fix: gate RESOURCE_SERVER and local resource management on gateway presence #331
Open
EDA server defaults RESOURCE_SERVER__URL to "https://localhost",
which causes default.py to unconditionally override authentication
classes to JWT-only, breaking session-based login for standalone
deployments. This is due to a recent change in EDA server [1] that only
allows authentication through gateway, except when EDA is run in
development mode, which essentially sets RESOURCE_SERVER_URL to None [2].

We now introduce a `resource_server_url` variable (defaults to empty)
and detect gateway deployments by checking both this variable and the
EDA_RESOURCE_SERVER__URL entry that aap-gateway-operator injects via
extra_settings.

When EDA operator is deployed standalone:
- EDA_RESOURCE_SERVER__URL is omitted; defaults.py `None` prevails
- EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT is set to True

When EDA is deployed via AAP:
- EDA_RESOURCE_SERVER__URL is provided by the gateway operator
  extra_settings and rendered in the ConfigMap loop
- EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT is omitted; defaults to False

The previous version used RESOURCE_SERVER__URL (without EDA_ prefix),
which Dynaconf ignores since it only reads EDA_-prefixed env vars.
It also checked only the operator variable, which the gateway operator
never sets, causing ALLOW_LOCAL_RESOURCE_MANAGEMENT to be True
unconditionally, even behind gateway.

[1] ansible/eda-server#1495
[2] https://github.com/ansible/eda-server/blob/9e97dafb06149e5202d98ff1c6d04d2595beb53e/src/aap_eda/settings/development_defaults.py#L25-L26
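A check that could be run over the rendered ConfigMap data for the cases the description lists, as an added example that is not code from this PR or from eda-server. `audit_eda_env`, the finding names and the sample mappings are constructed here, and the truthy-string parsing is an assumption.

```python
# Added example: audit a rendered env mapping for the states the PR text describes.
# audit_eda_env is a hypothetical helper; the SAMPLES mappings are constructed.

PREFIX = "EDA_"  # per the PR text, Dynaconf only reads EDA_-prefixed env vars
GATED = ("RESOURCE_SERVER__URL", "ALLOW_LOCAL_RESOURCE_MANAGEMENT")


def _truthy(value):
    # Assumption: the usual boolean spellings count as True.
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def audit_eda_env(data):
    """Return a sorted list of finding codes for one rendered env mapping."""
    findings = set()
    for name in GATED:
        # An unprefixed key looks configured but is never read by the server.
        if name in data and PREFIX + name not in data:
            findings.add("ignored-unprefixed:" + name)
    url = str(data.get(PREFIX + "RESOURCE_SERVER__URL") or "").strip()
    allow_local = _truthy(data.get(PREFIX + "ALLOW_LOCAL_RESOURCE_MANAGEMENT", "False"))
    if url and allow_local:
        # The PR text expects the flag to stay at its False default behind gateway.
        findings.add("local-management-behind-gateway")
    if not url and not allow_local:
        # Standalone deployment, but the flag was left at its False default.
        findings.add("standalone-without-local-management")
    return sorted(findings)


GATEWAY_URL = "https://gateway.example.invalid"  # constructed placeholder
SAMPLES = {
    "standalone": {"EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT": "True"},
    "via_aap": {"EDA_RESOURCE_SERVER__URL": GATEWAY_URL},
    "flag_always_true": {
        "EDA_RESOURCE_SERVER__URL": GATEWAY_URL,
        "EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT": "True",
    },
    "unprefixed_url": {"RESOURCE_SERVER__URL": GATEWAY_URL},
}

if __name__ == "__main__":
    for label, env in SAMPLES.items():
        print(label, audit_eda_env(env))
```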
This was referenced Mar 24, 2026
dsavineau reviewed Mar 24, 2026
Comment on lines +40 to +46
| {% set _behind_gateway = (resource_server_url | default('') | length > 0) or (extra_settings | default([]) | selectattr('setting', 'equalto', 'EDA_RESOURCE_SERVER__URL') | list | length > 0) %} | ||
| {% if resource_server_url | default('') | length > 0 %} | ||
| EDA_RESOURCE_SERVER__URL: "{{ resource_server_url }}" | ||
| {% endif %} | ||
| {% if not _behind_gateway %} | ||
| EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT: "True" | ||
| {% endif %} |
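Review bot: on the first line, `_behind_gateway` matches the `extra_settings` entry for EDA_RESOURCE_SERVER__URL by its `setting` name alone, so the outcome depends only on whether this template can see the gateway's entry: whenever it cannot, the last block writes EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT: "True" and the deployment fails open, while an entry with an empty value still counts as behind gateway. Consider testing the entry's value as well as its name, or keying the flag off one explicit variable. Separately, when `resource_server_url` is set and `extra_settings` also carries EDA_RESOURCE_SERVER__URL, the key is rendered here and again by the ConfigMap loop the description mentions, so it should be emitted from one place only. The `"{{ resource_server_url }}"` interpolation is also not escaped for YAML, so a value containing a double quote would break the rendered document.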
Contributor
I'm not sure about this logic.
We shouldn't have to redefine EDA_RESOURCE_SERVER__URL since it's already injected via extra setting; it doesn't really make sense to have some logic here.
For EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT we can probably just do what we're already doing for all operators and rely on public_base_url instead.