Dear Team,
We successfully deployed MOSIP 1.2.2.0 on GKE (Kubernetes v1.30). While the deployment went well, we encountered a few challenges due to GCP’s lack of TLS termination support on internal/L4 load balancers. To address this, we configured TLS termination on each gateway, and all endpoints are now reachable.
However, the following issues persist:
CORS Errors:
When accessing the Admin UI, requests from https://admin.radiant-mosip.org
to https://api-internal.radiant-mosip.org
are being blocked due to missing headers. Attempts to handle CORS at the virtual service level have not been successful.
Service Accessibility:
Services are inconsistently accessible in the same browser window. Only one or two services are reachable at a time, which is unusual.
We would appreciate your assistance in resolving these issues. Please let us know if you need any further details.
Thank you for your support.
ckm007
November 29, 2024, 9:20am
2
@ali_shaik can you please share here the gateway description of admin ui along with virtualservice of admin ui and service both to analyse?
Hi @ckm007 , thanks for your response. Please find the required details below
Admin-ui gateway
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
annotations:
meta.helm.sh/release-name: admin-ui
meta.helm.sh/release-namespace: admin
generation: 1
labels:
app.kubernetes.io/managed-by: Helm
name: admin-gateway
namespace: admin
spec:
selector:
istio: ingressgateway-internal
servers:
- hosts:
- admin.xxx-mosip.org
port:
name: http
number: 80
protocol: HTTP
- hosts:
- admin.xxx-mosip.org
port:
name: https
number: 443
protocol: HTTPS
tls:
credentialName: mosip-tls-secret
mode: SIMPLE
Admin UI Virtual service
Name: admin-ui
Namespace: admin
Labels: app.kubernetes.io/component=mosip
app.kubernetes.io/instance=admin-ui
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=admin-ui
helm.sh/chart=admin-ui-12.0.1
Annotations: meta.helm.sh/release-name: admin-ui
meta.helm.sh/release-namespace: admin
API Version: networking.istio.io/v1
Kind: VirtualService
Metadata:
Creation Timestamp: 2024-11-09T18:11:50Z
Generation: 1
Resource Version: 3701581
UID: d93bfeaa-a0e5-4640-a2a8-7ff7c7ac2c12
Spec:
Gateways:
admin-gateway
Hosts:
*
Http:
Headers:
Request:
Set:
X - Forwarded - Proto: https
Match:
Uri:
Prefix: /
Route:
Destination:
Host: admin-ui
Port:
Number: 80
Events: <none>
Admin UI service
ame: admin-ui
Namespace: admin
Labels: app.kubernetes.io/component=mosip
app.kubernetes.io/instance=admin-ui
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=admin-ui
helm.sh/chart=admin-ui-12.0.1
Annotations: cloud.google.com/neg: {"ingress":true}
meta.helm.sh/release-name: admin-ui
meta.helm.sh/release-namespace: admin
Selector: app.kubernetes.io/instance=admin-ui,app.kubernetes.io/name=admin-ui
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 34.118.238.191
IPs: 34.118.238.191
Port: http 80/TCP
TargetPort: 8080/TCP
Endpoints: 10.60.5.23:8080
Session Affinity: None
Internal Traffic Policy: Cluster
Events: <none>
ckm007
November 29, 2024, 11:17am
4
Can you also share the virtualservice of admin services ?
Here is the admin service’s virtual service manifest
Name: admin-service
Namespace: admin
Labels: app.kubernetes.io/component=mosip
app.kubernetes.io/instance=admin-service
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=admin-service
helm.sh/chart=admin-service-12.0.1
Annotations: meta.helm.sh/release-name: admin-service
meta.helm.sh/release-namespace: admin
API Version: networking.istio.io/v1
Kind: VirtualService
Metadata:
Creation Timestamp: 2024-11-09T18:08:09Z
Generation: 1
Resource Version: 3698647
UID: bc42d1f7-a2a3-4644-8f28-7754841adb9e
Spec:
Gateways:
istio-system/internal
Hosts:
*
Http:
Cors Policy:
Allow Credentials: true
Allow Headers:
Accept
Accept-Encoding
Accept-Language
Connection
Content-Type
Cookie
Host
Referer
Sec-Fetch-Dest
Sec-Fetch-Mode
Sec-Fetch-Site
Sec-Fetch-User
Origin
Upgrade-Insecure-Requests
User-Agent
sec-ch-ua
sec-ch-ua-mobile
sec-ch-ua-platform
x-xsrf-token
xsrf-token
Allow Methods:
GET
POST
PATCH
PUT
DELETE
Allow Origins:
Prefix: https://admin.radiant-mosip.org
Headers:
Request:
Set:
X - Forwarded - Proto: https
Match:
Uri:
Prefix: /v1/admin
Route:
Destination:
Host: admin-service
Port:
Number: 80
Events:
ckm007
December 4, 2024, 7:25am
6
I am not able to see this in proper format.
