Bad http redirect on web-api page

UnixSH · April 9, 2025, 3:28pm

Problem:
Logging in on the web api redirect me to http in the browser, when the endpoint is supposed to be https. It is preventing usage of any link on the home page or login. I’ve checked settings.py, which is properly configured with https. The thing is, it was working before a redeploy, the configuration hasn’t been changed, and I’m able to use the web api if I change the url to https everytime.

Does this reminds of something to someone ?

Expected outcome:
All the redirections should be https

Pulpcore version:
3.75.0

Operating system - distribution and version:
Openshift 4.16

x9c4 · April 10, 2025, 9:04am

Can you extend on how you deploy your installation?

UnixSH · April 10, 2025, 9:22am

Here is an example of manifest

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: pulp
  namespace: pulp
spec:
  host: pulp.apps.mycluster.local
  port:
    targetPort: web
  tls:
    termination: edge
  to:
    name: pulp-web
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: pulp-api
  namespace: pulp
spec:
  host: pulp-api.apps.mycluster.local
  port:
    targetPort: api
  tls:
    termination: edge
  to:
    name: pulp-api
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pulp-storage
  namespace: pulp
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
  storageClassName: thin-csi
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: pulp
  namespace: pulp
  annotations:
    io.kubernetes.cri-o.Devices: "/dev/fuse"
spec:
  selector:
     matchLabels:
       app: pulp
  replicas: 1
  template:
    metadata:
      labels:
        app: pulp
    spec:
      initContainers:
      - name: setup
        image: docker.io/busybox:stable
        command: ["/bin/sh", "-c"]
        args:
          - |
            echo "CONTENT_ORIGIN = 'https://pulp.apps.mycluster.local'" > /etc/pulp/settings.py
            echo "TOKEN_SERVER = 'https://pulp-api.apps.mycluster.local/token'" >> /etc/pulp/settings.py
            echo "TOKEN_SIGNATURE_ALGORITHM = 'ES256'" >> /etc/pulp/settings.py
            echo "PUBLIC_KEY_PATH = '/etc/pulp/certs/token_public_key.pem'" >> /etc/pulp/settings.py
            echo "PRIVATE_KEY_PATH = '/etc/pulp/certs/token_private_key.pem'" >> /etc/pulp/settings.py
        volumeMounts:
          - mountPath: /etc/pulp
            name: pulp-storage
            subPath: settings
      containers:
      - name: stack
        image: docker.io/pulp/pulp:3.75.0
        ports:
          - containerPort: 80
            name: web
          - containerPort: 24817
            name: api
        lifecycle:
          postStart:
            exec:
              command: ["bash", "-c", "pulpcore-manager reset-admin-password -p admin"]
        volumeMounts:
          - mountPath: /etc/pulp
            name: pulp-storage
            subPath: settings
          - mountPath: /var/lib/pulp
            name: pulp-storage
            subPath: storage
          - mountPath: /var/lib/pgsql
            name: pulp-storage
            subPath: pgsql
          - mountPath: /var/lib/containers
            name: pulp-storage
            subPath: containers
      volumes:
      - name: pulp-storage
        persistentVolumeClaim:
          claimName: pulp-storage
---
apiVersion: v1
kind: Service
metadata:
  name: pulp-api
  namespace: pulp
spec:
  selector:
    app: pulp
  ports:
  - name: api
    protocol: TCP
    port: 24817
    targetPort: api
---
apiVersion: v1
kind: Service
metadata:
  name: pulp-web
  namespace: pulp
spec:
  selector:
    app: pulp
  ports:
  - name: web
    protocol: TCP
    port: 8080
    targetPort: web

x9c4 · April 10, 2025, 9:25am

There’s this configuration file for the ui, but i don’t see right away how it could be related to your issue.

github.com

pulp/pulp-ui/blob/main/pulp-ui-config.json

{
  "API_BASE_PATH": "/pulp/api/v3/",
  "UI_BASE_PATH": "/ui/",
  "UI_EXTERNAL_LOGIN_URI": null,
  "EXTRA_VERSION": ""
}

UnixSH · April 10, 2025, 9:29am

Just to avoid confusion, I’m talking about the endpoint with /pulp/api/v3/, not /ui/

hyagi · April 10, 2025, 11:38am

Hi @UnixSH

Checking the manifest provided, I could see that:

this is an installation running in an OpenShift cluster
you are not installing Pulp using pulp-operator, but through a “custom” (homemade) StatefulSet
the installation is deploying the single container image (all Pulp components, including DB and proxy are running in the same container)
you are redirecting the pulp-api.apps.mycluster.local requests to pulp-api service and the pulp.apps.mycluster.local requests to pulp-web service (both services will eventually get into the same pod, but the requests to the pulpcore-content will have the overhead of a double reverse proxy)

As a workaround, what if you configure the route with spec.tls.insecureEdgeTerminationPolicy: Redirect? For example:

---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: pulp
  namespace: pulp
spec:
  host: pulp.apps.mycluster.local
  port:
    targetPort: web
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: edge
  to:
    name: pulp-web
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: pulp-api
  namespace: pulp
spec:
  host: pulp-api.apps.mycluster.local
  port:
    targetPort: api
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: edge
  to:
    name: pulp-api

I understand that it was working before without such configuration … the idea of this workaround is to avoid more downtime while we investigate the issue.

