Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Halyard: Login flow redirects to `http` instead of `https` #2414
Migrated from https://github.com/spinnaker/halyard/issues/720
Opened by: @greenkiwi (2018-02-02 19:27:06) I am experiencing an issue where the login redirection flow results in a URL that is not https.
During the sign in process, spinnaker redirects to an
Login proceeds if I manually update the address to be
This is the gate.yml file attached to the pod
This is the gate configuration from
It looks like there is some place that isn't respecting either the scheme or the url.
Slack discussion: https://spinnakerteam.slack.com/archives/C3YBRLG8H/p1505025367000045
@lwander (2017-10-02 20:50:24): Is the google apps auth config pointing at the right redirect URL?
@greenkiwi (2017-10-03 17:41:33): So:
Is the only Authorized Redirect URI.
It seems as if this problem is happening inside of spinnaker. For example, if I open a new tab and connect to: https://spinnaker.r.u
The next request is the following
Is this deck interpreting the
This is the URL that goes to google's oath:
It clearly says go back to
@greenkiwi (2017-10-04 20:32:01): I have found a workaround that will let me continue. Instead of having the following mapping:
I split out gate
This allows me to add an apache service listing on
Still seeing the redirect to http, but it now redirects to https, so it's functioning.
Creating a simple apache container with a redirect all to
@FaHeymann (2017-10-06 14:49:39): Did you try patching your gate tomcat so that it respects the ELB forward headers?
@nneul (2017-11-05 22:07:28): That does appear to have helped.
@greenkiwi (2017-11-07 06:30:44): This has worked now in two different deployments.
@bhumarevb (2017-11-29 11:28:41): Thanks You guys!! ... I had same redirection problem... got resolved after adding given value in gate-local.yml file
@mnalsup (2018-02-02 19:27:06): This does not seem to fix the issue in my set up. Has anyone validated against a distributed deployment?
I have this issue. And I think I use all the tricks. We are using GKE, terminate SSL on load balancer AND use istio as our ingress controller
logging into gate container I see following configurations which hal applied:
spin-gate-f7b895cd7-ccj4j:/opt/spinnaker/config$ cat spinnaker.yml
And Istio ingress config
And if I login I end up on this address
which is correct except http at the beginning . If I manually change it to https all works.
@lwander I'm seeing the same issue with 1.8.0 :(
EDIT: it seems that it fails only the first time. After the first GH authorization, it works as expected.
Did you every end up finding a workaround for your issue?
I fixed it by adding --pre-established-redirect-uri=https://api.my-spinnaker.com/login to my oauth2 config: