Dear Team,
We successfully deployed MOSIP 1.2.2.0 on GKE (Kubernetes v1.30). While the deployment went well, we encountered a few challenges due to GCP’s lack of TLS termination support on internal/L4 load balancers. To address this, we configured TLS termination on each gateway, and all endpoints are now reachable.
However, the following issues persist:
CORS Errors:
When accessing the Admin UI, requests from https://admin.radiant-mosip.org to https://api-internal.radiant-mosip.org are being blocked due to missing headers. Attempts to handle CORS at the virtual service level have not been successful.
Service Accessibility:
Services are inconsistently accessible in the same browser window. Only one or two services are reachable at a time, which is unusual.
We would appreciate your assistance in resolving these issues. Please let us know if you need any further details.
Thank you for your support.
ckm007
November 29, 2024, 9:20am
2
@ali_shaik can you please share here the gateway description of admin ui along with virtualservice of admin ui and service both to analyse?
Hi @ckm007, thanks for your response. Please find the required details below.
Admin-ui gateway
```yaml
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  annotations:
    meta.helm.sh/release-name: admin-ui
    meta.helm.sh/release-namespace: admin
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: admin-gateway
  namespace: admin
spec:
  selector:
    istio: ingressgateway-internal
  servers:
  - hosts:
    - admin.xxx-mosip.org
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - admin.xxx-mosip.org
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: mosip-tls-secret
      mode: SIMPLE
```
Admin UI Virtual service
```
Name:         admin-ui
Namespace:    admin
Labels:       app.kubernetes.io/component=mosip
              app.kubernetes.io/instance=admin-ui
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=admin-ui
              helm.sh/chart=admin-ui-12.0.1
Annotations:  meta.helm.sh/release-name: admin-ui
              meta.helm.sh/release-namespace: admin
API Version:  networking.istio.io/v1
Kind:         VirtualService
Metadata:
  Creation Timestamp:  2024-11-09T18:11:50Z
  Generation:          1
  Resource Version:    3701581
  UID:                 d93bfeaa-a0e5-4640-a2a8-7ff7c7ac2c12
Spec:
  Gateways:
    admin-gateway
  Hosts:
    *
  Http:
    Headers:
      Request:
        Set:
          X - Forwarded - Proto:  https
    Match:
      Uri:
        Prefix:  /
    Route:
      Destination:
        Host:  admin-ui
        Port:
          Number:  80
Events:            <none>
```
Admin UI service
```
Name:                     admin-ui
Namespace:                admin
Labels:                   app.kubernetes.io/component=mosip
                          app.kubernetes.io/instance=admin-ui
                          app.kubernetes.io/managed-by=Helm
                          app.kubernetes.io/name=admin-ui
                          helm.sh/chart=admin-ui-12.0.1
Annotations:              cloud.google.com/neg: {"ingress":true}
                          meta.helm.sh/release-name: admin-ui
                          meta.helm.sh/release-namespace: admin
Selector:                 app.kubernetes.io/instance=admin-ui,app.kubernetes.io/name=admin-ui
Type:                     ClusterIP
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       34.118.238.191
IPs:                      34.118.238.191
Port:                     http  80/TCP
TargetPort:               8080/TCP
Endpoints:                10.60.5.23:8080
Session Affinity:         None
Internal Traffic Policy:  Cluster
Events:                   <none>
```
ckm007
November 29, 2024, 11:17am
4
Can you also share the virtualservice of admin services?
Here is the admin service’s virtual service manifest
```
Name:         admin-service
Namespace:    admin
Labels:       app.kubernetes.io/component=mosip
              app.kubernetes.io/instance=admin-service
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=admin-service
              helm.sh/chart=admin-service-12.0.1
Annotations:  meta.helm.sh/release-name: admin-service
              meta.helm.sh/release-namespace: admin
API Version:  networking.istio.io/v1
Kind:         VirtualService
Metadata:
  Creation Timestamp:  2024-11-09T18:08:09Z
  Generation:          1
  Resource Version:    3698647
  UID:                 bc42d1f7-a2a3-4644-8f28-7754841adb9e
Spec:
  Gateways:
    istio-system/internal
  Hosts:
    *
  Http:
    Cors Policy:
      Allow Credentials:  true
      Allow Headers:
        Accept
        Accept-Encoding
        Accept-Language
        Connection
        Content-Type
        Cookie
        Host
        Referer
        Sec-Fetch-Dest
        Sec-Fetch-Mode
        Sec-Fetch-Site
        Sec-Fetch-User
        Origin
        Upgrade-Insecure-Requests
        User-Agent
        sec-ch-ua
        sec-ch-ua-mobile
        sec-ch-ua-platform
        x-xsrf-token
        xsrf-token
      Allow Methods:
        GET
        POST
        PATCH
        PUT
        DELETE
      Allow Origins:
        Prefix:  https://admin.radiant-mosip.org
    Headers:
      Request:
        Set:
          X - Forwarded - Proto:  https
    Match:
      Uri:
        Prefix:  /v1/admin
    Route:
      Destination:
        Host:  admin-service
        Port:
          Number:  80
Events:
```
ckm007
December 4, 2024, 7:25am
6
I am not able to see this in proper format.
Can you paste both the virtualservices in codeblock using `.
e.g.
```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  annotations:
    meta.helm.sh/release-name: admin-service
    meta.helm.sh/release-namespace: admin
  creationTimestamp: '2024-10-09T17:51:05Z'
  generation: 1
  labels:
    app.kubernetes.io/component: mosip
    app.kubernetes.io/instance: admin-service
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: admin-service
    helm.sh/chart: admin-service-12.0.1
  managedFields:
    - apiVersion: networking.istio.io/v1alpha3
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
          f:labels:
            .: {}
            f:app.kubernetes.io/component: {}
            f:app.kubernetes.io/instance: {}
            f:app.kubernetes.io/managed-by: {}
            f:app.kubernetes.io/name: {}
            f:helm.sh/chart: {}
        f:spec:
          .: {}
          f:gateways: {}
          f:hosts: {}
          f:http: {}
      manager: helm
      operation: Update
      time: '2024-10-09T17:51:05Z'
  name: admin-service
  namespace: admin
  resourceVersion: '739905'
  uid: 4351add2-f347-445d-8255-94b41db29bb5
spec:
  gateways:
    - istio-system/internal
  hosts:
    - '*'
  http:
    - corsPolicy:
        allowCredentials: true
        allowHeaders:
          - Accept
          - Accept-Encoding
          - Accept-Language
          - Connection
          - Content-Type
          - Cookie
          - Host
          - Referer
          - Sec-Fetch-Dest
          - Sec-Fetch-Mode
          - Sec-Fetch-Site
          - Sec-Fetch-User
          - Origin
          - Upgrade-Insecure-Requests
          - User-Agent
          - sec-ch-ua
          - sec-ch-ua-mobile
          - sec-ch-ua-platform
          - x-xsrf-token
          - xsrf-token
        allowMethods:
          - GET
          - POST
          - PATCH
          - PUT
          - DELETE
        allowOrigins:
          - prefix: https://admin.dev-int.mosip.net
      headers:
        request:
          set:
            x-forwarded-proto: https
      match:
        - uri:
            prefix: /v1/admin
      route:
        - destination:
            host: admin-service
            port:
              number: 80
```
Here are the admin virtual services
```yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1
  kind: VirtualService
  metadata:
    annotations:
      meta.helm.sh/release-name: admin-hotlist
      meta.helm.sh/release-namespace: admin
    creationTimestamp: "2024-12-02T05:42:04Z"
    generation: 1
    labels:
      app.kubernetes.io/component: mosip
      app.kubernetes.io/instance: admin-hotlist
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: admin-hotlist
      helm.sh/chart: admin-hotlist-12.0.1
    name: admin-hotlist
    namespace: admin
    resourceVersion: "29012670"
    uid: 84d253d5-ec48-441a-8539-f47d36f98f25
  spec:
    gateways:
    - istio-system/internal
    hosts:
    - '*'
    http:
    - headers:
        request:
          set:
            x-forwarded-proto: https
      match:
      - uri:
          prefix: /v1/hotlist
      route:
      - destination:
          host: admin-hotlist
          port:
            number: 80
- apiVersion: networking.istio.io/v1
  kind: VirtualService
  metadata:
    annotations:
      meta.helm.sh/release-name: admin-service
      meta.helm.sh/release-namespace: admin
    creationTimestamp: "2024-12-02T05:42:10Z"
    generation: 1
    labels:
      app.kubernetes.io/component: mosip
      app.kubernetes.io/instance: admin-service
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: admin-service
      helm.sh/chart: admin-service-12.0.1
    name: admin-service
    namespace: admin
    resourceVersion: "29012790"
    uid: 008f03b2-33ff-4e42-b611-8c82c2970b79
  spec:
    gateways:
    - istio-system/internal
    hosts:
    - '*'
    http:
    - corsPolicy:
        allowCredentials: true
        allowHeaders:
        - Accept
        - Accept-Encoding
        - Accept-Language
        - Connection
        - Content-Type
        - Cookie
        - Host
        - Referer
        - Sec-Fetch-Dest
        - Sec-Fetch-Mode
        - Sec-Fetch-Site
        - Sec-Fetch-User
        - Origin
        - Upgrade-Insecure-Requests
        - User-Agent
        - sec-ch-ua
        - sec-ch-ua-mobile
        - sec-ch-ua-platform
        - x-xsrf-token
        - xsrf-token
        allowMethods:
        - GET
        - POST
        - PATCH
        - PUT
        - DELETE
        allowOrigins:
        - prefix: https://admin.radiant-mosip.org
      headers:
        request:
          set:
            x-forwarded-proto: https
      match:
      - uri:
          prefix: /v1/admin
      route:
      - destination:
          host: admin-service
          port:
            number: 80
- apiVersion: networking.istio.io/v1
  kind: VirtualService
  metadata:
    annotations:
      meta.helm.sh/release-name: admin-ui
      meta.helm.sh/release-namespace: admin
    creationTimestamp: "2024-12-02T05:46:11Z"
    generation: 1
    labels:
      app.kubernetes.io/component: mosip
      app.kubernetes.io/instance: admin-ui
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: admin-ui
      helm.sh/chart: admin-ui-12.0.1
    name: admin-ui
    namespace: admin
    resourceVersion: "29015971"
    uid: e4f218f8-3e60-4c2e-a7ca-938e142068cf
  spec:
    gateways:
    - admin-gateway
    hosts:
    - '*'
    http:
    - headers:
        request:
          set:
            x-forwarded-proto: https
      match:
      - uri:
          prefix: /
      route:
      - destination:
          host: admin-ui
          port:
            number: 80
kind: List
metadata:
  resourceVersion: ""
```
@ali_shaik
Can you please provide the error you observed while accessing the admin UI?
Access to XMLHttpRequest at 'https://api-internal.radiant-mosip.org/v1/admin/authorize/admin/validateToken' from origin 'https://admin.radiant-mosip.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
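Added example (not part of any post in this thread, and not MOSIP or Istio code): a simplified Python model of how the `allowOrigins` entries in the posted `corsPolicy` are matched against a request's `Origin`. It shows that the posted `prefix` rule does accept the Admin UI origin named in the error, and that it also accepts longer origins; the probe origins and the `exact` variant are assumptions constructed for illustration.

```python
import re

ADMIN_UI = "https://admin.radiant-mosip.org"

# allowOrigins exactly as posted in the admin-service VirtualService.
POSTED = [{"prefix": ADMIN_UI}]
# Assumed tighter variant (not from the thread): Istio StringMatch "exact".
EXACT = [{"exact": ADMIN_UI}]

# Constructed probe origins; only the first is the real Admin UI origin.
PROBES = [
    ADMIN_UI,
    "http://admin.radiant-mosip.org",               # scheme differs
    "https://admin.radiant-mosip.org:8443",         # port differs
    "https://admin.radiant-mosip.org.example.net",  # different registrable domain
    "https://api-internal.radiant-mosip.org",
]


def origin_matches(origin, allow_origins):
    """True if origin satisfies any StringMatch entry (exact, prefix or regex)."""
    for rule in allow_origins:
        if "exact" in rule and origin == rule["exact"]:
            return True
        if "prefix" in rule and origin.startswith(rule["prefix"]):
            return True
        # Istio uses RE2 with whole-string matching; re.fullmatch approximates it.
        if "regex" in rule and re.fullmatch(rule["regex"], origin):
            return True
    return False


def unexpected_origins(allow_origins, expected, probes=PROBES):
    """Origins the policy accepts that are not in the expected set."""
    return [o for o in probes if origin_matches(o, allow_origins) and o not in expected]


if __name__ == "__main__":
    for name, policy in (("prefix (posted)", POSTED), ("exact (assumed)", EXACT)):
        print(name)
        for o in PROBES:
            verdict = "allowed" if origin_matches(o, policy) else "no ACAO header"
            print(f"  {o:45} {verdict}")
        print("  unexpected:", unexpected_origins(policy, {ADMIN_UI}))
```

Because the policy sets `allowCredentials: true`, every origin the rule accepts is allowed to make credentialed requests, so an `exact` match on the single Admin UI origin is the narrower choice.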
@ali_shaik it seems your config is set properly, however we are unable to replicate this error on our end. Could you send the logs from the pods here, for us to analyse further.
Hello @Mahesh-Binayak, the issue seems with GCP set up and we managed to resolve it. Thanks for your time and patience.
ckm007
December 13, 2024, 12:32am
12
Thanks @ali_shaik for the confirmation.
Happy to hear we were able to resolve the issue.
Can you please share your resolution here so that it helps others as well to resolve the same issue in case they encounter it in their setup with GCP.
@ali_shaik Can you please share the fix or issue so the community could use it in the future if they deploy in GCP