@allanice001 allanice001 commented Sep 30, 2025

PR Type

Bug fix


Description

  • Replace external domain URLs with internal cluster service endpoints

  • Update OAuth2 proxy authentication URLs to use svc.cluster.local

  • Fix ingress annotations across cluster-info, Grafana, and Vault applications


Diagram Walkthrough

flowchart LR
  A["External Domain URLs"] -- "Replace with" --> B["Internal Cluster Service"]
  B --> C["oauth2-proxy.glueops-core-oauth2-proxy.svc.cluster.local"]
  C --> D["Updated Ingress Annotations"]

File Walkthrough

Relevant files
Bug fix
application-cluster-info-page.yaml
Update cluster-info OAuth2 proxy URLs                                       

templates/application-cluster-info-page.yaml

  • Replace OAuth2 proxy URLs with internal cluster service endpoints
  • Update auth-signin and auth-url annotations to use svc.cluster.local
+2/-2     
application-kube-prometheus-stack.yaml
Update Grafana OAuth2 proxy URLs                                                 

templates/application-kube-prometheus-stack.yaml

  • Replace OAuth2 proxy URLs with internal cluster service endpoints
  • Update Grafana ingress annotations to use svc.cluster.local
+2/-2     
application-vault.yaml
Update Vault OAuth2 proxy URLs                                                     

templates/application-vault.yaml

  • Replace OAuth2 proxy URLs with internal cluster service endpoints
  • Update Vault ingress annotations to use svc.cluster.local
+2/-2     

@codiumai-pr-agent-free

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ No major issues detected

@codiumai-pr-agent-free

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Use public URL for browser redirects

Replace the internal service DNS in the auth-signin annotation with a publicly
accessible URL to ensure browser redirects for authentication work correctly.

templates/application-cluster-info-page.yaml [60-61]

-nginx.ingress.kubernetes.io/auth-signin: "http://oauth2-proxy.glueops-core-oauth2-proxy.svc.cluster.local/oauth2/start?rd=https://$host$request_uri"
+nginx.ingress.kubernetes.io/auth-signin: "http://oauth2.{{ .Values.captain_domain }}/oauth2/start?rd=https://$host$request_uri"
 nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.glueops-core-oauth2-proxy.svc.cluster.local/oauth2/auth"
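Review bot: The added auth-signin line keeps the `http://` scheme on what is now the browser-facing host (`http://oauth2.{{ .Values.captain_domain }}/oauth2/start`), even though `rd` already returns the user to `https://$host`. The browser follows this URL to start the OAuth2 flow, so I would switch it to `https://` if the oauth2 ingress serves TLS. Leaving the unchanged auth-url line on the svc.cluster.local name is fine, because that request is made from inside the cluster by the ingress controller rather than by the browser.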
Suggestion importance[1-10]: 10

Why: The suggestion correctly identifies a critical bug where using an internal service DNS for auth-signin would break the authentication flow, as this URL must be publicly accessible to the user's browser.

Impact: High

venkatamutyala commented Oct 1, 2025

@allanice001 were you able to successfully test this locally? If not, this was the issue I was expecting to have if we changed the URLs. I don't think there is an easy way around it.

E.g. visit: grafana.captain and it redirects to the local cluster url
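
A lint check for the failure discussed in this thread, as an added example (not code from the PR or the GlueOps repository): it flags an auth-signin annotation whose host only resolves inside the cluster or whose scheme is not https, and leaves an internal auth-url alone. The function names and the `oauth2.example.test` host are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Matches the two ingress-nginx external-auth annotations in rendered YAML.
ANNOTATION = re.compile(
    r"^\s*nginx\.ingress\.kubernetes\.io/(auth-signin|auth-url):\s*[\"']?(.+?)[\"']?\s*$"
)
# Names that only resolve through cluster DNS.
INTERNAL_SUFFIXES = (".svc", ".svc.cluster.local")


def is_cluster_internal(host):
    return (host or "").rstrip(".").lower().endswith(INTERNAL_SUFFIXES)


def lint_auth_annotations(manifest_text):
    """Return sorted (annotation, problem) pairs for one rendered manifest."""
    findings = set()
    for line in manifest_text.splitlines():
        match = ANNOTATION.match(line)
        if not match:
            continue
        name, url = match.groups()
        parts = urlsplit(url)
        if name == "auth-signin":
            # The controller sends this URL to the browser as a redirect.
            if is_cluster_internal(parts.hostname):
                findings.add((name, "cluster-internal host in browser redirect"))
            if parts.scheme != "https":
                findings.add((name, "sign-in redirect is not https"))
        # auth-url is fetched by the ingress controller itself, so a
        # svc.cluster.local host is acceptable there and is not flagged.
    return sorted(findings)


# Constructed input: the annotation values as changed by this PR.
PR_MANIFEST = '''
    nginx.ingress.kubernetes.io/auth-signin: "http://oauth2-proxy.glueops-core-oauth2-proxy.svc.cluster.local/oauth2/start?rd=https://$host$request_uri"
    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.glueops-core-oauth2-proxy.svc.cluster.local/oauth2/auth"
'''
# Constructed input: public sign-in host (oauth2.example.test is a placeholder).
FIXED_MANIFEST = '''
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.example.test/oauth2/start?rd=https://$host$request_uri"
    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.glueops-core-oauth2-proxy.svc.cluster.local/oauth2/auth"
'''
if __name__ == "__main__":
    for label, text in (("PR", PR_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(label, lint_auth_annotations(text))
```

Run against the output of `helm template` in CI, this catches the redirect-to-cluster-DNS regression before it reaches a browser.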
