Login issues with mender 3.2 on kubernetes

I think the issue is the /me request following the login request does not use the JWT returned by the login request, my guess is it's an issue with the frontend code?

aha! this has to be some problem with the configuration of the api-gateway and ingress. how are we accessing the cluster? what stands between the api-gateway pod and the outside? what is the configuration?

pg

a service loadbalancer:

apiVersion: v1
kind: Service
metadata:
  name: mender-api-lb
spec:
  selector:
    app.kubernetes.io/name: api-gateway
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 80

before I comment on this, in the browser developer tools network tab, you do get a JWT in response to POST to /login, right?
(it comes back as a plain response, i.e.: not in json, just a string, no quotes)
could I have a screenshot with the response to POST to /login (erase the confidentials)

pg

yes, JWT response from login is a plain response

ok, I have to engage someone from the frontend team, as I do not understand how it could happen that the JWT is returned, but not used in subsequent calls.
is there anything on the javascript console during login?

peter

last thing I am going to ask before handing it over, could you get me:

kubectl exec mender-gui-pod -- cat /var/www/mender-gui/dist/env.js

remember to erase the confidential values.

peter

as my dear colleague Fabio pointed out to me just now: why are we using http? this will only work over https.

peter

when I try https, it gives me a 404 page not found

 mender_environment = {
    hostAddress: "",
    hostedAnnouncement: "",
    isDemoMode: "",
    features: {
      hasAddons: "",
      hasAuditlogs: "",
      hasDeviceConfig: "true",
      hasDeviceConnect: "true",
      hasMonitor: "",
      hasMultitenancy: "",
      hasReporting: "",
      isEnterprise: "",
      isHosted: ""
    },
    trackerCode: "",
    recaptchaSiteKey: "",
    stripeAPIKey: "",
    integrationVersion: "3.2.1",
    menderVersion: "3.2.1",
    menderArtifactVersion: "3.6.0",
    metaMenderVersion: "",
    services: {
      deploymentsVersion: "",
      deviceauthVersion: "",
      guiVersion: "3.2.0",
      inventoryVersion: ""
    },
    demoArtifactPort: "",
    disableOnboarding: ""
  }

hostAddress has to be:

 hostAddress: "your-full-hostname:443",

this has to be set in gui pod in env:

GATEWAY_IP='your-full-hostname'
GATEWAY_PORT='443'

in case of hosted.mender.io correct settings are:

  GATEWAY_IP: hosted.mender.io
  GATEWAY_PORT: "443"

peter
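
A quick check for the setting described above, added here as an example and not part of the original posts or of Mender's own tooling. The function names `host_address` and `check_env_js` and the hostname `mender.example.com` are assumptions; the env.js samples are constructed.

```shell
#!/bin/sh
# Added example: check that env.js in the mender-gui pod carries the
# hostAddress the thread calls for (GATEWAY_IP:GATEWAY_PORT).

# Print the hostAddress value found in env.js text read from stdin.
host_address() {
    sed -n 's/^[[:space:]]*hostAddress:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# check_env_js <expected-host> <expected-port>, env.js on stdin.
# Returns 0 on match, 1 if hostAddress is empty, 2 if it differs.
check_env_js() {
    actual=$(host_address)
    if [ -z "$actual" ]; then
        echo "hostAddress is empty: set GATEWAY_IP and GATEWAY_PORT in the gui pod env" >&2
        return 1
    fi
    if [ "$actual" != "$1:$2" ]; then
        echo "hostAddress is '$actual', expected '$1:$2'" >&2
        return 2
    fi
    echo "hostAddress ok: $actual"
    return 0
}

# Constructed samples (trimmed env.js); mender.example.com is a placeholder.
ENV_JS_UNSET='mender_environment = {
    hostAddress: "",
    hostedAnnouncement: "",
  }'
ENV_JS_SET='mender_environment = {
    hostAddress: "mender.example.com:443",
    hostedAnnouncement: "",
  }'

# Against a live pod (command from the thread):
#   kubectl exec mender-gui-pod -- cat /var/www/mender-gui/dist/env.js \
#     | check_env_js your-full-hostname 443
```
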

Hi Peter, since I’m following this installation process using the helm chart on K8S

When in this process do I set these env:s, as neither
GATEWAY_IP nor GATEWAY_PORT is mentioned in the instructions?

they both need to be present in the mender-gui pod env, for now you can just put them there, in the deployment manifest:

      containers:
      - env:
        - name: GATEWAY_IP
          value: "hosted.mender.io"
        - name: GATEWAY_PORT
          value: "443"
        image: mendersoftware/gui:yourtaghere

let's see how it works, and then I can review the docs.

peter

so now with the env:s set, env.js is changed to the following, where xx.xxx.xx.xx is my public ip.

but the issues are not resolved
https gives me a 404 page not found and
/me gives 401

  mender_environment = {
    hostAddress: "xx.xxx.xx.xxx:443",
    hostedAnnouncement: "",
    isDemoMode: "",
    features: {
      hasAddons: "",
      hasAuditlogs: "",
      hasDeviceConfig: "true",
      hasDeviceConnect: "true",
      hasMonitor: "",
      hasMultitenancy: "",
      hasReporting: "",
      isEnterprise: "",
      isHosted: ""
    },
    trackerCode: "",
    recaptchaSiteKey: "",
    stripeAPIKey: "",
    integrationVersion: "3.2.1",
    menderVersion: "3.2.1",
    menderArtifactVersion: "3.6.0",
    metaMenderVersion: "",
    services: {
      deploymentsVersion: "",
      deviceauthVersion: "",
      guiVersion: "3.2.0",
      inventoryVersion: ""
    },
    demoArtifactPort: "",
    disableOnboarding: ""
  }

ok, this has to be related to the ingress configuration, have you tried something along these lines:

cat >mender-ingress.yml <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mender-ingress
  annotations:
    cert-manager.io/issuer: "letsencrypt"
spec:
  tls:
  - hosts:
    - ${MENDER_SERVER_DOMAIN}
    secretName: mender-ingress-tls
  rules:
  - host: "${MENDER_SERVER_DOMAIN}"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: mender-api-gateway
            port:
              number: 80
EOF

kubectl apply -f mender-ingress.yml

peter

Hi Peter,

I resolved this one by configuring an ingress using self-managed certificates as I don’t have a domain for evaluation right now. Following is the ingress manifest

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mender-ingress
spec:
  tls:
  - secretName: mender-ingress-key
  defaultBackend:
    service:
      name: mender-api-gateway
      port:
        number: 80

Thank you for the support!

great to hear it!
thanks and good luck! feel free to reach out anytime.

have a good day!
peter