To get a better idea of what is going on, would you mind collecting and sending us a HAR file with the wrong redirects? This would be helpful for us to get a better understanding if this is something that is happening because of a configuration on k8s side or maybe something on pulpcore code/config.

In the meantime, I will see if I can reproduce this in my lab env.
@gerrod, any ideas if there is something in the single container image that could be causing this?

note: this is an installation we don’t support. For k8s/ocp installations, we recommend using pulp-operator.

UnixSH · April 10, 2025, 3:07pm

This is now working properly.

pulp.har

{

“log”: {

"version": "1.2",

"creator": {

  "name": "WebInspector",

  "version": "537.36"

},

"pages": [

  {

    "startedDateTime": "2025-04-10T15:02:44.757Z",

    "id": "page_1",

    "title": "http://pulp.apps.mycluster.local/pulp/api/v3/access_policies/",

    "pageTimings": {

      "onContentLoad": 550.1819999772124,

      "onLoad": 550.99199997494

    }

  }

],

"entries": [

  {

    "_connectionId": "267037",

    "_initiator": {

      "type": "other"

    },

    "_priority": "VeryHigh",

    "_resourceType": "document",

    "cache": {},

    "connection": "80",

    "pageref": "page_1",

    "request": {

      "method": "GET",

      "url": "http://pulp.apps.mycluster.local/pulp/api/v3/access_policies/",

      "httpVersion": "HTTP/1.1",

      "headers": [

        {

          "name": "Accept",

          "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"

        },

        {

          "name": "Accept-Encoding",

          "value": "gzip, deflate"

        },

        {

          "name": "Accept-Language",

          "value": "en-US,en;q=0.9"

        },

        {

          "name": "Connection",

          "value": "keep-alive"

        },

        {

          "name": "Host",

          "value": "pulp.apps.mycluster.local"

        },

        {

          "name": "Sec-Fetch-Dest",

          "value": "document"

        },

        {

          "name": "Sec-Fetch-Mode",

          "value": "navigate"

        },

        {

          "name": "Sec-Fetch-Site",

          "value": "cross-site"

        },

        {

          "name": "Sec-Fetch-User",

          "value": "?1"

        },

        {

          "name": "Upgrade-Insecure-Requests",

          "value": "1"

        },

        {

          "name": "User-Agent",

          "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"

        },

        {

          "name": "sec-ch-ua",

          "value": "\"Chromium\";v=\"134\", \"Not:A-Brand\";v=\"24\", \"Google Chrome\";v=\"134\""

        },

        {

          "name": "sec-ch-ua-mobile",

          "value": "?0"

        },

        {

          "name": "sec-ch-ua-platform",

          "value": "\"Windows\""

        }

      ],

      "queryString": [],

      "cookies": [],

      "headersSize": 874,

      "bodySize": 0

    },

    "response": {

      "status": 503,

      "statusText": "Service Unavailable",

      "httpVersion": "HTTP/1.0",

      "headers": [

        {

          "name": "Cache-Control",

          "value": "private, max-age=0, no-cache, no-store"

        },

        {

          "name": "Connection",

          "value": "close"

        },

        {

          "name": "Content-Type",

          "value": "text/html"

        },

        {

          "name": "Date",

          "value": "Thu, 10 Apr 2025 15:02:45 GMT"

        },

        {

          "name": "Pragma",

          "value": "no-cache"

        },

        {

          "name": "X-RBT-CLI",

          "value": "Name=qDCLIEdbn02; Ver=9.9.2;"

