TUD and Traefik redirect issue

[rbeckwith-oddball]

The gateway application has been put up, but there is still a strange redirect occurring.

traefik is appending port :9000 to the host, which then causes the whole request to fail.

Trying to determine if traefik is redirecting to SSL, or if the browser is doing it.

Looking into traefik further to determine why it is redirecting and what it is supposed to be doing.

[holdenhinkle]

Applicable links:

Infrastructure directory - https://github.com/department-of-veterans-affairs/vsp-infra-application-manifests/tree/main/apps/vsp-identity/test-user-dashboard/utility

TUD readme (repo) - https://github.com/department-of-veterans-affairs/vsp-test-user-dashboard

[holdenhinkle]

Joe, Peter, Ryan Beckwith and I attended Ops Office Hours on Friday to talk about the problem. Matt Leclerc gave Ryan some direction.

Ryan, Darius and I are meeting later this hour to review the problem, the infrastructure architecture, Matt's suggestions, etc., then we're gonna mob on trying to get this fixed today.

[holdenhinkle]

After standup yesterday morning, Ryan, Darius, Peter and I met to discuss the problems with the TUD redirects.

Ryan shared the following posts:

• https://medium.com/kubernetes-tutorials/deploying-traefik-as-ingress-controller-for-your-kubernetes-cluster-b03a0672ae0c
• https://www.padok.fr/en/blog/traefik-kubernetes-certmanager

Here's a thread about the difficulties we experienced with the updates to the ingress.yaml not taking effect, etc. - https://dsva.slack.com/archives/CJYRZK2HH/p1643396659660269

I tried updating ingress.yaml to redirect from http to https per the documentation here - https://doc.traefik.io/traefik/routing/entrypoints/#redirection - but that didn't work.

PRs to update ingress.yaml:

• https://github.com/department-of-veterans-affairs/vsp-infra-application-manifests/pull/305
• https://github.com/department-of-veterans-affairs/vsp-infra-application-manifests/pull/308
• https://github.com/department-of-veterans-affairs/vsp-infra-application-manifests/pull/309
• https://github.com/department-of-veterans-affairs/vsp-infra-application-manifests/pull/310

Matt Leclerc posted this last night, which looks promising, and explains why the updates to ingress.yaml didn't work as expected:

Matt Leclerc:x: 13 hours ago
You are likely looking for something like this https://community.traefik.io/t/traefik-2-0-kubernetes-crd-force-ssl-http-to-https-redirect-how/4343/8 to implement a redirect, but you will need to modify said code to work for your needs. As in removing the namespace etc. The other thing to note is that a https ingressRoute will not work without a certificate of some sort. An example of which can be found in revproxy https://github.com/department-of-veterans-affairs/vsp-infra-application-manifests/blob/main/apps/vsp-operations/revproxy/dev/certificate.yaml and https://github.com/department-of-veterans-affairs/vsp-infra-application-manifests/[…]049e02bafc3e937eb/apps/vsp-operations/revproxy/dev/ingress.yaml

Matt Leclerc:x: 12 hours ago
Just to add to this, the implementation you were trying to deploy was not meant for k8s. In k8s we are using the ingressRoute crd which can be seen here https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/

Overall, things went super slow yesterday because we were not able to see the effects of our updates to ingress.yaml and didn't know why initially, and other problems we ran into which I'll let Ryan Beckwith outline.

We also discovered that the workflow for updating TUD dev that we inherited is broken. That needs to be fixed some day.

[pjhill]

We need to slow down and regroup after attempting a bunch of config changes in the past few days. Let's --

• Analyze logs from the changes that we attempted
• Develop an understanding of what went wrong and why
• Develop a context for traefik configuration by consuming the documentation that is available
• Create a plan to successfully configure an ingress route for traefik that enables https traffic to reach TUD without being redirected to :9000
• Detail the plan in this ticket
• Execute the plan and examine the results

[holdenhinkle]

It turned about part of this issue had to do with Gatsby and it not liking links that don't end with a trailing /.

Ryan discovered the fix was to simply add a trailing slash to the GitHub OAuth callback URL:

This:
'/oauth'

was changed to this:
'/oauth/'

GitHub was sending a request to /oauth?state=1234&code=5678 and Gatsby didn't like that. It wanted the request to be /oauth/?state=1234&code=5678 which is not the standard structure for a URL with query params.

There is quite a bit of confusion regarding Gatsby and how they implemented links and handle redirects. Examples:

• Clarification on trailing slashes, urls in sitemaps and canonical urls? gatsbyjs/gatsby#27889
• Preventing 301 redirects on URLs with no trailing slashes (Netlify) gatsbyjs/gatsby#9207

[rbeckwith-oddball]

The underlying problem did end up being gatsby. The secondary issue was not having tud use SSL when retrieving the OAUTH code from github (which has also been rectified).

[pjhill]

Hooray, this issue is resolved!