From 891a7936395df34ded929485bd6b8094a4933843 Mon Sep 17 00:00:00 2001
From: Kaio Oliveira
Date: Mon, 23 Mar 2026 17:31:26 -0300
Subject: [PATCH] fix: gate RESOURCE_SERVER and local resource management on gateway presence

EDA server defaults RESOURCE_SERVER__URL to "https://localhost", which causes default.py to unconditionally override authentication classes to JWT-only, breaking session-based login for standalone deployments.

This is due to a recent change in EDA server [1] that only allows authentication through gateway, except when EDA is run in development mode, which essentially sets RESOURCE_SERVER_URL to None [2].

We now introduce a `resource_server_url` variable (defaults to empty) and detect gateway deployments by checking both this variable and the EDA_RESOURCE_SERVER__URL entry that aap-gateway-operator injects via extra_settings.

When EDA operator is deployed standalone:
- EDA_RESOURCE_SERVER__URL is omitted; defaults.py `None` prevails
- EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT is set to True

When EDA is deployed via AAP:
- EDA_RESOURCE_SERVER__URL is provided by the gateway operator extra_settings and rendered in the ConfigMap loop
- EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT is omitted; defaults to False

The previous version used RESOURCE_SERVER__URL (without EDA_ prefix), which Dynaconf ignores since it only reads EDA_-prefixed env vars. It also checked only the operator variable, which the gateway operator never sets, causing ALLOW_LOCAL_RESOURCE_MANAGEMENT to be True unconditionally, even behind gateway.

[1] https://github.com/ansible/eda-server/pull/1495
[2] https://github.com/ansible/eda-server/blob/9e97dafb06149e5202d98ff1c6d04d2595beb53e/src/aap_eda/settings/development_defaults.py#L25-L26
---
 roles/eda/defaults/main.yml | 4 ++++
 roles/eda/templates/eda.configmap.yaml.j2 | 11 +++++++++++
 2 files changed, 15 insertions(+)

diff --git a/roles/eda/defaults/main.yml b/roles/eda/defaults/main.yml
index ccd7c840..ab125460 100644
--- a/roles/eda/defaults/main.yml
+++ b/roles/eda/defaults/main.yml @@ -161,6 +161,10 @@ event_stream_mtls: "{{ event_stream.mtls | default(true) }}" event_stream_mtls_prefix_path: "mtls/{{ event_stream_prefix_path.strip('/') }}" event_stream_prefix_path: "{{ event_stream.prefix | default('/eda-event-streams') }}" +# Leave empty for standalone deployments (SessionAuth + local resource management). +# Set to gateway URL when deploying behind Gateway (JWT-only auth). +resource_server_url: '' + # Disable UI container's nginx ipv6 listener ipv6_disabled: false diff --git a/roles/eda/templates/eda.configmap.yaml.j2 b/roles/eda/templates/eda.configmap.yaml.j2 index 55f62f7b..0c45fb28 100644 --- a/roles/eda/templates/eda.configmap.yaml.j2 +++ b/roles/eda/templates/eda.configmap.yaml.j2 @@ -34,6 +34,17 @@ data: EDA_STATIC_URL: /api/eda/static/ + # Resource Server configuration + # Detect gateway deployment via either the operator variable or + # the extra_settings injected by the gateway-operator. +{% set _behind_gateway = (resource_server_url | default('') | length > 0) or (extra_settings | default([]) | selectattr('setting', 'equalto', 'EDA_RESOURCE_SERVER__URL') | list | length > 0) %} +{% if resource_server_url | default('') | length > 0 %} + EDA_RESOURCE_SERVER__URL: "{{ resource_server_url }}" +{% endif %} +{% if not _behind_gateway %} + EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT: "True" +{% endif %} + # Custom user variables {% for item in extra_settings | default([]) %} {{ item.setting | upper }}: "{{ item.value }}"
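Review bot: The comment above `resource_server_url: ''` in roles/eda/defaults/main.yml documents only half of the switch. The template also treats an `EDA_RESOURCE_SERVER__URL` entry in `extra_settings` as gateway presence, so "leave empty" does not by itself guarantee standalone behaviour (SessionAuth plus local resource management). Please say so in the comment, and state what is expected when both the variable and the `extra_settings` entry are set, since the template would then render the key twice. It would also help to note that the value must be a full URL, because any non-empty string, including whitespace, switches the deployment to JWT-only auth.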
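Review bot: The gateway detection in roles/eda/templates/eda.configmap.yaml.j2 is case-sensitive while the rendering loop is not: `selectattr('setting', 'equalto', 'EDA_RESOURCE_SERVER__URL')` matches only the exact upper-case name, but the loop below emits `{{ item.setting | upper }}`. An `extra_settings` entry written as `eda_resource_server__url` would be rendered as `EDA_RESOURCE_SERVER__URL` yet leave `_behind_gateway` false, so `EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT: "True"` would be emitted on a deployment that is behind the gateway. Suggest normalising before comparing, for example `extra_settings | map(attribute='setting') | map('upper') | select('equalto', 'EDA_RESOURCE_SERVER__URL')`. Separately, when `resource_server_url` is set and `extra_settings` also carries the same key, the ConfigMap gets `EDA_RESOURCE_SERVER__URL` twice (once from the new block, once from the loop); skip the explicit line when the entry is present in `extra_settings`, or document which one is meant to win.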