        }

      ],

      "cookies": [],

      "content": {

        "size": 2503,

        "mimeType": "text/html",

        "compression": 0,

        "text": "<html>\r\n  <head>\r\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\r\n\r\n    <style type=\"text/css\">\r\n      body {\r\n        font-family: \"Helvetica Neue\", Helvetica, Arial, sans-serif;\r\n        line-height: 1.66666667;\r\n        font-size: 16px;\r\n        color: #333;\r\n        background-color: #fff;\r\n        margin: 2em 1em;\r\n      }\r\n      h1 {\r\n        font-size: 28px;\r\n        font-weight: 400;\r\n      }\r\n      p {\r\n        margin: 0 0 10px;\r\n      }\r\n      .alert.alert-info {\r\n        background-color: #F0F0F0;\r\n        margin-top: 30px;\r\n        padding: 30px;\r\n      }\r\n      .alert p {\r\n        padding-left: 35px;\r\n      }\r\n      ul {\r\n        padding-left: 51px;\r\n        position: relative;\r\n      }\r\n      li {\r\n        font-size: 14px;\r\n        margin-bottom: 1em;\r\n      }\r\n      p.info {\r\n        position: relative;\r\n        font-size: 20px;\r\n      }\r\n      p.info:before, p.info:after {\r\n        content: \"\";\r\n        left: 0;\r\n        position: absolute;\r\n        top: 0;\r\n      }\r\n      p.info:before {\r\n        background: #0066CC;\r\n        border-radius: 16px;\r\n        color: #fff;\r\n        content: \"i\";\r\n        font: bold 16px/24px serif;\r\n        height: 24px;\r\n        left: 0px;\r\n        text-align: center;\r\n        top: 4px;\r\n        width: 24px;\r\n      }\r\n\r\n      @media (min-width: 768px) {\r\n        body {\r\n          margin: 6em;\r\n        }\r\n      }\r\n    </style>\r\n  </head>\r\n  <body>\r\n    <div>\r\n      <h1>Application is not available</h1>\r\n      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>\r\n\r\n      <div class=\"alert alert-info\">\r\n        <p class=\"info\">\r\n          Possible reasons you are seeing this page:\r\n        </p>\r\n        <ul>\r\n          <li>\r\n            <strong>The host doesn't exist.</strong>\r\n            Make sure the hostname was typed correctly and that a route matching this hostname exists.\r\n          </li>\r\n          <li>\r\n            <strong>The host exists, but doesn't have a matching path.</strong>\r\n            Check if the URL path was typed correctly and that the route was created using the desired path.\r\n          </li>\r\n          <li>\r\n            <strong>Route and path matches, but all pods are down.</strong>\r\n            Make sure that the resources exposed by this route (pods, services, deployment configs, etc) have at least one pod running.\r\n          </li>\r\n        </ul>\r\n      </div>\r\n    </div>\r\n  </body>\r\n</html>\r\n"

      },

      "redirectURL": "",

      "headersSize": 231,

      "bodySize": 2503,

      "_transferSize": 2734,

      "_error": null,

      "_fetchedViaServiceWorker": false

    },

    "serverIPAddress": "100.64.1.24",

    "startedDateTime": "2025-04-10T15:02:44.754Z",

    "time": 466.3359999638386,

    "timings": {

      "blocked": 6.05500001135841,

      "dns": 0.014000000000000234,

      "ssl": -1,

      "connect": 1.189,

      "send": 0.25700000000000056,

      "wait": 458.01800000805406,

      "receive": 0.8029999444261193,

      "_blocked_queueing": 3.02100001135841,

      "_blocked_proxy": 2.6950000000000003,

      "_workerStart": -1,

      "_workerReady": -1,

      "_workerFetchStart": -1,

      "_workerRespondWithSettled": -1

    }

  },

  {

    "_connectionId": "267043",

    "_initiator": {

      "type": "other"

    },

    "_priority": "High",

    "_resourceType": "other",

    "cache": {},

    "connection": "80",

    "pageref": "page_1",

    "request": {

      "method": "GET",

      "url": "http://pulp.apps.mycluster.local/favicon.ico",

      "httpVersion": "HTTP/1.1",

      "headers": [

        {

          "name": "Accept",

          "value": "image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"

        },

        {

          "name": "Accept-Encoding",

          "value": "gzip, deflate"

        },

        {

          "name": "Accept-Language",

          "value": "en-US,en;q=0.9"

        },

        {

          "name": "Connection",

          "value": "keep-alive"

        },

        {

          "name": "Host",

          "value": "pulp.apps.mycluster.local"

        },

        {

          "name": "Referer",

          "value": "http://pulp.apps.mycluster.local/pulp/api/v3/access_policies/"

        },

        {

          "name": "Sec-Fetch-Dest",

          "value": "image"

        },

        {

          "name": "Sec-Fetch-Mode",

          "value": "no-cors"

        },

        {

          "name": "Sec-Fetch-Site",

          "value": "same-origin"

        },

        {

          "name": "User-Agent",

          "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"

        },

        {

          "name": "sec-ch-ua",

          "value": "\"Chromium\";v=\"134\", \"Not:A-Brand\";v=\"24\", \"Google Chrome\";v=\"134\""

        },

        {

          "name": "sec-ch-ua-mobile",

          "value": "?0"

