Enable CORS for k8s Metacat Deployments #2050

Open
artntek opened this issue Jan 21, 2025 · 1 comment

artntek commented Jan 21, 2025

We need to allow MetacatUI instances to have hostnames that do not match the corresponding metacat installation's hostname.

See backend meeting discussion 1/21/25.

Example Use Case

(Abridged from 2/5/25 Slack thread - Matt & Robyn)

(MBJ) We had a user report trouble getting to PNDB data files for this PNDB dataset, and sure enough, when I try to access the landing page I see a bunch of CORS errors for PNDB, KNB, ARCTIC and other nodes in the console. Screenshot below.

Image

Interestingly, I can access the resource map from PNDB without error.

(RTB) The issue is with the CORS config on the PNDB server. CORS restrictions don't apply to direct requests for a resource, e.g. navigating to the resource map directly in your browser. You can see this for yourself with curl:

curl -i -X GET "https://pndb.fr/metacat/d1/mn/v2/object/resource_map_urn:uuid:2d9baf2c-62c8-41b2-9178-dd68af3b3379" \
     -H "Origin: https://dataone.org/"

result:

HTTP/2 403 
content-type: text/plain
content-length: 0
date: Wed, 05 Feb 2025 15:42:27 GMT

Compare to a direct request without origin:

curl -i -X GET "https://pndb.fr/metacat/d1/mn/v2/object/resource_map_urn:uuid:2d9baf2c-62c8-41b2-9178-dd68af3b3379"

result: success

Also requests from the same origin work. This returns the resource map:

curl -i -X GET "https://pndb.fr/metacat/d1/mn/v2/object/resource_map_urn:uuid:2d9baf2c-62c8-41b2-9178-dd68af3b3379" \
     -H "Origin: https://pndb.fr/"

PNDB needs to add a CORS config like: Access-Control-Allow-Origin: https://dataone.org/

@artntek artntek self-assigned this Jan 21, 2025
@artntek artntek added the k8s Kubernetes/Helm Related label Jan 21, 2025
@artntek artntek added this to the 3.2.0 milestone Jan 21, 2025

artntek commented Jan 24, 2025

See values already tried, in helm/examples/values-dev-cluster-arctic-example.yaml in branch feature-2050-cors-k8s-ingress. Retry after nginx is upgraded to latest.

NOTES

Here's what we have in the Apache setup for ADC, for reference:

  Header always append X-Frame-Options SAMEORIGIN
  SetEnvIf Origin "^(.*)$" ORIGIN_DOMAIN=$1
  #RequestHeader set Expect "100-continue"
  Header set Access-Control-Allow-Origin "%{ORIGIN_DOMAIN}e" env=ORIGIN_DOMAIN
  Header set Access-Control-Allow-Headers "Authorization, Content-Type, Origin, Cache-Control"
  Header set Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS"
  Header set Access-Control-Allow-Credentials "true"

However, nginx doesn't like to support wildcard values for Access-Control-Allow-Origin at the same time Access-Control-Allow-Credentials is being used (which is why it works only when you aren't logged in).

Found several different workarounds; see example links:

...but couldn't get any of them to work. I think this might be because our version of nginx is old, and has bugs which have since been fixed.

ingress-nginx versions:

For example, see these links:

Other useful links:
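
Added example, not part of the issue thread or the Metacat code base: the Apache snippet quoted above echoes whatever Origin a request carries while also allowing credentials, and the sketch below contrasts that with an explicit allow-list that returns Access-Control-Allow-Origin only for known MetacatUI hosts. The allow-list entries and all function names are assumptions for illustration; the helper normalizes values to the scheme://host[:port] form browsers send in the Origin header.

```python
from urllib.parse import urlsplit

# Constructed allow-list for illustration; the hostnames appear in the thread.
ALLOWED_ORIGINS = ("https://dataone.org/", "https://pndb.fr")


def serialize_origin(value):
    """Return scheme://host[:port] as browsers send it in Origin, else None."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except (ValueError, AttributeError):
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # An origin has no userinfo, path, query or fragment; tolerate one trailing "/".
    if "@" in parts.netloc or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    suffix = "" if port in (None, default) else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def reflect_any_origin(origin):
    """Effect of the quoted Apache snippet for a request that carries an Origin:
    the value is echoed back and credentialed requests are allowed."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def allowlist_cors(origin, allowed=ALLOWED_ORIGINS):
    """Emit CORS headers only when the request origin is on the allow-list."""
    allowed_set = {serialize_origin(a) for a in allowed} - {None}
    candidate = serialize_origin(origin)
    headers = {"Vary": "Origin"}  # stop caches reusing one origin's reply for another
    if candidate is not None and candidate in allowed_set:
        headers["Access-Control-Allow-Origin"] = candidate
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed request origins, not captured traffic.
    for o in ("https://dataone.org", "https://pndb.fr/",
              "https://dataone.org.unlisted.example", "null"):
        reflected = reflect_any_origin(o).get("Access-Control-Allow-Origin")
        listed = allowlist_cors(o).get("Access-Control-Allow-Origin")
        print(f"{o!r:42} reflect={reflected!r} allowlist={listed!r}")
```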
