Preflight checklist
Describe the bug
Brief
Opening the signup page fails.
The UI shows an "An error occurred" page with the message "connect ECONNREFUSED ::1:80".
The projects are deployed in kubernetes with Ingress.
Using deployment from: https://github.com/ory/k8s/tree/v0.26.1
Error
{
"message": "connect ECONNREFUSED ::1:80",
"name": "Error",
"stack": "Error: connect ECONNREFUSED ::1:80\n at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1161:16)",
"config": {
"url": "kratos-public.default.svc.cluster.local/self-service/registration/flows?id=e1cf779a-7d9e-4936-b25a-32653d46b4ad",
"method": "get",
"headers": {
"Accept": "application/json, text/plain, */*",
"User-Agent": "axios/0.21.4"
},
"transformRequest": [
null
],
"transformResponse": [
null
],
"timeout": 0,
"xsrfCookieName": "XSRF-TOKEN",
"xsrfHeaderName": "X-XSRF-TOKEN",
"maxContentLength": -1,
"maxBodyLength": -1,
"transitional": {
"silentJSONParsing": true,
"forcedJSONParsing": true,
"clarifyTimeoutError": false
}
},
"code": "ECONNREFUSED"
}
I tried to fetch the same URL with wget from the kratos-selfservice-ui-node pod, inside the Kubernetes network, but got HTTP 403:
wget -q -S -O - kratos-public.default.svc.cluster.local/self-service/registration/flows?id=168189ff-b9c3-44fa-8c8f-c7af9753157a 2>&1
HTTP/1.1 403 Forbidden
wget: server returned error: HTTP/1.1 403 Forbidden
But if I change the host to one available outside the kubernetes network, I can get the data from that url in the browser.
(url: http://public.kratos.localhost/self-service/registration/flows?id=cf0d88b4-2b7e-40f7-961e-829ad87af929)
{"id":"cf0d88b4-2b7e-40f7-961e-829ad87af929","type":"browser","expires_at":"2022-11-16T16:19:28.99898Z","issued_at":"2022-11-16T15:19:28.99898Z","request_url":"http://public.kratos.localhost/self-service/registration/browser?return_to=","ui":{"action":"https://kratos-587fd8b856-w2cjp:4433/self-service/registration?flow=cf0d88b4-2b7e-40f7-961e-829ad87af929","method":"POST","nodes":[{"type":"input","group":"default","attributes":{"name":"csrf_token","type":"hidden","value":"1lUykvKiVulRyRSsGlq7I57OYg14NRQ7lwWEP+2V5UMdeX4GwPbLac53oeHrqD6CM1le3VTDvlKnk4Kw1RSw8g==","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"traits.username","type":"text","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"password","type":"password","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1070001,"text":"Password","type":"info"}}},{"type":"input","group":"password","attributes":{"name":"traits.email","type":"email","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1070002,"text":"E-Mail","type":"info"}}},{"type":"input","group":"password","attributes":{"name":"traits.name.first","type":"text","disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"traits.name.last","type":"text","disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"traits.favorite_animal","type":"text","disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"traits.accepted_tos","type":"text","disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"method","type":"submit","value":"password","disabled":false,"node_type":"inpu
t"},"messages":[],"meta":{"label":{"id":1040001,"text":"Sign up","type":"info","context":{}}}}]}}
Config
kratos config
My own file: "values/kratos.yaml"
# Ingress section of the reporter's values/kratos.yaml. The paste lost its
# indentation, so nesting is not visible here; the keys come in two groups,
# one following "admin:" and one following "public:".
ingress:
admin:
# NOTE(review): this enables an Ingress for the admin listener on
# admin.kratos.localhost. Ory documents the Kratos admin API as having no
# access control of its own, so confirm this host is reachable only by
# trusted callers before using the same values outside a local cluster.
enabled: true
className: ""
annotations:
{}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: admin.kratos.localhost
paths:
- path: /
pathType: ImplementationSpecific
# Empty list: no TLS secret is configured for the admin host.
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
public:
enabled: true
className: ""
annotations:
{}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: public.kratos.localhost
paths:
- path: /
pathType: ImplementationSpecific
# Empty list: no TLS secret is configured for the public host. The Kratos log
# in this report shows requests for this host arriving with
# x-forwarded-proto:http, i.e. the self-service flows run over plain HTTP.
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# Kratos application settings from values/kratos.yaml (indentation lost in the
# paste, so the nesting of the keys below is not visible here).
kratos:
config:
serve:
public:
# NOTE(review): no base_url appears in this section. The Kratos log in this
# report warns that serve.public.base_url was left empty, and the flow JSON
# returns a ui.action that points at a pod hostname on port 4433 instead of
# public.kratos.localhost. Setting it explicitly is what the warning asks for.
cors:
# CORS is disabled here, so the origin list below presumably has no effect —
# confirm against the Kratos configuration reference.
enabled: false
allowed_origins:
- http://ui.kratos.localhost
hashers:
argon2:
# NOTE(review): single iteration, parallelism 1 and a 16-byte key are low
# cost settings. Acceptable for a local reproduction; compare with current
# Argon2 password-hashing guidance before reusing them elsewhere.
parallelism: 1
memory: 37MB
iterations: 1
salt_length: 16
key_length: 16
# NOTE(review): the DSN embeds the database user name and password in clear
# text, and it was pasted into a public report — treat that credential as
# exposed and rotate it. Supply the DSN from a Kubernetes Secret rather than a
# values file. "sslmode=disable" also turns off TLS on the PostgreSQL
# connection.
dsn: postgres://mikhailgorbachev666:82M3TLiz7SttMrLu2bTe&@chart-service-account-postgresql-db-postgresql-sa-service.default.svc.cluster.local:5432/db_service_account?sslmode=disable
secrets:
default:
# NOTE(review): these two values read as filler text, not random secrets.
# Presumably Kratos derives cookie/encryption keys from this list — use
# randomly generated values kept in a secret store, and do not publish them.
- dolore occaecat nostrud Ut
- sit et commodoaute ut voluptate consectetur Duis
identity:
default_schema_id: default
schemas:
- id: default
# Path of the schema file inside the container; the file name matches the
# identitySchemas entry further down in this values file.
url: file:///etc/config/identity.default.schema.json
courier:
smtp:
# NOTE(review): test:test credentials and skip_ssl_verify=true (certificate
# verification off) point at a development mail catcher; neither belongs in a
# deployment that sends real mail.
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
selfservice:
# All UI URLs below use http://, matching the x-forwarded-proto:http seen in
# the logs: registration and login forms travel unencrypted in this setup.
default_browser_return_url: http://ui.kratos.localhost/
flows:
login:
ui_url: http://ui.kratos.localhost/login
registration:
ui_url: http://ui.kratos.localhost/registration
error:
ui_url: http://ui.kratos.localhost/error
automigration:
enabled: true
# Identity schema shipped with the chart values. The entry name matches the
# file referenced by identity.schemas[].url (identity.default.schema.json).
# Everything after the "|" is a literal block scalar holding JSON, so any "#"
# in it would become schema content; notes are kept above this key.
# The schema defines traits username, email, name.first/last, favorite_animal
# and accepted_tos; username and email are both flagged as password
# identifiers, both are required, and additional trait properties are rejected.
# NOTE(review): accepted_tos is typed as a free-form string and is not
# required, so the schema as written does not enforce acceptance.
identitySchemas:
"identity.default.schema.json": |
{
"$id": "http://mydomain.com/schemas/v2/customer.schema.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "A customer (v2)",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"username": {
"type":"string",
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
}
}
},
"email": {
"title": "E-Mail",
"type": "string",
"format": "email",
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
}
}
},
"name": {
"type": "object",
"properties": {
"first": {
"type": "string"
},
"last": {
"type": "string"
}
}
},
"favorite_animal": {
"type": "string"
},
"accepted_tos": {
"type": "string"
}
},
"required": ["username", "email"],
"additionalProperties": false
}
}
}
kratos-selfservice-ui-node config
# Default values for kratos-selfservice-ui-node.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# (Indentation was lost in this paste, so nesting is not visible below.)
