POC: OpenShift k8s API proxy as HTTP gateway for DevWorkspace operator #18154

Closed
skabashnyuk opened this issue Oct 21, 2020 · 3 comments
Labels
area/che-server kind/task Internal things, technical debt, and to-do tasks to be performed.

@skabashnyuk
Contributor

Is your task related to a problem? Please describe.

We want to expose the K8s API to the dashboard. #17307 (comment)
So clients can directly communicate with the DevWorkspace operator by creating/updating/reading CRs
or other workspace-related k8s resources.

Describe the solution you'd like

Describe alternatives you've considered

n/a

Additional context

#17307

@skabashnyuk skabashnyuk added the kind/task Internal things, technical debt, and to-do tasks to be performed. label Oct 21, 2020
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Oct 21, 2020
@themr0c themr0c added area/platform and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Oct 23, 2020
@skabashnyuk skabashnyuk added this to the 7.22 milestone Oct 29, 2020
@metlos
Contributor

metlos commented Oct 30, 2020

I'm looking for a ready-made solution that we could use without needing to maintain code ourselves.

Here are the requirements I have on the solution:

  • ability to work with different OAuth2 providers (the ability to use OpenShift OAuth is mandatory here)
  • ability to work on plain k8s as well as OpenShift

So far I have identified 2 candidate solutions:

OpenShift Console

I have tried to directly use the OpenShift console (with a replaced "frontend"). This should work well with OpenShift but is lacking good support for other identity providers or even OpenID Connect due to, for example, hardcoded OAuth scopes or token name. Also, the backend code of the OpenShift console is taking care of much more stuff (monitoring, etc.) that we don't require from this solution.

OAuth2 Proxy

This is a generic, highly configurable authenticating reverse proxy that can be made to work with a variety of identity providers including Keycloak, GitHub, GitLab, Azure, etc.

It seems to be capable of everything OAuth-related but is lacking in the routing. It can handle multiple "upstreams" and distinguish between them based on the request URL path, but it needs to have another path-rewriting proxy before or after it to support proper, more advanced routing (like prefix stripping, etc.). Not sure if we need the routing capabilities though, nor if solving it with another reverse proxy in the chain would be acceptable.

I have not yet tried it with OpenShift OAuth directly without a middleman like Keycloak.

@metlos
Contributor

metlos commented Nov 9, 2020

There's a project with my testing deployments: https://github.com/metlos/k8s-api-proxy-poc

@metlos
Contributor

metlos commented Nov 10, 2020

This is postponed until after we implement #18326.
