I deployed an ory hydra instance in my k8s cluster...
# talk-hydra
c
I deployed an Ory Hydra instance in my k8s cluster, and I'm trying to control it with the hydra CLI. I'm port forwarding port 4445 to my localhost and I try this:
```
podman run --rm -e HYDRA_URL=http://host.containers.internal:4445/ oryd/hydra clients list
```
and the response I get back is this:
```
The request failed with the following error message:
{
  "error": "error",
  "error_description": "The error is unrecognizable"
}
```
Relevant logs:
```
time=2022-05-23T18:10:46Z level=info msg=started handling request http_request=map[headers:map[accept:application/json accept-encoding:gzip user-agent:Go-http-client/1.1] host:host.containers.internal:4445 method:GET path:/clients query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:127.0.0.1:53800 scheme:http]
time=2022-05-23T18:10:46Z level=warning msg=Could not serve http connection audience=application error=map[message:neither remote address nor any x-forwarded-for values match CIDR ranges [10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]: [127.0.0.1], ranges, check)] http_request=map[headers:map[accept:application/json accept-encoding:gzip user-agent:Go-http-client/1.1] host:host.containers.internal:4445 method:GET path:/clients query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:127.0.0.1:53800 scheme:http] service_name=Ory Hydra service_version=v1.11.8
time=2022-05-23T18:10:46Z level=error msg=An error occurred while handling a request audience=application error=map[message:can not serve request over insecure http] http_request=map[headers:map[accept:application/json accept-encoding:gzip user-agent:Go-http-client/1.1] host:host.containers.internal:4445 method:GET path:/clients query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:127.0.0.1:53800 scheme:http] http_response=map[status_code:502] service_name=Ory Hydra service_version=v1.11.8
time=2022-05-23T18:10:46Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json accept-encoding:gzip user-agent:Go-http-client/1.1] host:host.containers.internal:4445 method:GET path:/clients query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:127.0.0.1:53800 scheme:http] http_response=map[headers:map[content-type:application/json] size:68 status:502 text_status:Bad Gateway took:1.089788ms]
```
Any ideas?
f
An error occurred while handling a request audience=application error=map[message:can not serve request over insecure http]
I don't see anything specific in the configuration we're running, but the configuration does have `SERVE_PUBLIC_TLS_ALLOW_TERMINATION_FROM` in there, so it does have some concept of requiring access via HTTPS.
c
Can this be disabled? I'm accessing the admin API through a kubectl port forward, and TLS termination happens outside, at the ingress level. I do not want to expose the admin API through the ingress.
Ah, I found it! It seems that adding `tls: allow_termination_from: + - 127.0.0.1/32` in the config does the trick.