
PGadmin4 on Kubernetes: Session invalidated when using ELB

I have a weird problem with PGAdmin4.

My setup

  • pgadmin 4.1 deployed on kubernetes using the chorss/docker-pgadmin4 image. One POD only to simplify troubleshooting;
  • Nginx ingress controller as reverse proxy on the cluster;
  • Classic ELB in front to load balance incoming traffic on the cluster.

ELB <=> NGINX <=> PGADMIN

From a DNS point of view, the hostname of pgadmin is a CNAME towards the ELB.

The problem

Application is correctly reachable, users can log in and everything works just fine. Problem is that after a couple of (roughly 2-3) minutes the session is invalidated and users are requested to log in again. This happens regardless of the fact that pgadmin is actively used or not.

After countless hours of troubleshooting, I found out that the problem happens when the DNS resolution of ELB's CNAME switches to another IP address.

In fact, I tried:

  • connecting to the pod directly by connecting to the k8s service's node port directly => session doesn't expire;
  • connecting to nginx (bypassing the ELB) directly => session doesn't expire;
  • mapping one of the ELB's IP addresses in my hosts file => session doesn't expire.

Given the above test, I'd conclude that the Flask app (PGAdmin4 is a Python Flask application apparently) is considering my cookie invalid after the remote address changes for my hostname.

Any Flask developer that can help me fix this problem? Any other idea about something I might be missing?

whites11 asked Oct 30 '25 13:10


2 Answers

PGadmin 4 seems to use Flask-Security for authentication:

pgAdmin utilised the Flask-Security module to manage application security and users, and provides options for self-service password reset and password changes etc.

https://www.pgadmin.org/docs/pgadmin4/dev/code_overview.html

Flask-Security seems to use Flask-Login:

Many of these features are made possible by integrating various Flask extensions and libraries. They include: Flask-Login ...

https://pythonhosted.org/Flask-Security/

Flask-Login seems to have a feature called "session protection":

When session protection is active, each request, it generates an identifier for the user’s computer (basically, a secure hash of the IP address and user agent). If the session does not have an associated identifier, the one generated will be stored. If it has an identifier, and it matches the one generated, then the request is OK.

https://flask-login.readthedocs.io/en/latest/#session-protection

I would assume setting login_manager.session_protection = None would solve the issue, but unfortunately I don't know how to set it in PGadmin. Hope it might help you somehow.

Pampy answered Nov 01 '25 04:11


For those looking for a solution, you need to add the below to config.py or config_distro.py or config_local.py

config_local.py

SESSION_PROTECTION = None
Tarun Lalwani answered Nov 01 '25 04:11
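
The session-protection behaviour quoted in the first answer, and the effect of the SESSION_PROTECTION setting from the second, as an added example that is not part of the original answers and is not pgAdmin's or Flask-Login's own code. It is a standard-library model of the documented check (a hash of address and user agent, with Flask-Login's None, "basic" and "strong" modes); the function names, the session dict and the addresses are constructed for illustration.

```python
import hashlib

def make_identifier(remote_addr, user_agent):
    """Hash of the address and user agent the application sees for a request."""
    return hashlib.sha512(f"{remote_addr}|{user_agent}".encode("utf-8")).hexdigest()

def handle_request(session, remote_addr, user_agent, mode="strong"):
    """Apply the session-protection check to one request.

    session: dict standing in for the session cookie contents (constructed).
    mode: None, "basic" or "strong", mirroring SESSION_PROTECTION.
    Returns True if the user is still logged in after the request.
    """
    if "user_id" not in session:
        return False                      # already logged out
    if mode not in ("basic", "strong"):
        return True                       # protection off: identifier never checked
    ident = make_identifier(remote_addr, user_agent)
    if "_id" not in session:
        session["_id"] = ident            # no identifier yet: store this one
        return True
    if session["_id"] == ident:
        return True                       # same address and user agent: OK
    if mode == "basic":
        session["_fresh"] = False         # keep the login, mark it non-fresh
        return True
    session.clear()                       # strong: drop the login entirely
    return False

def replay(addresses, mode):
    """Replay one browser's requests as seen from the given source addresses."""
    session = {"user_id": 1, "_fresh": True}
    user_agent = "Mozilla/5.0 (constructed)"
    return [handle_request(session, addr, user_agent, mode) for addr in addresses]

# Constructed addresses. Assumption: the address the application sees changes
# when the client is routed through a different ELB IP, as the question infers.
VIA_CHANGING_ADDRESS = ["10.0.1.15", "10.0.1.15", "10.0.2.27", "10.0.2.27"]
VIA_STABLE_ADDRESS = ["203.0.113.9"] * 4

if __name__ == "__main__":
    for label, addrs in (("changing", VIA_CHANGING_ADDRESS),
                         ("stable", VIA_STABLE_ADDRESS)):
        for mode in ("strong", "basic", None):
            print(f"{label:8} mode={mode!s:6} logged_in={replay(addrs, mode)}")
```

With the mode set to None the identifier is never compared, so the same session cookie is accepted from any address and user agent; in the model, "strong" keeps the login only while the address seen by the application stays constant.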