        },

        {

          "name": "sec-ch-ua-platform",

          "value": "\"Windows\""

        }

      ],

      "queryString": [],

      "cookies": [],

      "headersSize": 819,

      "bodySize": 0

    },

    "response": {

      "status": 503,

      "statusText": "Service Unavailable",

      "httpVersion": "HTTP/1.0",

      "headers": [

        {

          "name": "Cache-Control",

          "value": "private, max-age=0, no-cache, no-store"

        },

        {

          "name": "Connection",

          "value": "close"

        },

        {

          "name": "Content-Type",

          "value": "text/html"

        },

        {

          "name": "Date",

          "value": "Thu, 10 Apr 2025 15:02:45 GMT"

        },

        {

          "name": "Pragma",

          "value": "no-cache"

        },

        {

          "name": "X-RBT-CLI",

          "value": "Name=qDCLIEdbn02; Ver=9.9.2;"

        }

      ],

      "cookies": [],

      "content": {

        "size": 2503,

        "mimeType": "text/html",

        "compression": 0,

        "text": "<html>\r\n  <head>\r\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\r\n\r\n    <style type=\"text/css\">\r\n      body {\r\n        font-family: \"Helvetica Neue\", Helvetica, Arial, sans-serif;\r\n        line-height: 1.66666667;\r\n        font-size: 16px;\r\n        color: #333;\r\n        background-color: #fff;\r\n        margin: 2em 1em;\r\n      }\r\n      h1 {\r\n        font-size: 28px;\r\n        font-weight: 400;\r\n      }\r\n      p {\r\n        margin: 0 0 10px;\r\n      }\r\n      .alert.alert-info {\r\n        background-color: #F0F0F0;\r\n        margin-top: 30px;\r\n        padding: 30px;\r\n      }\r\n      .alert p {\r\n        padding-left: 35px;\r\n      }\r\n      ul {\r\n        padding-left: 51px;\r\n        position: relative;\r\n      }\r\n      li {\r\n        font-size: 14px;\r\n        margin-bottom: 1em;\r\n      }\r\n      p.info {\r\n        position: relative;\r\n        font-size: 20px;\r\n      }\r\n      p.info:before, p.info:after {\r\n        content: \"\";\r\n        left: 0;\r\n        position: absolute;\r\n        top: 0;\r\n      }\r\n      p.info:before {\r\n        background: #0066CC;\r\n        border-radius: 16px;\r\n        color: #fff;\r\n        content: \"i\";\r\n        font: bold 16px/24px serif;\r\n        height: 24px;\r\n        left: 0px;\r\n        text-align: center;\r\n        top: 4px;\r\n        width: 24px;\r\n      }\r\n\r\n      @media (min-width: 768px) {\r\n        body {\r\n          margin: 6em;\r\n        }\r\n      }\r\n    </style>\r\n  </head>\r\n  <body>\r\n    <div>\r\n      <h1>Application is not available</h1>\r\n      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>\r\n\r\n      <div class=\"alert alert-info\">\r\n        <p class=\"info\">\r\n          Possible reasons you are seeing this page:\r\n        </p>\r\n        <ul>\r\n          <li>\r\n            <strong>The host doesn't exist.</strong>\r\n            Make sure the hostname was typed correctly and that a route matching this hostname exists.\r\n          </li>\r\n          <li>\r\n            <strong>The host exists, but doesn't have a matching path.</strong>\r\n            Check if the URL path was typed correctly and that the route was created using the desired path.\r\n          </li>\r\n          <li>\r\n            <strong>Route and path matches, but all pods are down.</strong>\r\n            Make sure that the resources exposed by this route (pods, services, deployment configs, etc) have at least one pod running.\r\n          </li>\r\n        </ul>\r\n      </div>\r\n    </div>\r\n  </body>\r\n</html>\r\n"

      },

      "redirectURL": "",

      "headersSize": 231,

      "bodySize": 2503,

      "_transferSize": 2734,

      "_error": null,

      "_fetchedViaServiceWorker": false

    },

    "serverIPAddress": "100.64.1.24",

    "startedDateTime": "2025-04-10T15:02:45.312Z",

    "time": 476.40299998229744,

    "timings": {

      "blocked": 8.758000000663102,

      "dns": 0.01100000000000012,

      "ssl": -1,

      "connect": 1.0710000000000002,

      "send": 0.363,

      "wait": 464.80299999618904,

      "receive": 1.3969999854452908,

      "_blocked_queueing": 6.987000000663102,

      "_blocked_proxy": 1.479,

      "_workerStart": -1,

      "_workerReady": -1,

      "_workerFetchStart": -1,

      "_workerRespondWithSettled": -1

    }

  }

]

}

There seems to be a confusion on my side however, we can login.