Provide a way to change the host used for endpoints

[shanedell]

Issue

When running using Contributing.md, once you get to running the CLI issues come up. This is due to everything running in docker so it is trying to use the keycloak docker service as a host. However, if you don't have access to the opentdf_platform and are running another docker container, the host cannot be accessed.

---

Possible fix

To get around this error I believe the sdk could be updated to allow the overriding of the host if specified. Meaning for example the CLI can make a new flag --endpoint-host that is passed to the New function for the SDK. Then the host is replaced with that value, or if its the same do nothing.

---

Steps to reproduce

Standup platform

git clone https://github.com/opentdf/platform.git
cd platform

./.github/scripts/init-temp-keys.sh -o kas-keys

docker-compose up -d --wait

cp opentdf-example.yaml opentdf.yaml

# keycloak data volue was added as the container fails to run without it
docker run --network opentdf_platform \
         -v "$(pwd)/opentdf.yaml:/home/nonroot/.opentdf/opentdf.yaml" \
         -v "$(pwd)/service/cmd/keycloak_data.yaml:/service/cmd/keycloak_data.yaml" \
         -it registry.opentdf.io/platform:nightly provision keycloak -e http://keycloak:8888/auth

docker run --network opentdf_platform \
      -d --name opentdf-platform \
      -p "127.0.0.1:8080:8080" \
      -v "$(pwd)/kas-keys/:/keys/" \
      -v "$(pwd)/opentdf.yaml:/home/nonroot/.opentdf/opentdf.yaml" \
      -it registry.opentdf.io/platform:nightly start

cd ../

Try testing with otdfctl

git clone https://github.com/opentdf/otdfctl.git
cd otdfctl

go run main.go auth client-credentials --host http://localhost:8080 opentdf secret

output received from go command:

Validating client credentials for http://localhost:8080... failed
   ERROR    An error occurred during login. Please check your credentials and try again: Get "http://keycloak:8888/auth/realms/opentdf/.well-known/openid-configuration": dial tcp: lookup keycloak: no such host
exit status 1

[shanedell]

I believe this would also be needed in the case of deploying the platform via a server in a cloud or on premise but trying to use the CLI or perhaps the SDK locally on a laptop. @dmihalcik-virtru @jakedoublev is this type of connection currently supported? Or is only using localhost and/or using keycloak docker service host currently supported?

[jakedoublev]

Hi @shanedell. Apologies, but I'm not totally sure I'm following.

If you replace all references of keycloak:8888 to localhost:8888, do you have success (including in your opentdf.yaml config file)?

The CLI (otdfctl) is more or less a wrapper around the Go SDK that makes gRPC requests as a Client, but any interactions it has with keycloak are driven by values exposed by the platform's well-known configuration (http://localhost:8080/.well-known/opentdf-configuration). Keycloak is used as a reference implementation integration with an identityProvider, but the platform is intended to be pluggable with different idPs.

[shanedell]

@jakedoublev If I change the instances of keycloak inside of opentdf.yaml to localhost the platform container is not able to run:

time=2024-12-04T22:52:57.158Z level=ERROR msg="issue creating opentdf server" error="failed to create authentication interceptor: Get \"http://localhost:8888/auth/realms/opentdf/.well-known/openid-configuration\": dial tcp [::1]:8888: connect: connection refused"
Error: issue creating opentdf server: failed to create authentication interceptor: Get "http://localhost:8888/auth/realms/opentdf/.well-known/openid-configuration": dial tcp [::1]:8888: connect: connection refused
time=2024-12-04T22:52:57.158Z level=ERROR msg="issue starting opentdf" error="issue creating opentdf server: failed to create authentication interceptor: Get \"http://localhost:8888/auth/realms/opentdf/.well-known/openid-configuration\": dial tcp [::1]:8888: connect: connection refused"

To try to work around this the --network flag value can be changed to host but this causes the port not to be able to publish and I believe this is also insecure. So, when doing it fully containerized it seems the keycloak docker service has to be used in the opentdf.yaml or it doesn't work. Changing keycloak to localhost after the platform is up doesn't resolve anything either.

Basically once everything is up and runnning it seems there is no way to connect with the CLI, the only way I can think of it working is running the CLI in a docker container that joins the docker network opentdf_network. This would also be the same for the SDK since to be able to access host keycloak for anything it would need to be connected to the docker network opentdf_network. But I assumed I should be able to run the CLI directly from my machine and be able to hit the platform or be able to connect to the SDK without making that client be containerized necessarily.

However, when running the platform via: go run github.com/opentdf/platform/service start and not inside of docker then everything seems to function perfectly fine.

---

The comment I left is about connecting a connect to a remote server instead of the same machine, for example:

Mac (otdfctl/sdk) -> Linux VM in Digital Ocean (platform)

Is that supported or not currently?

[shanedell]

@jakedoublev Pinging here in case there are some ideas on what I should try to fix my issue and/or info on remote connections.

[strantalis]

@shanedell I think the issue is that keycloak is setting the issuer to http://keycloak:8888. But that hostname is not resolvable outside the docker network. I think in keycloak v25 or v26 you can now have keycloak use an internal url. While frontend clients can access it on the one thats exposed.

https://www.keycloak.org/server/hostname#_utilizing_an_internal_url_for_communication_among_clients