Can you paste both the virtualservices in codeblock using `.
eg.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
annotations:
meta.helm.sh/release-name: admin-service
meta.helm.sh/release-namespace: admin
creationTimestamp: '2024-10-09T17:51:05Z'
generation: 1
labels:
app.kubernetes.io/component: mosip
app.kubernetes.io/instance: admin-service
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: admin-service
helm.sh/chart: admin-service-12.0.1
managedFields:
- apiVersion: networking.istio.io/v1alpha3
fieldsType: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.: {}
f:meta.helm.sh/release-name: {}
f:meta.helm.sh/release-namespace: {}
f:labels:
.: {}
f:app.kubernetes.io/component: {}
f:app.kubernetes.io/instance: {}
f:app.kubernetes.io/managed-by: {}
f:app.kubernetes.io/name: {}
f:helm.sh/chart: {}
f:spec:
.: {}
f:gateways: {}
f:hosts: {}
f:http: {}
manager: helm
operation: Update
time: '2024-10-09T17:51:05Z'
name: admin-service
namespace: admin
resourceVersion: '739905'
uid: 4351add2-f347-445d-8255-94b41db29bb5
spec:
gateways:
- istio-system/internal
hosts:
- '*'
http:
- corsPolicy:
allowCredentials: true
allowHeaders:
- Accept
- Accept-Encoding
- Accept-Language
- Connection
- Content-Type
- Cookie
- Host
- Referer
- Sec-Fetch-Dest
- Sec-Fetch-Mode
- Sec-Fetch-Site
- Sec-Fetch-User
- Origin
- Upgrade-Insecure-Requests
- User-Agent
- sec-ch-ua
- sec-ch-ua-mobile
- sec-ch-ua-platform
- x-xsrf-token
- xsrf-token
allowMethods:
- GET
- POST
- PATCH
- PUT
- DELETE
allowOrigins:
- prefix: https://admin.dev-int.mosip.net
headers:
request:
set:
x-forwarded-proto: https
match:
- uri:
prefix: /v1/admin
route:
- destination:
host: admin-service
port:
number: 80
Here are the admin virtual services
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
annotations:
meta.helm.sh/release-name: admin-hotlist
meta.helm.sh/release-namespace: admin
creationTimestamp: "2024-12-02T05:42:04Z"
generation: 1
labels:
app.kubernetes.io/component: mosip
app.kubernetes.io/instance: admin-hotlist
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: admin-hotlist
helm.sh/chart: admin-hotlist-12.0.1
name: admin-hotlist
namespace: admin
resourceVersion: "29012670"
uid: 84d253d5-ec48-441a-8539-f47d36f98f25
spec:
gateways:
- istio-system/internal
hosts:
- '*'
http:
- headers:
request:
set:
x-forwarded-proto: https
match:
- uri:
prefix: /v1/hotlist
route:
- destination:
host: admin-hotlist
port:
number: 80
---
- apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
annotations:
meta.helm.sh/release-name: admin-service
meta.helm.sh/release-namespace: admin
creationTimestamp: "2024-12-02T05:42:10Z"
generation: 1
labels:
app.kubernetes.io/component: mosip
app.kubernetes.io/instance: admin-service
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: admin-service
helm.sh/chart: admin-service-12.0.1
name: admin-service
namespace: admin
resourceVersion: "29012790"
uid: 008f03b2-33ff-4e42-b611-8c82c2970b79
spec:
gateways:
- istio-system/internal
hosts:
- '*'
http:
- corsPolicy:
allowCredentials: true
allowHeaders:
- Accept
- Accept-Encoding
- Accept-Language
- Connection
- Content-Type
- Cookie
- Host
- Referer
- Sec-Fetch-Dest
- Sec-Fetch-Mode
- Sec-Fetch-Site
- Sec-Fetch-User
- Origin
- Upgrade-Insecure-Requests
- User-Agent
- sec-ch-ua
- sec-ch-ua-mobile
- sec-ch-ua-platform
- x-xsrf-token
- xsrf-token
allowMethods:
- GET
- POST
- PATCH
- PUT
- DELETE
allowOrigins:
- prefix: https://admin.radiant-mosip.org
headers:
request:
set:
x-forwarded-proto: https
match:
- uri:
prefix: /v1/admin
route:
- destination:
host: admin-service
port:
number: 80
---
- apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
annotations:
meta.helm.sh/release-name: admin-ui
meta.helm.sh/release-namespace: admin
creationTimestamp: "2024-12-02T05:46:11Z"
generation: 1
labels:
app.kubernetes.io/component: mosip
app.kubernetes.io/instance: admin-ui
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: admin-ui
helm.sh/chart: admin-ui-12.0.1
name: admin-ui
namespace: admin
resourceVersion: "29015971"
uid: e4f218f8-3e60-4c2e-a7ca-938e142068cf
spec:
gateways:
- admin-gateway
hosts:
- '*'
http:
- headers:
request:
set:
x-forwarded-proto: https
match:
- uri:
prefix: /
route:
- destination:
host: admin-ui
port:
number: 80
kind: List
metadata:
resourceVersion: ""
@ali_shaik
can you please provide the error you observed while accessingthe admin UI?
Access to XMLHttpRequest at 'https://api-internal.radiant-mosip.org/v1/admin/authorize/admin/validateToken' from origin 'https://admin.radiant-mosip.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.