# -- Number of replicas in deployment
replicaCount: 1
# -- Deployment image settings
image:
# SELFSERVICE image
repository: oryd/kratos-selfservice-ui-node
# -- ORY KRATOS VERSION
# The UI image tag equals the Kratos service_version (v0.10.1) printed in the
# Kratos log of this report.
tag: v0.10.1
pullPolicy: IfNotPresent
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# -- Service configuration
service:
type: ClusterIP
port: 80
# -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
name: http
# -- Ingress configuration
ingress:
enabled: true
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: ui.kratos.localhost
paths:
- path: /
pathType: ImplementationSpecific
# Empty list: no TLS secret is configured for the UI host; the UI log in this
# report shows browser requests arriving with x-forwarded-proto http.
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# -- Deployment level securityContext
# Container hardening as written: every Linux capability dropped, read-only
# root filesystem, non-root UID 1000, no privilege escalation, not privileged.
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
# -- Deployment configuration
deployment:
# Empty map: no CPU or memory requests/limits are set for the UI container.
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# -- Array of extra envs to be passed to the deployment. Kubernetes format is expected
# - name: FOO
# value: BAR
extraEnv: []
# -- If you want to mount external volume
# For example, mount a secret containing Certificate root CA to verify database
# TLS connection.
extraVolumes: []
# - name: my-volume
# secret:
# secretName: my-secret
extraVolumeMounts: []
# - name: my-volume
# mountPath: /etc/secrets/my-secret
# readOnly: true
# -- Node labels for pod assignment.
nodeSelector: {}
# If you do want to specify node labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
# foo: bar
# -- Configure node tolerations.
tolerations: []
# -- Configure pod topologySpreadConstraints.
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# app.kubernetes.io/name: kratos-selfservice-ui-node
# app.kubernetes.io/instance: kratos-selfservice-ui-node
labels: {}
# If you do want to specify additional labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'labels:'.
# e.g. type: app
annotations: {}
# If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
# e.g. sidecar.istio.io/rewriteAppHTTPProbers: "true"
# https://github.com/kubernetes/kubernetes/issues/57601
# The pod does not get a Kubernetes service-account token mounted.
automountServiceAccountToken: false
affinity: {}
# -- Set this to ORY Kratos's Admin URL
# NOTE(review): no URL scheme here either; see the note on kratosPublicUrl.
kratosAdminUrl: "kratos-admin.default.svc.cluster.local"
# -- Set this to ORY Kratos's public URL
# NOTE(review): this value has no "http://" scheme. The axios error in this
# report shows the request URL as
# "kratos-public.default.svc.cluster.local/self-service/registration/flows?..."
# and the connection being refused at ::1:80, the UI pod's own loopback, which
# suggests the value is treated as a relative path instead of a host. Writing
# it as "http://kratos-public.default.svc.cluster.local" is the likely fix —
# confirm against the chart's deployment template.
kratosPublicUrl: "kratos-public.default.svc.cluster.local"
# -- Set this to ORY Kratos's public URL accessible from the outside world.
kratosBrowserUrl: "http://public.kratos.localhost/"
# -- The baseUrl
baseUrl: ""
