Skip to content

Document Tenzir Gateway CORS and TLS certificate configuration #232

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lava wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Document Tenzir Gateway CORS and TLS certificate configuration #232

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 19 additions & 1 deletion src/content/docs/guides/platform-setup/configure-internal-services.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,4 +152,22 @@ in the identity provider configuration guide.

## Tenzir Gateway

The Tenzir Gateway doesn't offer any user-controlled settings at the moment.
### CORS

When the Tenzir UI frontend connects directly to the Tenzir Gateway from the
browser—the default when `TENZIR_PLATFORM_USE_INTERNAL_WS_PROXY` is `false`—
and the UI and gateway are served from different origins (for example, on
different ports or domains), the browser enforces Cross-Origin Resource Sharing
(CORS) restrictions. You must explicitly allow the UI's origin by setting
`CORS_ALLOWED_ORIGINS` on the `websocket-gateway` service in your
`docker-compose.yaml`:

```yaml
services:
websocket-gateway:
environment:
- CORS_ALLOWED_ORIGINS=https://app.platform.example:3000
```

Specify the full origin including scheme and port. Separate multiple allowed
origins with commas.
19 changes: 19 additions & 0 deletions src/content/docs/guides/platform-setup/configure-reverse-proxy.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,25 @@ services:
- ./ssl/ca.pem:/ssl/ca.pem
```

:::caution[Browser certificate trust for direct gateway connections]
When the browser connects directly to the gateway (the default when
`TENZIR_PLATFORM_USE_INTERNAL_WS_PROXY` is `false`) and the gateway uses a
self-signed certificate, the browser must explicitly trust that certificate.
Because users do not navigate to the gateway port directly, the browser never
shows its usual untrusted-certificate warning page. The only visible symptom is
a vague message such as "Unable to fetch pipelines." The actual cause appears
only in the browser developer console, where it shows a failed connection to the
gateway URL.

To resolve this, open the gateway URL directly in your browser (for example,
`https://nodes.platform.example`) and accept the security exception. After
accepting the certificate, reload the platform UI.

Alternatively, set `TENZIR_PLATFORM_USE_INTERNAL_WS_PROXY=true` to route
gateway traffic through the UI backend. The browser then only needs to trust
the UI certificate, not the gateway certificate.
:::

#### Platform API

To enable TLS serving for the Platform API, mount the certificate into the
Expand Down
Loading