000000, 'max_total_file_size': 9223372036854775807, 'max_blob_size': 32000000, 'max_files_to_clone': 2000, 'max_file_count': 10000}
INFO: Reading app configuration.
DEBUG:
Starting update of app: [PROJECT_ID], version: 20150612t130942
DEBUG: Scanning files on local disk.
INFO: Processing file [app.yaml]
INFO: Processing file [index.html]
INFO: Processing file [views/6a0e56b1.main.html]
INFO: Processing file [views/partials/90bc29e6.case-study.html]
INFO: Processing file [views/partials/cc69dea5.home.html]
INFO: Processing file [styles/9960b040.main.css]
INFO: Processing file [scripts/8a12aff1.scripts.js]
INFO: Processing file [scripts/8e6de882.libraries.js]
DEBUG: Send: /api/appversion/create, params={'version': '20150612t130942', 'app_id': '[PROJECT_ID]', 'module': 'default'}
DEBUG: _Authenticate configuring auth; needs_auth=False
DEBUG: Sending request to https://appengine.google.com/api/appversion/create?app_id=[PROJECT_ID]&module=default&version=20150612t130942 headers={'X-appcfg-api-version': '1', 'content-length': '633', 'Content-Type': 'application/octet-stream'} body=api_version: '1'
application: [PROJECT_ID]
auto_id_policy: default
builtins:
- default: 'on'
derived_file_type:
- python_precompiled
handlers:
- script: index.html
secure: optional
url: /
- secure: optional
static_dir: styles
url: /styles
- secure: optional
static_dir: scripts
url: /scripts
- secure: optional
static_dir: views
url: /views
- secure: optional
static_dir: fonts
url: /fonts
- secure: optional
static_dir: images
url: /images
- secure: optional
static_dir: res
url: /res
module: default
runtime: php
threadsafe: true
version: 20150612t130942
vm_settings:
module_yaml_path: app.yaml
INFO: Attempting refresh to obtain initial access_token
INFO: Refreshing access_token
Updating module [default].../DEBUG: Got http error 400.
DEBUG: Unexpected results: {'status': '400', 'alternate-protocol': '443:quic,p=1', 'content-length': '318', 'expires': 'Fri, 01 Jan 1990 00:00:00 GMT', 'server': 'Google Frontend', 'cache-control': 'no-cache', 'date': 'Fri, 12 Jun 2015 18:09:47 GMT', 'content-type': 'text/plain'}
Updating module [default]...done.
DEBUG: (gcloud.preview.app.deploy) Server responded with code [400]:
Bad Request Unexpected HTTP status 400
Traceback (most recent call last):
File "/Users/[ME]/Applications/google-cloud-sdk/./lib/googlecloudsdk/calliope/cli.py", line 538, in Execute
result = args.cmd_func(cli=self, args=args)
File "/Users/[ME]/Applications/google-cloud-sdk/./lib/googlecloudsdk/calliope/backend.py", line 1124, in Run
result = command_instance.Run(args)
File "/Users/[ME]/Applications/google-cloud-sdk/lib/googlecloudsdk/appengine/app_commands/deploy.py", line 119, in Run
client.DeployModule(module, version, info.parsed, info.file)
File "/Users/[ME]/Applications/google-cloud-sdk/./lib/googlecloudsdk/appengine/lib/appengine_client.py", line 276, in DeployModule
return appversion.DoUpload()
File "/Users/[ME]/Applications/google-cloud-sdk/./lib/googlecloudsdk/appengine/lib/appengine_deployments.py", line 1016, in DoUpload
missing_files = self.Begin()
File "/Users/[ME]/Applications/google-cloud-sdk/./lib/googlecloudsdk/appengine/lib/appengine_deployments.py", line 561, in Begin
payload=config_copy.ToYAML())
File "/Users/[ME]/Applications/google-cloud-sdk/./lib/googlecloudsdk/appengine/lib/util.py", line 288, in Send
result = self.rpcserver.Send(url, payload=payload, **kwargs)
File "/Users/[ME]/Applications/google-cloud-sdk/./lib/googlecloudsdk/appengine/lib/util.py", line 353, in Send
response = self._server.Send(*args, **kwargs)
File "/Users/[ME]/Applications/google-cloud-sdk/./lib/googlecloudsdk/appengine/lib/external/tools/appengine_rpc_httplib2.py", line 269, in Send
'Unexpected HTTP status %s' % status)
File "/Users/[ME]/Applications/google-cloud-sdk/./lib/googlecloudsdk/appengine/lib/external/tools/appengine_rpc_httplib2.py", line 67, in RaiseHttpError
raise urllib2.HTTPError(url, response_info.status, msg, response_info, stream)
RPCError: Server responded with code [400]:
Bad Request Unexpected HTTP status 400
ERROR: (gcloud.preview.app.deploy) Server responded with code [400]:
Bad Request Unexpected HTTP status 400
You might have to set the project id again if you have disabled/removed previous application from google cloud console.
gcloud config set project PROJECT_ID
The generic issue is that the error did not have a message.
Starting in the cloud SDK release tomorrow, the reason for whatever error (billing issue, not enough quota, whatever) will be displayed, so please try to get the newer cloud SDK tomorrow.
For me I hadn't enabled billing in Compute > Compute Engine > VM instances on my Google Console project. It works now!
If you have appcfg.py installed, you can run that to deploy and it will give the exact error message, I found mine to be an invalid api_version for the java runtime (to which i can't find the valid number and 1 isn't it)
My initial deployment was fine and after I uploaded the update, it started to fail and get the same errors as you did. I found the issue with oauth. Logout from google and running:
$ gcloud auth login
After relogin, I was able to deploy. No re-coding or Managed VM setting changes were done.