-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(backend): Support running behind a corporate proxy [RHIDP-2217] #1225
feat(backend): Support running behind a corporate proxy [RHIDP-2217] #1225
Conversation
Skipping CI for Draft Pull Request. |
e85e296
to
1eb2003
Compare
The image is available at: |
1eb2003
to
3d6bec8
Compare
The image is available at: |
3d6bec8
to
5f2c044
Compare
The image is available at: |
5f2c044
to
e9457bc
Compare
The image is available at: |
e9457bc
to
57c4990
Compare
The image is available at: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any tests expected?
This will make sense as E2E tests, which are going to be covered in https://issues.redhat.com/browse/RHIDP-1955. |
57c4990
to
27b84b9
Compare
The image is available at: |
@rm3l I think that the Local development and Full Test instructions that you wrote in the description for this pull request would be a great addition to a |
Per [1], global-agent addresses node-fetch proxying, while undici afects the native fetch. [1] https://github.com/backstage/backstage/blob/master/contrib/docs/tutorials/help-im-behind-a-corporate-proxy.md
Command used for reference: 'yarn add --dev @types/global-agent' Otherwise, we get the following errors when building the container images: //:tsc: cache miss, executing 7cdd96a5dd9f08b5 //:tsc: $ tsc //:tsc: packages/backend/src/index.ts:20:27 - error TS7016: Could not find a declaration file for module 'global-agent'. '/opt/app-root/src/node_modules/global-agent/dist/index.js' implicitly //:tsc: Try `npm i --save-dev @types/global-agent` if it exists or add a new declaration (.d.ts) file containing `declare module 'global-agent';` //:tsc: //:tsc: ~~~~~~~~~~~~~~ //:tsc: //:tsc: //:tsc: Found 1 error in packages/backend/src/index.ts:20 //:tsc: //:tsc: error Command failed with exit code 1. //:tsc: info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command. //:tsc: ERROR: command finished with error: command (/opt/app-root/src/) /tmp/yarn--1714731744742-0.9188035523240228/yarn run tsc exited (1) //#tsc: command (/opt/app-root/src/) /tmp/yarn--1714731744742-0.9188035523240228/yarn run tsc exited (1)
…he container image Setting it to an empty value allows global-agent to rely on the rather conventional HTTP(S)_PROXY and NO_PROXY env vars. [1] Otherwise, users would need to configure both GLOBAL_AGENT_HTTP(S)_PROXY and HTTP(S)_PROXY to make proxying work with both global-agent and other libs. Also, it might be a bit confusing for the user to have to set it explicitly to an empty value. We can set it the other way around, but users can still override it if needed. [1] https://github.com/gajus/global-agent#what-is-the-reason-global-agentbootstrap-does-not-use-http_proxy
This would simplify the merging process in case of upstream changes Co-authored-by: Gennady Azarenkov <gazarenkov@redhat.com>
…fault config Co-authored-by: Gennady Azarenkov <gazarenkov@redhat.com>
…s/proxy.md' file Co-authored-by: Corey Daley <cdaley@redhat.com>
…e supported libraries for HTTP data fetching Co-authored-by: Kim Tsao <ktsao@redhat.com>
Co-authored-by: Corey Daley <cdaley@redhat.com>
0c7c9be
to
37ae9ed
Compare
Quality Gate passedIssues Measures |
Rebased and force-pushed to fix a conflict with the following files:
|
/cc @gashcrumb |
The image is available at: |
/test e2e-tests |
/approve |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kim-tsao The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Description
This PR allows running the Showcase app behind a corporate proxy, which was the root cause of a login failure using the GitHub auth behind a proxy.
It does so per the upstream instructions provided on this page: https://github.com/backstage/backstage/blob/master/contrib/docs/tutorials/help-im-behind-a-corporate-proxy.md
This way, it can honor the conventional
HTTP_PROXY
,HTTPS_PROXY
, andNO_PROXY
environment variables (and their lowercase equivalents).The
undici
andglobal-agent
packages added here allow covering settings for the nativefetch
andnode-fetch
respectively. Note that even ifnode-fetch
is recommended for HTTP data fetching by Backstage packages [ADR013], we identified a couple of plugins making use of other libraries like Axios (like the Keycloak backend plugin - see RHIDP-2217 for the full list). Axios reportedly already honors the proxy environment variables above [doc].I tested the Keycloak backend plugin as an example to ensure this.
Which issue(s) does this PR fix
PR acceptance criteria
Please make sure that the following steps are complete:
How to test changes / Special notes to the reviewer
Local Development
You can run locally with
yarn
:Full test
For a more complete test, the most challenging part of testing the changes here is to set up an environment where an application is forbidden access to the public Internet except through a given proxy.
We can simulate such an environment in a Kubernetes namespace with the help of Network Policies to control ingress/egress traffic.
For example:
Make sure the network plugin in your Kubernetes cluster supports network policies. I created a cluster with k3d (
k3d cluster create
), and it supports Network Policies out of the box.Create a separate
proxy
namespace, and deploy a Squid-based proxy application there:quay.io/janus-idp/backstage-showcase:pr-1225
). I tested this using the RHDH Operator, but it should work with the Helm Chart as well. For example, to only test the GitHub login issue:a. Follow the instructions to create a GitHub app
b. Make sure to use the image from this PR (
spec.application.image
field if using the Operator).c. GitHub login should fail unless the
HTTP(S)_PROXY
environment variables are set, like so: