Local test deployment unable to get token

[LarsKumbier]

I've followed the BETA-setup with the tags WICKED_1_0 and 1.0.0.beta11 and in local data-container-mode for the api repository.

Reproduce

1. follow the beta-tutorial - do not change anything in the kickstarter-UI beside using the local data-container-mode in deployment.
2. start via docker-compose up -d
3. go to https://portal.local

Expected: The normal wicked API portal welcome-page
Actual: An error page showing: {"error_description":"The access token is invalid or has expired","error":"invalid_token"}'

Same happens when trying to access the "applications" or the "APIs" menu point.

Cause

The portal-auth container is unable to get an IP for the api.portal.local dns entry, as shown in the logs:

portal-auth_1             | {"date":"2018-12-20T09:37:53.596Z","module":"portal-auth:generic-router","message":{"issueAsJson":false,"status":500,"oauthError":"server_error","internalError":{"errno":"ENOTFOUND","code":"ENOTFOUND","syscall":"getaddrinfo","hostname":"api.portal.local","host":"api.portal.local","port":443}},"delta":8577,"level":"error"}
portal-auth_1             | {"date":"20/Dec/2018:09:37:53 +0000","method":"POST","url":"/auth/local/api/portal-api/token","remote-addr":"172.19.0.8","version":"1.1","status":"500","content-length":"92","referrer":"-","response-time":"23.552","correlation-id":"a910c7df-8b7d-4c31-80c3-f6039a33cca3"}

The ip has been added to the docker hosts /etc/hosts file, but that file is ignored from the dns resolver inside the docker containers.

Solution

Change the resulting docker-compose.yml to contain the extra_hosts field:

services:
  [...]
  portal-auth:
  [...]
    extra_hosts:
    - "portal.local:10.1.64.73"
    - "api.portal.local:10.1.64.73"

Replace the ip with the same ip you added to your docker hosts /etc/hosts file.

[DonMartin76]

Thanks! One of the things which need to be polished for the 1.0.0. Leaving this open so that it can be fixed more thoroughly, in code and/or in docs.

[LarsKumbier]

Addendum: This behavior is not reproducible under Docker for Windows. I am on Ubuntu 18.10:

$ docker version
Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.4
 Git commit:        e68fc7a
 Built:             Wed Sep 26 01:43:33 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       e68fc7a
  Built:            Mon Sep 24 22:42:19 2018
  OS/Arch:          linux/amd64
  Experimental:     false

[DonMartin76]

Aha! Yes, when you're saying it, I actually checked on macOS that the /etc/hosts entries goes through to the containers, which should then make this behavior not occur. Good to know it works on Windows as well.

Running things on Linux locally (and apparently also locally dockerized) are a little different from the other operating systems; if you run into more of these issues (rights for example), feel free to open additional issues.

[DonMartin76]

I think I have found one issue here which I will fix, partly using the host.docker.internal virtual DNS entry which Docker for Mac and Windows includes. Building on that, it might be a good idea to be able to insert this IP address from the outside into the containers which need it, as, typically, Docker for Linux does not support host.docker.internal(see docker/for-linux#264).

[DonMartin76]

I will adapt the Beta tutorial to the new 1.0.0-rc.1 release due either today or next week. This will be the easiest way to get it up and running as soon as the release is done:

$ npm install -g wicked-cli
$ wicked tags set 1.0.0-rc.1
$ # cd into an empty directory
$ # make sure Docker can mount $(pwd) into containers
$ wicked kickstart . --new
$ # press ctrl-c
$ wicked box postgres start
$ # find local IP address; this is only on Linux! Can be left out on Mac and Windows
$ wicked box start --docker-host=<ip address>

Then wicked should run locally on http://localhost:3000. For the impatient, use wicked tags set next instead for the bleeding edge build of wicked (instead of 1.0.0-rc.1).

If you have a configuration from a previous (beta) version of wicked, you should be able to use that configuration instead of creating a new one. cd into the directory where the static configuration directory resides, and run wicked kickstart ., leaving out the --new flag. This will create a new environment called box, which is used for running wicked-in-a-box.

The main use case of this is to be able to locally use the Authorization Server and Kong as a Gateway. To map services to the locally running machine, specify ${DOCKER_HOST} as host name for the service; this will always (try to) map to the docker host machine's IP/DNS entry. On Mac and Windows, this defaults to host.docker.internal, but unfortunately this alias does not exist for Linux, thus you need to pass it in from the outside using the --docker-host parameter for the wicked box start command.

Hope this helps, and if you find anything else, feel free to add new issues. Closing this for now.