Comments (14)
There are many issues with these manifests.
- There is no reason for the apache pod. The ingress is already doing reverse proxying.
- The pvc should be read write many.
- The containers shouldn't run as root for a variety of reasons. (incompatible with most shared storage solutions, bad practice security wise)
- The cron container should be run as a cron job in k8s
- The seeder should be run as an init container or a k8s job.
- Stuff in the entrypoint should probably also be done in the same place as the seeder is run.
A helm chart or jsonnet library to construct the config would probably make it easier for new users. If the above issues are fixed you could probably add some HPA's for the web and worker pods to make it autoscale.
The 504 is probably because the container tries to talk https on an http connection (tries to upgrade) by default. Explicitly disabling https and hsts fixed it for me.
from openproject-deploy.
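As an added example (not code from the openproject-deploy repository), here is one way the manifests could be restructured along the lines listed above: a ReadWriteMany claim, the seeder as a Job, the cron process as a CronJob, and a non-root security context with no privilege escalation on every pod. It assumes that the image runs as UID 1000, that the ./docker/prod/web and ./docker/prod/cron entrypoints exist alongside the ./docker/prod/seeder one quoted later in the thread, that attachments live under /var/openproject/assets, that the openproject-env-config Secret shown later in the thread already exists, and that the cluster's default StorageClass supports ReadWriteMany; none of those is stated on the page.

```yaml
# Added example, not from openproject-deploy. Assumed, not on the page: UID 1000
# inside the image, the web/cron entrypoints, the /var/openproject/assets path.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: opdata
spec:
  accessModes:
    - ReadWriteMany            # several web/worker pods mount the same attachments volume
  resources:
    requests:
      storage: 20Gi
---
apiVersion: batch/v1
kind: Job                      # seed/migrate once per rollout instead of inside an entrypoint
metadata:
  name: seeder
spec:
  template:
    spec:
      restartPolicy: OnFailure
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      containers:
        - name: seeder
          image: openproject/community:12.3.0
          args: ["./docker/prod/seeder"]
          envFrom:
            - secretRef:
                name: openproject-env-config
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
---
apiVersion: batch/v1
kind: CronJob                  # replaces the always-on "cron" container
metadata:
  name: cron
spec:
  schedule: "*/15 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
          containers:
            - name: cron
              image: openproject/community:12.3.0
              args: ["./docker/prod/cron"]
              envFrom:
                - secretRef:
                    name: openproject-env-config
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 2                  # safe to scale once the PVC is RWX and seeding is a Job
  selector:
    matchLabels:
      openproject.service: web
  template:
    metadata:
      labels:
        openproject.service: web
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000          # makes the shared volume writable by the non-root user
      containers:
        - name: web
          image: openproject/community:12.3.0
          args: ["./docker/prod/web"]
          ports:
            - containerPort: 8080
          envFrom:
            - secretRef:
                name: openproject-env-config
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: opdata
              mountPath: /var/openproject/assets
      volumes:
        - name: opdata
          persistentVolumeClaim:
            claimName: opdata
```

With this layout the web Deployment has no ordering dependency on the seeder, so a HorizontalPodAutoscaler can target it directly, and the worker Deployment (omitted here) is the same pod spec with the worker entrypoint. `kubectl apply -f` on the file and `kubectl get pod -o jsonpath='{.items[*].spec.securityContext.runAsUser}'` confirms that no pod is scheduled as UID 0.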
Hello @Dan6erbond, OpenProject does support S3 attachments so you can configure that for a multi-container setup and remove the opdata PVC altogether.
Will update the README accordingly.
from openproject-deploy.
@machisuji thank you for the response. I saw that and recently tried to deploy OpenProject with S3 and the multi-container setup, but came across issues with the proxy - both Apache and Nginx give me a 504 response and I'm not sure why. I follow the configuration pretty much 1:1 but am using Terraform for the configuration.
from openproject-deploy.
Hi, I'm also getting a 504 but using traefik for ingress. All my pods are running in their own namespaces.
from openproject-deploy.
@mackaybe
I may have this error about https. Where should I disable https? In the service?
from openproject-deploy.
For testing you need to set the env variables to disable https and hsts with the container they provide. If you run it behind a properly configured reverse proxy which terminates SSL it works fine though. A k8s example deployment is below, but if you're using an https ingress it's not needed. This example only shows the init container (I do the seeding there) but it is the same for the web and worker.
apiVersion: v1
kind: Secret
metadata:
  name: openproject-env-config
stringData:
  OPENPROJECT_HTTPS: "false"
  OPENPROJECT_HSTS: "false"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    openproject.service: web
  name: web
spec:
  replicas: 1
  selector:
    matchLabels:
      openproject.service: seeder-web
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        openproject.service: seeder-web
    spec:
      initContainers:
        - name: seeder
          args:
            - ./docker/prod/seeder
          image: openproject/community:12.3.0
          imagePullPolicy: IfNotPresent
          envFrom:
            - secretRef:
                name: openproject-env-config
from openproject-deploy.
Thank you for your help :)
I can now access openproject with a port forwarding on proxy pod :)
Checking for ingress now.
from openproject-deploy.
@mackaybe
I'm still in trouble with the ingress.
To avoid any DNS problem, I try a wget from the ingress pod.
For one of my custom projects, wget http://CUSTOMPROJECT-SERVICE-IP:80/
or wget http://CUSTOMPROJECT-ENDPOINT-IP:80/
works well.
But wget http://OPENPROJECT-SERVICE-IP:80/
or wget http://OPENPROJECT-ENDPOINT-IP:80/
blocks on "Connecting to IP".
I've tried to add this in the proxy deployment, no change:
env:
  - name: OPENPROJECT_HTTPS
    value: "false"
  - name: OPENPROJECT_HSTS
    value: "false"
from openproject-deploy.
The proxy pod is totally unnecessary if using ingress. This example works without disabling https or hsts for me using ingress-nginx (it also has annotations to use oauth2-proxy for authentication and exposes the api without requiring oidc; my opinion their oidc implementation even in the "enterprise" version is totally unusable in a modern configuration):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.example.com/oauth2/auth
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.example.com/oauth2/start?rd=https://$host
    nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Groups,X-Auth-Request-Email,X-Auth-Request-Preferred-Username
spec:
  tls:
    - hosts:
        - op.example.com
      secretName: wildcard
  rules:
    - host: op.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
          - path: /api/docs
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-ingress
spec:
  tls:
    - hosts:
        - op.example.com
      secretName: wildcard
  rules:
    - host: op.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: web
  labels:
    openproject.service: web
spec:
  type: ClusterIP
  selector:
    openproject.service: seeder-web
  ports:
    - name: web
      protocol: TCP
      port: 8080
      targetPort: 8080
from openproject-deploy.
I have not used their proxy pod but perhaps it is configured to use https.
from openproject-deploy.
Thank You for your help.
I still can't access openproject with ingress!
curl http://SERVICE_IP:8080 does not work from other pods, but works from openproject pods (cron for example).
I can't see any log on the web pod when curl does not work.
Note that in the service definition, I have changed this:
selector:
  openproject.service: seeder-web
to
selector:
  openproject.service: web
(there is no pod with the label seeder-web).
If I try an https curl from the cron pod, I'm getting this error directly:
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
an error that I don't have from the ingress pod for example.
My guess is the service is going wrong.
My conf:
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: openproject
  uid: d49fee0e-5a74-43cc-989b-f9edb597dd7f
  resourceVersion: '6150915440'
  creationTimestamp: '2022-11-23T13:12:43Z'
  labels:
    openproject.service: web
  selfLink: /api/v1/namespaces/openproject/services/web
status:
  loadBalancer: {}
spec:
  ports:
    - name: web
      protocol: TCP
      port: 8080
      targetPort: 8080
  selector:
    openproject.service: web
  clusterIP: 10.3.144.27
  clusterIPs:
    - 10.3.144.27
  type: ClusterIP
  sessionAffinity: None
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
Do you see anything wrong?
from openproject-deploy.
Problem resolved!
I've deleted the networkPolicy, and all went fine :)
from openproject-deploy.
Yes I mentioned earlier I put the seeder in an init pod for the web deployment hence the change in name. I forgot about the deletion of the network policy.
from openproject-deploy.
Problem resolved!
I've deleted the networkPolicy, and all went fine :)
Same here, I guess that's because when you use an external ingress controller, the controller pod should also be annotated with the 'frontend' network policy for it to be able to forward traffic to OpenProject's 'proxy' (apache2) pod.
I didn't test that though, just deleted the NetworkPolicy for simplicity.
from openproject-deploy.
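Deleting the NetworkPolicy makes the web pods reachable from every pod in the cluster. As an added example (not code from openproject-deploy), the policy below keeps the isolation the thread describes but admits exactly the two sources that the diagnosis above showed need access: the ingress controller's namespace and the other OpenProject pods in the same namespace. It assumes the web pods carry the label openproject.service=web and listen on 8080 (as in the Service shown above), that the controller runs in a namespace named ingress-nginx, and that the cluster sets the automatic kubernetes.io/metadata.name namespace label (Kubernetes 1.21 and later); the namespace name is an assumption.

```yaml
# Added example, not part of openproject-deploy. Assumed: the ingress controller
# lives in a namespace named "ingress-nginx"; adjust to traefik etc. as needed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-from-ingress
  namespace: openproject
spec:
  podSelector:
    matchLabels:
      openproject.service: web        # only the web pods are exposed
  policyTypes:
    - Ingress
  ingress:
    - from:
        # the ingress controller, wherever its pods are scheduled
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
        # cron/worker pods in this namespace (the curl from the cron pod in the thread)
        - podSelector: {}
      ports:
        - protocol: TCP
          port: 8080
```

The same wget test used earlier in the thread is the check: from a pod inside the controller namespace and from the cron pod the request to http://SERVICE_IP:8080 should complete, while a pod in any unrelated namespace should still hang at "Connecting to", which is the behaviour that was being removed wholesale by deleting the policy. If the ingress controller is in a different namespace, only the matchLabels value changes.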