Apologies for the somewhat belated notification of this change. We merged this change on November 27th.
As part of our ongoing work to reduce the divergence between the Phalanx TAP service and the CADC releases, we’ve changed the Phalanx configuration for the TAP services to use the CADC OpenID Connect authentication model. This affects the `tap`, `ssotap`, and `livetap` Phalanx applications. Those services, in the current Phalanx configuration, will look for an OpenID Connect authentication at the root URL of the Phalanx deployment and then use that `userinfo` endpoint to get user information.
What this means for you is that the Gafaelfawr OpenID Connect server must be enabled for the TAP services to work. This requires setting `config.oidcServer.enabled` to `true`.
When you do this, you will also need to set the `oidc-server-secrets` key in the Gafaelfawr secret, however you maintain your Phalanx services. If you have no other clients of the OpenID Connect server, you can set the value of this secret to `[]` (the empty JSON list), but it must be present.
(Details for those who care: the TAP services aren’t really OpenID Connect clients in that they don’t do a full OpenID Connect authentication, which is why they don’t have to be set up in the secret as a valid client. They are just reusing the `userinfo` route and configuration auto-discovery to get user metadata in a format that they know how to parse. Doing this via the configuration and route for the OpenID Connect server is a bit of a hack, but it was the most expedient way to support this pattern.)
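
A preflight check for the two requirements above, as an added example that is not part of the original announcement or of Phalanx or Gafaelfawr. It assumes the Gafaelfawr secret is available as a dict of string values, that the discovery document was fetched from the standard OpenID Connect path under the deployment root, and that client entries are JSON objects; the function names, the hostname and the same-origin rule are assumptions of this sketch.

```python
import json
from urllib.parse import urlsplit

# Standard OpenID Connect discovery path, relative to the deployment root URL.
DISCOVERY_PATH = "/.well-known/openid-configuration"

def check_oidc_server_secrets(secret_data):
    """Return problems with the Gafaelfawr secret (dict of key -> string value)."""
    raw = secret_data.get("oidc-server-secrets")
    if raw is None:
        return ["oidc-server-secrets key is missing; it must be present, even if only []"]
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"oidc-server-secrets is not valid JSON: {exc.msg}"]
    if not isinstance(value, list):
        return ["oidc-server-secrets must be a JSON list"]
    # Assumption of this sketch: each registered client is a JSON object.
    if not all(isinstance(client, dict) for client in value):
        return ["every client entry must be a JSON object"]
    return []

def check_discovery(base_url, discovery):
    """Check a parsed discovery document fetched from base_url + DISCOVERY_PATH."""
    endpoint = discovery.get("userinfo_endpoint")
    if not endpoint:
        return ["discovery document has no userinfo_endpoint"]
    problems = []
    base, ep = urlsplit(base_url), urlsplit(endpoint)
    if ep.scheme != "https":
        problems.append("userinfo_endpoint is not https")
    # The TAP services present user tokens to this endpoint, so this sketch
    # requires it to be on the deployment's own origin.
    if (ep.scheme, ep.netloc) != (base.scheme, base.netloc):
        problems.append("userinfo_endpoint is not on the deployment's own origin")
    return problems

if __name__ == "__main__":
    # Constructed sample data: no other OIDC clients, hypothetical hostname and path.
    secret = {"oidc-server-secrets": "[]"}
    doc = {"userinfo_endpoint": "https://data.example.org/auth/openid/userinfo"}
    for problem in check_oidc_server_secrets(secret) + check_discovery(
        "https://data.example.org", doc
    ):
        print("FAIL:", problem)
```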