Scripts not loading (404) on openid_error when Kiali is hosted in a subfolder (web_root: /kiali) #4215

Closed
stevensystems opened this issue Jul 26, 2021 · 13 comments · Fixed by #4235
Labels: backlog (Triaged Issue added to backlog), bug (Something isn't working)

@stevensystems
stevensystems commented Jul 26, 2021

Describe the bug
When using a sub-directory to host kiali (e.g. web_root: /kiali), some static files are still referenced using the root "/" path, and cannot be loaded (404).

Versions used
Kiali: v1.37.0
Istio: 1.10.3
Kubernetes flavour and version: (AKS V. 1.19.11)

To Reproduce
Steps to reproduce the behavior:

  1. Install Kiali operator using Helm chart:

```
kubectl create namespace kiali-operator
helm install \
    --set cr.create=false \
    --set cr.namespace=istio-system \
    --namespace kiali-operator \
    --repo https://kiali.org/helm-charts \
    kiali-operator \
    kiali-operator
```
  2. Set up Kiali with an openid provider and web_root "/kiali"

```yaml
apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  name: kiali
  annotations:
    ansible.sdk.operatorframework.io/verbosity: "1"
spec:
  version: "default"
  istio_namespace: "istio-system"
  api:
    namespaces:
      exclude:
      - "istio-operator"
      - "kube-.*"
      - "kiali-operator"
      - "cert-manager"
  auth:
    strategy: "openid"
    openid:
      client_id: "<client id>"
      issuer_uri: "https://sts.windows.net/<tenant id>/"
      username_claim: preferred_username
      api_token: "access_token"
      additional_request_params:
        resource: "6dae42f8-4368-4678-94ff-3960e28e3630"
  secret_name: "kiali"
  deployment:
    ingress_enabled: false
    image_pull_policy: "IfNotPresent"
    namespace: "monitoring-system"
    replicas: 1
    logger:
      log_level: info
      log_format: text
      sampler_rate: "1"

    view_only_mode: true
    external_services:
      custom_dashboards:
        enabled: true
    server:
      metrics_enabled: true
      metrics_port: 9090
      port: 20001
      web_root: /kiali
      web_fqdn: mykialihost.****azure.com
      web_port: 443
      web_schema: "https"
```
  3. Create a new user on your openid provider that has no access to kiali.
  4. Open the developer toolbar of your browser and start tracing network traffic.
  5. Log in to "Kiali" with the newly created user from step 3.
  6. Verify network traffic:
    Static resources and env.js are loaded from root "/" and return a 404 (not found).

It might be that this behavior is not only related to open_id configurations, but I didn't check that.

Expected behavior
The resources are referenced using the configured sub-directory (web_root) and loading correctly.

@stevensystems stevensystems added the bug Something isn't working label Jul 26, 2021
@jmazzitelli
Collaborator

Just to confirm - in your step 2 - that is a snippet from your Kiali CR correct? You set spec.server.web_root in the Kiali CR which the operator processes. In other words, you are not directly editing the ConfigMap correct?

@stevensystems
Author

> Just to confirm - in your step 2 - that is a snippet from your Kiali CR correct? You set spec.server.web_root in the Kiali CR which the operator processes. In other words, you are not directly editing the ConfigMap correct?

Yes, that is absolutely correct. It's a part of my Kiali CR, that is processed by the kiali operator.

@stevensystems
Author

> Just to confirm - in your step 2 - that is a snippet from your Kiali CR correct? You set spec.server.web_root in the Kiali CR which the operator processes. In other words, you are not directly editing the ConfigMap correct?

Yes, that is absolutely correct. It's a part of my Kiali CR, that is processed by the kiali operator.

I updated step 2, and included the complete Kiali CR. Openid has been set up with Azure AD following the steps in https://kiali.io/documentation/latest/configuration/authentication/openid/#_using_with_azure_aks_and_aad.

Maybe it's also important to know that I am using an Istio gateway as ingress:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: monitoring-gateway
  namespace: monitoring-system
spec:
  selector:
    istio: ingressgateway-monitoring
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
      - "mykialihost.****azure.com"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https-443
      protocol: https
    tls:
      mode: SIMPLE
      credentialName: ingress-cert-monitoring
    hosts:
      - mykialihost.****azure.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kiali
  namespace: monitoring-system
spec:
  hosts:
  - "mykialihost.****azure.com"
  gateways:
  - monitoring-gateway
  http:
  - headers:
      request:
        set:
          X-Forwarded-Port: "443"
    match:
    - uri:
        prefix: "/kiali"
    route:
    - destination:
        host: kiali.monitoring-system.svc.cluster.local
        port:
          number: 20001
    timeout: 30s
```

@jmazzitelli
Collaborator

> Maybe it's also important to know that I am using an Istio gateway as ingress:

Yes, that would be important to know. I suspect you need to set web_fqdn. See:

@israel-hdez might have more insights - he's more familiar with the openid integration.

@stevensystems
Author

> > Maybe it's also important to know that I am using an Istio gateway as ingress:
>
> Yes, that would be important to know. I suspect you need to set web_fqdn. See:
>
> @israel-hdez might have more insights - he's more familiar with the openid integration.

I gave it a short try and added web_fqdn, web_port and web_schema and got the same results. Must be something else...

@jmazzitelli
Collaborator

Post the kiali pod's logs - look for messages of any kind related to the authentication stuff.

@stevensystems
Author

> Post the kiali pod's logs - look for messages of any kind related to the authentication stuff.

Hi @jmazzitelli, don't get me wrong, authentication is not the problem, it works. It's only that the error messages coming from the openid provider are not displayed correctly (as a web page), since the static files cannot be found.

@jmazzitelli
Collaborator

Oh. OK. I missed the forest through the trees. I'll wait for @israel-hdez to chime in before I make things worse :)

@israel-hdez
Member

I saw this issue last week on minikube, but I thought it was only I.
I think we can qualify this as a bug.

Looks like the serveIndexFile function is not correctly replacing the <base> tag if the OpenID Server calls back with an error.

If I remember correctly, this can be replicated easily by adding ?error=foo&error_description=bar to the Kiali base URL :-/

@jshaughn jshaughn added this to Backlog in Sprint 60 (v1.38) via automation Jul 27, 2021
@jshaughn jshaughn added the backlog Triaged Issue added to backlog label Jul 27, 2021
@israel-hdez israel-hdez moved this from Backlog to In Progress in Sprint 60 (v1.38) Jul 28, 2021
@israel-hdez
Member

This can be replicated with anonymous auth strategy. Go to http://{kiali_root_url}/?error=foo&error_description=bar (or https) and it won't load.

@jmazzitelli
Collaborator

jmazzitelli commented Jul 28, 2021

> This can be replicated with anonymous auth strategy. Go to http://{kiali_root_url}/?error=foo&error_description=bar (or https) and it won't load.

That sounds easy to fix then ;) This would be very good to fix by Friday so it gets into the next release.

@jmazzitelli
Collaborator

BTW: it looks like it is only a problem with a non-/ web root.

If I set spec.server.web_root to /, it works. http://localhost:20001/?error=foo&error_description=bar works for example

If I set it to /kiali, it doesn't work. http://localhost:20001/kiali?error=foo&error_description=bar fails for example.

I can see this using the hack/run-kiali.sh hack script starting it locally (hack/run-kiali.sh -kc current)

@israel-hdez
Member

@jmazzitelli I think that's implied in the title of the issue.
But I'll check that case to avoid fixing one and breaking the other :-)
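
The failure mode discussed in this thread, as an added example that is not Kiali's code: a minimal Go model of an index handler that rewrites `<base>` for a non-`/` web root. The raw request-URI comparison in `isRootBuggy`, the path-only comparison in `isRootFixed`, and the sample `indexHTML` are assumptions made for illustration; the page does not show how `serveIndexFile` actually matched the URL.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for the UI's index.html; not Kiali's real file.
const indexHTML = `<html><head><base href="/"><script src="env.js"></script></head></html>`

// isRootBuggy (hypothetical) compares the raw request target, query string included.
func isRootBuggy(r *http.Request, webRoot string) bool {
	return r.RequestURI == webRoot || r.RequestURI == webRoot+"/"
}

// isRootFixed (hypothetical) compares only the parsed path, so "?error=..." is ignored.
func isRootFixed(r *http.Request, webRoot string) bool {
	return strings.TrimSuffix(r.URL.Path, "/") == strings.TrimSuffix(webRoot, "/")
}

// indexHandler serves index.html and rewrites <base> only when isRoot matches.
func indexHandler(webRoot string, isRoot func(*http.Request, string) bool) http.Handler {
	base := `<base href="` + strings.TrimSuffix(webRoot, "/") + `/">`
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		page := indexHTML
		if isRoot(r, webRoot) {
			page = strings.Replace(page, `<base href="/">`, base, 1)
		}
		fmt.Fprint(w, page)
	})
}

// baseHref returns the <base href> value the handler emits for a GET of target.
func baseHref(h http.Handler, target string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	body := rec.Body.String()
	start := strings.Index(body, `<base href="`) + len(`<base href="`)
	return body[start : start+strings.Index(body[start:], `"`)]
}

func main() {
	for _, target := range []string{"/kiali", "/kiali?error=foo&error_description=bar"} {
		b := baseHref(indexHandler("/kiali", isRootBuggy), target)
		f := baseHref(indexHandler("/kiali", isRootFixed), target)
		fmt.Printf("%-40s buggy=%q fixed=%q\n", target, b, f)
	}
}
```

When the base stays at `/`, the relative `env.js` reference resolves outside the `/kiali` prefix that the VirtualService routes, which is the 404 pattern reported in the issue; a regression test for both `/` and `/kiali` web roots with query parameters covers the case raised in the last comment.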

israel-hdez added a commit to israel-hdez/swscore that referenced this issue Jul 29, 2021
Fix non '/' root url failing to load if there are URL parameters (i.e. there is a ? symbol in the URL)

Fixes kiali#4215
Sprint 60 (v1.38) automation moved this from In Progress to Done Jul 30, 2021
israel-hdez added a commit that referenced this issue Jul 30, 2021
Fix non '/' root url failing to load if there are URL parameters (i.e. there is a ? symbol in the URL)

Fixes #4215
israel-hdez added a commit to israel-hdez/swscore that referenced this issue Jul 30, 2021
Fix non '/' root url failing to load if there are URL parameters (i.e. there is a ? symbol in the URL)

Fixes kiali#4215
jmazzitelli pushed a commit that referenced this issue Jul 31, 2021
Fix non '/' root url failing to load if there are URL parameters (i.e. there is a ? symbol in the URL)

Fixes #4215
israel-hdez added a commit to israel-hdez/swscore that referenced this issue Aug 2, 2021
Fix non '/' root url failing to load if there are URL parameters (i.e. there is a ? symbol in the URL)

Fixes kiali#4215
israel-hdez added a commit that referenced this issue Aug 4, 2021
* Fix graph with spurious cluster boxes and a crash (#4231)

* Fix graph with spurious cluster boxes and a crash

* Provide better defaults when ClusterID cannot be found.
* Avoid a crash if the configured sidecar injector configmap does not exist.
* Update appender tests to use DefaultClusterID

Related to #4221

Co-authored-by: jshaughn <jshaughn@redhat.com>

* Fix root URL not loading with URL parameters (#4235)

Fix non '/' root url failing to load if there are URL parameters (i.e. there is a ? symbol in the URL)

Related to #4215

Co-authored-by: jshaughn <jshaughn@redhat.com>