# -- The jwksUrl
# NOTE(review): the JWKS document is fetched over plain HTTP from an in-cluster
# name; presumably it is used to verify tokens, so confirm the network path
# between the UI and oathkeeper-api is trusted.
jwksUrl: "http://oathkeeper-api"
projectName: "SecureApp"
Logs
kratos-selfservice-ui-node logs:
{"level":"info","message":"HTTP GET /health/ready","meta":{"req":{"headers":{"accept":"*/*","connection":"close","host":"10.244.0.157:3000","user-agent":"kube-probe/1.24"},"httpVersion":"1.1","method":"GET","originalUrl":"/health/ready","query":{},"url":"/health/ready"},"res":{"statusCode":200},"responseTime":1}}
{"level":"info","message":"HTTP GET /health/alive","meta":{"req":{"headers":{"accept":"*/*","connection":"close","host":"10.244.0.157:3000","user-agent":"kube-probe/1.24"},"httpVersion":"1.1","method":"GET","originalUrl":"/health/alive","query":{},"url":"/health/alive"},"res":{"statusCode":200},"responseTime":2}}
{"level":"info","message":"HTTP GET /registration","meta":{"req":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.5","host":"ui.kratos.localhost","referer":"http://ui.kratos.localhost/welcome","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-origin","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0","x-forwarded-for":"172.18.0.1","x-forwarded-host":"ui.kratos.localhost","x-forwarded-port":"80","x-forwarded-proto":"http","x-forwarded-scheme":"http","x-real-ip":"172.18.0.1","x-request-id":"062b8b2d72fd63a17f49ba3fd20d6ae9","x-scheme":"http"},"httpVersion":"1.1","method":"GET","originalUrl":"/registration","query":{},"url":"/registration"},"res":{"statusCode":303},"responseTime":2}}
Error: connect ECONNREFUSED ::1:80
at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1161:16)
{"level":"info","message":"HTTP GET /registration?flow=e1a80d6e-2aa8-4412-89a6-fd166cf21a8a","meta":{"req":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.5","host":"ui.kratos.localhost","referer":"http://ui.kratos.localhost/","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"cross-site","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0","x-forwarded-for":"172.18.0.1","x-forwarded-host":"ui.kratos.localhost","x-forwarded-port":"80","x-forwarded-proto":"http","x-forwarded-scheme":"http","x-real-ip":"172.18.0.1","x-request-id":"abd3f0b0bdf663d31712e9807f412be3","x-scheme":"http"},"httpVersion":"1.1","method":"GET","originalUrl":"/registration?flow=e1a80d6e-2aa8-4412-89a6-fd166cf21a8a","query":{"flow":"e1a80d6e-2aa8-4412-89a6-fd166cf21a8a"},"url":"/registration?flow=e1a80d6e-2aa8-4412-89a6-fd166cf21a8a"},"res":{"statusCode":500},"responseTime":19}}
Kratos logs:
time=2022-11-15T19:07:36Z level=warning msg=Configuration key serve.public.base_url was left empty. Optimistically guessing the server's base URL. Please set a value to avoid problems with redirects and cookies. audience=application service_name=Ory Kratos service_version=v0.10.1
time=2022-11-15T19:07:36Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". referer:http://ui.kratos.localhost/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 x-forwarded-for:172.18.0.1 x-forwarded-host:public.kratos.localhost x-forwarded-port:80 x-forwarded-proto:http x-forwarded-scheme:http x-real-ip:172.18.0.1 x-request-id:edb5cce2d7ede56ef8e411bf30a968b5 x-scheme:http] host:public.kratos.localhost method:GET path:/self-service/registration/browser query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:10.244.0.8:59178 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:text/html; charset=utf-8 location:http://ui.kratos.localhost/registration?flow=e1a80d6e-2aa8-4412-89a6-fd166cf21a8a vary:Cookie] size:108 status:303 text_status:See Other took:7.169415ms]
time=2022-11-15T19:07:45Z level=info msg=started handling request http_request=map[headers:map[accept:*/* connection:close user-agent:kube-probe/1.24] host:10.244.0.155:4434 method:GET path:/admin/health/ready query:<nil> remote:10.244.0.1:53354 scheme:http]
Reproducing the bug
- Install database
- Install kratos and ui
helm install kratos --debug \
helm/charts/kratos \
-f values/kratos.yaml
helm install kratos-ui --debug \
helm/charts/kratos-selfservice-ui-node
- Open http://ui.kratos.localhost.
- Press "Sign up" button.
- Get page "An error occurred"
Relevant log output
No response
Relevant configuration
No response
Version
v0.10.1
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
No response