Admin UI CORS issue

Dear Team,

We successfully deployed MOSIP 1.2.2.0 on GKE (Kubernetes v1.30). While the deployment went well, we encountered a few challenges due to GCP’s lack of TLS termination support on internal/L4 load balancers. To address this, we configured TLS termination on each gateway, and all endpoints are now reachable.

However, the following issues persist:

  1. CORS Errors:
    When accessing the Admin UI, requests from https://admin.radiant-mosip.org to https://api-internal.radiant-mosip.org are being blocked due to missing headers. Attempts to handle CORS at the virtual service level have not been successful.
  2. Service Accessibility:
    Services are inconsistently accessible in the same browser window. Only one or two services are reachable at a time, which is unusual.

We would appreciate your assistance in resolving these issues. Please let us know if you need any further details.

Thank you for your support.

@ali_shaik can you please share here the gateway description of admin ui along with virtualservice of admin ui and service both to analyse?

Hi @ckm007, thanks for your response. Please find the required details below.

Admin-ui gateway

apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  annotations:
    meta.helm.sh/release-name: admin-ui
    meta.helm.sh/release-namespace: admin
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: admin-gateway
  namespace: admin
spec:
  selector:
    istio: ingressgateway-internal
  servers:
  - hosts:
    - admin.xxx-mosip.org
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - admin.xxx-mosip.org
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: mosip-tls-secret
      mode: SIMPLE

Admin UI Virtual service

Name:         admin-ui
Namespace:    admin
Labels:       app.kubernetes.io/component=mosip
              app.kubernetes.io/instance=admin-ui
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=admin-ui
              helm.sh/chart=admin-ui-12.0.1
Annotations:  meta.helm.sh/release-name: admin-ui
              meta.helm.sh/release-namespace: admin
API Version:  networking.istio.io/v1
Kind:         VirtualService
Metadata:
  Creation Timestamp:  2024-11-09T18:11:50Z
  Generation:          1
  Resource Version:    3701581
  UID:                 d93bfeaa-a0e5-4640-a2a8-7ff7c7ac2c12
Spec:
  Gateways:
    admin-gateway
  Hosts:
    *
  Http:
    Headers:
      Request:
        Set:
          X - Forwarded - Proto:  https
    Match:
      Uri:
        Prefix:  /
    Route:
      Destination:
        Host:  admin-ui
        Port:
          Number:  80
Events:            <none>

Admin UI service

Name:                     admin-ui
Namespace:                admin
Labels:                   app.kubernetes.io/component=mosip
                          app.kubernetes.io/instance=admin-ui
                          app.kubernetes.io/managed-by=Helm
                          app.kubernetes.io/name=admin-ui
                          helm.sh/chart=admin-ui-12.0.1
Annotations:              cloud.google.com/neg: {"ingress":true}
                          meta.helm.sh/release-name: admin-ui
                          meta.helm.sh/release-namespace: admin
Selector:                 app.kubernetes.io/instance=admin-ui,app.kubernetes.io/name=admin-ui
Type:                     ClusterIP
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       34.118.238.191
IPs:                      34.118.238.191
Port:                     http  80/TCP
TargetPort:               8080/TCP
Endpoints:                10.60.5.23:8080
Session Affinity:         None
Internal Traffic Policy:  Cluster
Events:                   <none>

Can you also share the virtualservice of admin services?

Here is the admin service’s virtual service manifest

Name: admin-service
Namespace: admin
Labels: app.kubernetes.io/component=mosip
app.kubernetes.io/instance=admin-service
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=admin-service
helm.sh/chart=admin-service-12.0.1
Annotations: meta.helm.sh/release-name: admin-service
meta.helm.sh/release-namespace: admin
API Version: networking.istio.io/v1
Kind: VirtualService
Metadata:
Creation Timestamp: 2024-11-09T18:08:09Z
Generation: 1
Resource Version: 3698647
UID: bc42d1f7-a2a3-4644-8f28-7754841adb9e
Spec:
Gateways:
istio-system/internal
Hosts:
*
Http:
Cors Policy:
Allow Credentials: true
Allow Headers:
Accept
Accept-Encoding
Accept-Language
Connection
Content-Type
Cookie
Host
Referer
Sec-Fetch-Dest
Sec-Fetch-Mode
Sec-Fetch-Site
Sec-Fetch-User
Origin
Upgrade-Insecure-Requests
User-Agent
sec-ch-ua
sec-ch-ua-mobile
sec-ch-ua-platform
x-xsrf-token
xsrf-token
Allow Methods:
GET
POST
PATCH
PUT
DELETE
Allow Origins:
Prefix: https://admin.radiant-mosip.org
Headers:
Request:
Set:
X - Forwarded - Proto: https
Match:
Uri:
Prefix: /v1/admin
Route:
Destination:
Host: admin-service
Port:
Number: 80
Events:

I am not able to see this in proper format.

Can you paste both the virtualservices in codeblock using `.

eg.

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  annotations:
    meta.helm.sh/release-name: admin-service
    meta.helm.sh/release-namespace: admin
  creationTimestamp: '2024-10-09T17:51:05Z'
  generation: 1
  labels:
    app.kubernetes.io/component: mosip
    app.kubernetes.io/instance: admin-service
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: admin-service
    helm.sh/chart: admin-service-12.0.1
  managedFields:
    - apiVersion: networking.istio.io/v1alpha3
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
          f:labels:
            .: {}
            f:app.kubernetes.io/component: {}
            f:app.kubernetes.io/instance: {}
            f:app.kubernetes.io/managed-by: {}
            f:app.kubernetes.io/name: {}
            f:helm.sh/chart: {}
        f:spec:
          .: {}
          f:gateways: {}
          f:hosts: {}
          f:http: {}
      manager: helm
      operation: Update
      time: '2024-10-09T17:51:05Z'
  name: admin-service
  namespace: admin
  resourceVersion: '739905'
  uid: 4351add2-f347-445d-8255-94b41db29bb5
spec:
  gateways:
    - istio-system/internal
  hosts:
    - '*'
  http:
    - corsPolicy:
        allowCredentials: true
        allowHeaders:
          - Accept
          - Accept-Encoding
          - Accept-Language
          - Connection
          - Content-Type
          - Cookie
          - Host
          - Referer
          - Sec-Fetch-Dest
          - Sec-Fetch-Mode
          - Sec-Fetch-Site
          - Sec-Fetch-User
          - Origin
          - Upgrade-Insecure-Requests
          - User-Agent
          - sec-ch-ua
          - sec-ch-ua-mobile
          - sec-ch-ua-platform
          - x-xsrf-token
          - xsrf-token
        allowMethods:
          - GET
          - POST
          - PATCH
          - PUT
          - DELETE
        allowOrigins:
          - prefix: https://admin.dev-int.mosip.net
      headers:
        request:
          set:
            x-forwarded-proto: https
      match:
        - uri:
            prefix: /v1/admin
      route:
        - destination:
            host: admin-service
            port:
              number: 80

Here are the admin virtual services

apiVersion: v1
items:
- apiVersion: networking.istio.io/v1
  kind: VirtualService
  metadata:
    annotations:
      meta.helm.sh/release-name: admin-hotlist
      meta.helm.sh/release-namespace: admin
    creationTimestamp: "2024-12-02T05:42:04Z"
    generation: 1
    labels:
      app.kubernetes.io/component: mosip
      app.kubernetes.io/instance: admin-hotlist
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: admin-hotlist
      helm.sh/chart: admin-hotlist-12.0.1
    name: admin-hotlist
    namespace: admin
    resourceVersion: "29012670"
    uid: 84d253d5-ec48-441a-8539-f47d36f98f25
  spec:
    gateways:
    - istio-system/internal
    hosts:
    - '*'
    http:
    - headers:
        request:
          set:
            x-forwarded-proto: https
      match:
      - uri:
          prefix: /v1/hotlist
      route:
      - destination:
          host: admin-hotlist
          port:
            number: 80
- apiVersion: networking.istio.io/v1
  kind: VirtualService
  metadata:
    annotations:
      meta.helm.sh/release-name: admin-service
      meta.helm.sh/release-namespace: admin
    creationTimestamp: "2024-12-02T05:42:10Z"
    generation: 1
    labels:
      app.kubernetes.io/component: mosip
      app.kubernetes.io/instance: admin-service
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: admin-service
      helm.sh/chart: admin-service-12.0.1
    name: admin-service
    namespace: admin
    resourceVersion: "29012790"
    uid: 008f03b2-33ff-4e42-b611-8c82c2970b79
  spec:
    gateways:
    - istio-system/internal
    hosts:
    - '*'
    http:
    - corsPolicy:
        allowCredentials: true
        allowHeaders:
        - Accept
        - Accept-Encoding
        - Accept-Language
        - Connection
        - Content-Type
        - Cookie
        - Host
        - Referer
        - Sec-Fetch-Dest
        - Sec-Fetch-Mode
        - Sec-Fetch-Site
        - Sec-Fetch-User
        - Origin
        - Upgrade-Insecure-Requests
        - User-Agent
        - sec-ch-ua
        - sec-ch-ua-mobile
        - sec-ch-ua-platform
        - x-xsrf-token
        - xsrf-token
        allowMethods:
        - GET
        - POST
        - PATCH
        - PUT
        - DELETE
        allowOrigins:
        - prefix: https://admin.radiant-mosip.org
      headers:
        request:
          set:
            x-forwarded-proto: https
      match:
      - uri:
          prefix: /v1/admin
      route:
      - destination:
          host: admin-service
          port:
            number: 80
- apiVersion: networking.istio.io/v1
  kind: VirtualService
  metadata:
    annotations:
      meta.helm.sh/release-name: admin-ui
      meta.helm.sh/release-namespace: admin
    creationTimestamp: "2024-12-02T05:46:11Z"
    generation: 1
    labels:
      app.kubernetes.io/component: mosip
      app.kubernetes.io/instance: admin-ui
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: admin-ui
      helm.sh/chart: admin-ui-12.0.1
    name: admin-ui
    namespace: admin
    resourceVersion: "29015971"
    uid: e4f218f8-3e60-4c2e-a7ca-938e142068cf
  spec:
    gateways:
    - admin-gateway
    hosts:
    - '*'
    http:
    - headers:
        request:
          set:
            x-forwarded-proto: https
      match:
      - uri:
          prefix: /
      route:
      - destination:
          host: admin-ui
          port:
            number: 80
kind: List
metadata:
  resourceVersion: ""

@ali_shaik

Can you please provide the error you observed while accessing the admin UI?

Access to XMLHttpRequest at 'https://api-internal.radiant-mosip.org/v1/admin/authorize/admin/validateToken' from origin 'https://admin.radiant-mosip.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
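
Added example (not part of the thread and not MOSIP or Istio code): a simplified Python model of how the routes posted above match a request path and apply `corsPolicy` to the `Origin` header. It models only `exact` and `prefix` origin matches; the `/v1/hotlist/status` path and the `.example` origin are constructed sample values.

```python
# Added example: simplified model of Istio route + corsPolicy matching.
# Routes are copied from the VirtualServices posted in the thread
# (gateway istio-system/internal); regex matches are not modelled.
ROUTES = [
    {"vs": "admin-hotlist", "prefix": "/v1/hotlist", "cors": None},
    {"vs": "admin-service", "prefix": "/v1/admin",
     "cors": {"allowCredentials": True,
              "allowOrigins": [{"prefix": "https://admin.radiant-mosip.org"}]}},
]

def origin_allowed(cors, origin):
    """StringMatch semantics for the Origin header: exact or prefix."""
    for m in cors.get("allowOrigins", []):
        if m.get("exact") == origin:
            return True
        if "prefix" in m and origin.startswith(m["prefix"]):
            return True
    return False

def evaluate(path, origin, routes=ROUTES):
    """Return (VirtualService name, verdict) for a cross-origin request."""
    for r in routes:
        if path.startswith(r["prefix"]):
            if r["cors"] is None:
                return r["vs"], "no corsPolicy on route"
            ok = origin_allowed(r["cors"], origin)
            return r["vs"], "origin allowed" if ok else "origin rejected"
    return None, "no route matched"

def audit(routes=ROUTES):
    """Flag prefix origin matches used together with allowCredentials."""
    return [(r["vs"], m["prefix"])
            for r in routes if r["cors"] and r["cors"].get("allowCredentials")
            for m in r["cors"].get("allowOrigins", []) if "prefix" in m]

if __name__ == "__main__":
    ui = "https://admin.radiant-mosip.org"
    lookalike = ui + ".example"  # constructed origin on a reserved TLD
    for path, origin in [
        ("/v1/admin/authorize/admin/validateToken", ui),
        ("/v1/hotlist/status", ui),  # constructed path
        ("/v1/admin/authorize/admin/validateToken", lookalike),
    ]:
        print(path, origin, "->", evaluate(path, origin))
    print("prefix + credentials:", audit())
```

Under this model the failing `validateToken` URL matches the `admin-service` route and its origin is allowed, so the posted policy by itself does not account for the missing header. The `audit` result marks the `prefix` origin match, which also accepts longer hostnames that begin with the allowed origin, where an `exact` match would not.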