Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add allow_oauth_origin discussion to README.md #270

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add allow_oauth_origin discussion to README.md #270

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions on-prem-docs/builder-automate.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,8 @@ To authenticate with Chef Automate, create a patch with the Chef Automate comman
```

1. Edit `bldr.env`:
* You must have version chef/automate-builder-api-proxy/0.1.0/20230111051525 or higher of builder-api-proxy, you can check by viewing the hab package storage area on your system
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If they are using builder-api-proxy via the automate wrapped chef/automate-builder-api-proxy then they are using an integrated automate bundled builder which should have the same origin domain as automate and should not suffer the cross-origin issue. This becomes an issue when using a separate standalone on-prem builder.

* You must set the following setting. Replace AUTOMATE-FQDN with the FQDN of your Automate system: **allow_oauth_origin** should have the value https://AUTOMATE-FQDN/
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the on-prem installer should automatically set ALLOW_OAUTH_ORIGIN if you are specifying chef-automate as the oauth provider. However if they simply update their builder-api-proxy package without running the installer then this is a good callout but we should b clear that it should be set under the [nginx] toml table in /hab/user/builder-api-proxy/config/user.toml. Also it needs to be uppercase.

* SSL must be enabled in Builder in order to authenticate against Automate, use `APP_SSL_ENABLED=true` and a `APP_URL` beginning with `https`.
* Set `OAUTH_PROVIDER` to `chef-automate`.
* Set the values of `OAUTH_USERINFO_URL`, `OAUTH_AUTHORIZE_URL`, and `OAUTH_TOKEN_URL` to the example values provided in the `sample.bldr.env` file substituting `<your.automate.domain>` with your Automate server or domain name.
Expand Down Expand Up @@ -191,3 +193,17 @@ Rename the custom Builder certificates cert file as `ssl-certificate.crt` and th
## Next Steps

[Bootstrap Core Origin](./bootstrap-core.md)

## Troubleshooting

When the builder is not correctly configured with the **allow_oauth_origin**, or the builder is too old to support the config paramter, you will see error messages like the following even when the rest of the configuration is correct.

```
currently only Habitat Builder is supported for Oauth2 integration. expected bldr client_id: automate-builder-api, actual client_id: YZqk2jC47VVyRhhT"
```

or

```
failed to pass valid redirect_uri for client_id: automate-builder-api, expected: /bldr, registered for client: https://SOME-BUILDER-SOMEWHERE/
```