-
Notifications
You must be signed in to change notification settings - Fork 447
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
production incident: Nginx new port setup is broken #1860
Comments
when trying to set the ports back to the same ports it was using before,
we get the following error: Using deprecated password for user _internal. |
after trying to rollback only nginx tag to 7.71.11,
we get the following:
|
for the reference, the good colleagues from support helped me to figure out and it seems to be related to this line charts/stable/artifactory/values.yaml Line 1633 in c4bad2b
I will leave this issue open, but the i'm closing the ticket. please feel free to close this issue. |
Hi @EvertonSA Problem Description: Following changing Nginx internal Ports to 8080/8443 in Artifactory Helm Charts, the value of Wrong X-JFrog-Override-Base-Url/X-Forwarded-Port which is based on “$server_port” changed when "nginx.service.ssloffload" is false (default) https://github.com/jfrog/charts/blob/master/stable/artifactory/values.yaml#L1630
As a result, clients like Docker will redirect the requests to $host:$server_port while the "server_port" will reflect the internal port (8443/8080) which is not accessible as it is different from the external port (80/443) What is the expected behavior? The internal port should not impact the value of these headers. Workaround: Add the whole artifactoryConf section to your custom values.yaml and replace the if-else-end section with:
|
Hi, recently jfrog changed nginx ports from 80 and 443 to 8080 and 8443.
it looks good, but i don't think it was tested. when reaching for a docker remote, jfrog artifactory issues the client back to registry auth, but instead of doing it on 443, it issues back to 8443.
and 8443 is not exposed on the nginx service (only 80 and 443, mapping to 8080 and 8443).
I'm facing a huge production incident and I have opened ticket number 285150.
I tried to set the nginx ports back to 80 and 443 but nginx does not start, it throws permission denied.
this is what jfrog clients see on their kubernetes clusters:
Failed to pull image "jfrog-xxxx.xxxx.com/registry-1.docker.io/xxxx": rpc error: code = DeadlineExceeded desc = failed to pull and unpack image "jfrog-xxxx.xxxx.com/registry-1.docker.io/xxxx": failed to resolve reference "jfrog-xxxx.xxxx.com/registry-1.docker.io/xxxx": failed to authorize: failed to fetch oauth token: Post "https://jfrog-xxxx.xxxx.com:8443/artifactory/api/docker/registry-1.docker.io/v2/token": dial tcp 10.xxxx:8443: i/o timeout
we were able to workaround a few client clusters by adding manually the following
but this only works for clients that allow external access to 8443. if they only allow 80 and 443, they still have issues and I have no control over their firewall egress rules.
please fix asap, either by allowing reverting back to 80 and 443, or make artifactory redirect auth requests to the same port the client issued the initial tcp connection.
The text was updated successfully, but these errors were encountered: