How does allowedCIDRs work?

Sorry, I’m here again.

I don’t understand how allowedCIDRs works, or maybe I don’t understand host authentication.

Before restricting network access with allowedCIDRs, I was able to access the CrateDB UI both from the load balancer address and from the nginx reverse proxy (which handles HTTPS and load-balances three Kubernetes nodes).

Now, using allowedCIDRs, I receive errors after attempting authentication: the login popup window appears, but clicking the access button does nothing; clicking the cancel button gives an error page.

Here are the errors:
With the “http://192.168.151.21:4200/” URL I receive:

No valid auth.host_based.config entry found for host "192.168.151.1", user "crate", protocol "http". Did you enable TLS in your client?

With the “https://crate.h5a.net/” URL I receive:

No valid auth.host_based.config entry found for host "192.168.151.33", user "crate", protocol "http". Did you enable TLS in your client?

I created the CrateDB cluster with crate-operator using these commands:

kubectl create namespace crate-operator
kubectl create namespace for-crate
helm install crate-operator crate-operator/crate-operator --namespace crate-operator --set env.CRATEDB_OPERATOR_DEBUG_VOLUME_STORAGE_CLASS=longhorn --set env.CRATEDB_OPERATOR_DEBUG_VOLUME_SIZE=4GiB
kubectl --namespace for-crate create -f my-crate.yaml

where my-crate.yaml contains:

apiVersion: cloud.crate.io/v1
kind: CrateDB
metadata:
  name: my-cluster
  namespace: for-crate
spec:
  cluster:
    imageRegistry: crate
    name: my-crate
    version: 5.8.1
    allowedCIDRs:
    - 192.168.151.0/24
    - 10.0.0.0/8
  nodes:
    data:
    - name: hot
      replicas: 3
      resources:
        limits:
          cpu: 4
          memory: 4Gi
        disk:
          count: 1
          size: 16GiB
          storageClass: longhorn
        heapRatio: 0.25

The services are:

sysop@h5a-dev:~$ kubectl get svc -n for-crate
NAME                         TYPE           CLUSTER-IP     EXTERNAL-IP                                    PORT(S)                         AGE
crate-discovery-my-cluster   ClusterIP      None           <none>                                         4300/TCP,4200/TCP,5432/TCP      3d8h
crate-my-cluster             LoadBalancer   10.43.47.153   192.168.151.21,192.168.151.22,192.168.151.23   4200:31656/TCP,5432:30136/TCP   3d8h
sysop@h5a-dev:~$ 

So I’m trying to enable host authentication restricted to the “192.168.151.0/24” external network and the “10.0.0.0/8” internal network.

What am I doing wrong?
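A quick triage step for this kind of report, added here as an example and not code from the original post or from the crate-operator project: take the host that CrateDB names in each "No valid auth.host_based.config entry found" message and check whether it falls inside the ranges listed under spec.cluster.allowedCIDRs. The assumption is that the quoted host is the source address the cluster saw for the connection (behind a load balancer or reverse proxy that is the intermediary's address, not the browser's). If the host is inside an allowed range, the CIDR list cannot be what rejected the login and the problem is elsewhere (credentials, protocol, or the HBA entries themselves). The two messages below are copied from the question; the ranges are the two from my-crate.yaml.

```python
import ipaddress
import re

# Ranges copied from spec.cluster.allowedCIDRs in my-crate.yaml above.
ALLOWED_CIDRS = ["192.168.151.0/24", "10.0.0.0/8"]

# Shape of CrateDB's host-based-auth rejection as quoted in the question.
HBA_ERROR_RE = re.compile(
    r'No valid auth\.host_based\.config entry found for host "(?P<host>[^"]+)", '
    r'user "(?P<user>[^"]+)", protocol "(?P<protocol>[^"]+)"'
)


def parse_hba_error(message):
    """Return (host, user, protocol) from an HBA rejection message, or None."""
    m = HBA_ERROR_RE.search(message)
    if m is None:
        return None
    return m.group("host"), m.group("user"), m.group("protocol")


def matching_cidr(host, cidrs=ALLOWED_CIDRS):
    """Return the first range in `cidrs` that contains `host`, or None.

    Membership is checked per address family: an IPv4 host never matches an
    IPv6 range (and vice versa), so a v6 client is reported as unmatched
    rather than raising.
    """
    addr = ipaddress.ip_address(host)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return cidr
    return None


def triage(message, cidrs=ALLOWED_CIDRS):
    """Classify one HBA error: was the rejected source host outside allowedCIDRs?"""
    parsed = parse_hba_error(message)
    if parsed is None:
        return {"parsed": False}
    host, user, protocol = parsed
    cidr = matching_cidr(host, cidrs)
    return {
        "parsed": True,
        "host": host,
        "user": user,
        "protocol": protocol,
        "matching_cidr": cidr,
        # Inside an allowed range => the CIDR list did not block this login.
        "blocked_by_cidr": cidr is None,
    }


# Constructed sample input: the two messages quoted in the question.
SAMPLE_ERRORS = [
    'No valid auth.host_based.config entry found for host "192.168.151.1", '
    'user "crate", protocol "http". Did you enable TLS in your client?',
    'No valid auth.host_based.config entry found for host "192.168.151.33", '
    'user "crate", protocol "http". Did you enable TLS in your client?',
]

if __name__ == "__main__":
    for msg in SAMPLE_ERRORS:
        print(triage(msg))
```

Both quoted hosts (192.168.151.1 from the load balancer path and 192.168.151.33 from the nginx path) sit inside 192.168.151.0/24, so the script reports blocked_by_cidr False for each; that matches the outcome of the thread, where the restriction turned out not to be the cause.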

Hi,

Are you using the system user with the password that comes out of running get secret, as in Run CrateDB with Kubernetes Operator - CrateDB: Guide?


Yes, I got the password with:

sysop@h5a-dev:~/h5a/h5a-certs$ kubectl get secret user-system-my-cluster -o json -n for-crate| jq -r '.data.password' | base64 -d
S9xsloAiGVvZ7iqaDQjtAzasmiFedEYlc1ajapZWDikhPbZTkjsysop@h5a-dev:~/h5a/h5a-certs$ 
sysop@h5a-dev:~/h5a/h5a-certs$ kubectl get service crate-my-cluster -o json -n for-crate | jq -r '.status.loadBalancer.ingress[0].ip'
192.168.151.21
sysop@h5a-dev:~/h5a/h5a-certs$

Before adding the allowedCIDRs restrictions, I was able to log in with the system user and the gathered password.

But now I receive the errors, so I think the cause is the added restriction.

Sorry, I used the wrong password from a previous installation.

Gathering the password again and using the new value worked, and I can access the UI again.
