CORS error prevents creating a deployment key

[akuzminsky]

Observed on version 0.7.0.

The server responds with a 403 when I try to create a deployment key.
request:

POST /management/deploykey/infrahouse-bookstack-aws HTTP/1.1
X-Forwarded-For: 23.123.142.164
X-Forwarded-Proto: https
X-Forwarded-Port: 443
Host: registry.infrahouse.com
X-Amzn-Trace-Id: Root=1-664fd265-7f9d22b3739dae9e74f069e0
Content-Length: 0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br, zstd
referer: https://registry.infrahouse.com/management
origin: https://registry.infrahouse.com/
dnt: 1
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
priority: u=1
cookie: q_auth_742...

response

HTTP/1.1 403 CORS Rejected - Invalid origin
content-length: 0

The behavior is the same regardless the options

-Dquarkus.http.cors=false

or

-Dquarkus.http.cors=true -Dquarkus.http.cors.origins=https://registry.infrahouse.com

[PacoVK]

Hey @akuzminsky thanks for raising this again,, i guess this is the same as in #373 right? So the error occurs, when e.g Tapir has been deployed to ECS with an ALB in front. Did you set REGISTRY_HOSTNAME correctly?

[akuzminsky]

@PacoVK I forgot I made that comment :-)
Right, the issue seems the same.
Back then, I worked around it by disabling CORS (-Dquarkus.http.cors=false). I ran the latest Tapir image (pacovk/tapir). A few days ago, I noticed the problem again. Tapir was running some 0.7 version.
I played with different CORS settings, but nothing helped.

REGISTRY_HOSTNAME is set :

$ docker inspect 0d8c9ca73d93 | grep REGISTRY_HOSTNAME
                "REGISTRY_HOSTNAME=registry.infrahouse.com",

Besides, the HTTP headers include:

origin: https://registry.infrahouse.com/

I saw some bug discussions about this in quarkus itself. Probably, the root cause is somewhere there.

To make the situation more confusing, the docker image 0.7.0 doesn't have that problem. My current configuration is

$ docker images | grep tapir
pacovk/tapir                0.7.0          50b25ce7268a   2 months ago   632MB

$ docker inspect fd0d2742693a | jq .[0].Config.Env | grep JAVA
  "JAVA_OPTS=-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager -Dquarkus.http.cors=true -Dquarkus.http.cors.origins=https://registry.infrahouse.com",
  "JAVA_HOME=/usr/lib/jvm/default-jvm",
  "JAVA_APP_JAR=/tf/registry/tapir.jar"

🤷‍♂️

[akuzminsky]

i take it back. 0.7.0 fails.

[PacoVK]

@akuzminsky thanks I need to investigate that, hopefully I am able to reproduce.

[akuzminsky]

I might have a clue. I tried to pass the quarks configuration via environment variable

-    {
-      name : "JAVA_OPTS"
-      value : "-Dquarkus.http.host=0.0.0.0 -Dquarkus.http.cors=false"
     }

I think, I was inspired by Dockerfile.

ENV JAVA_OPTS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"

It seems to me, quarks doesn't pick up this configuration.

When I put the quarks setting to the docker command directly - works like a charm. I was able to disable CORS as well as configure it with the right origin:

  container_command = [
    "-Dquarkus.http.host=0.0.0.0", "-Dquarkus.http.cors=true", "-Dquarkus.http.cors.origins=https://registry.infrahouse.com", "-jar", "/tf/registry/tapir.jar"
  ]

[PacoVK]

@all-contributors please add @akuzminsky for bug

[allcontributors]

@PacoVK

I've put up a pull request to add @akuzminsky! 🎉

[PacoVK]

I just released 0.8.0, it now provides a setting for CORS, i hope this solves the issue, and relieves from hacking the command