Helm charts should include airbyte-proxy to secure API and webapp #17866

Closed
3 tasks
evantahler opened this issue Oct 12, 2022 · 13 comments

Comments

@evantahler
Contributor

evantahler commented Oct 12, 2022

After #17694 is merged in, we should add airbyte-proxy to all OSS Helm charts and K8s deployments.

TODO:

  • Add to helm charts
  • Update Docs
  • ?
@evantahler
Contributor Author

cc @nicor88

@supertopher
Contributor

@davinchia I don't think I understand the upsides to this change. On some level I understand having a layer of basic auth. More context on what we want to get out of this would help me prioritize ProdEng's effort here.

@evantahler
Contributor Author

evantahler commented Nov 30, 2022

I can chime in!

We want to provide OSS Airbyte users with a layer of auth by default. Yes, we tell folks they are responsible for securing their server, but folks will always forget, and so we've adopted a "secure by default" product principle going forward.

The long-term goal is to add users and APIKeys to OSS Airbyte, just like we have for cloud. In the short term, I threw up this Nginx proxy to do... something. Auth is configured via environment variables now, and this works for docker-compose OSS users, but not K8s users. This story is to provide the same experience for K8s users (although you don't have to use the same tools if there's something better for K8s).

  • By default, the Airbyte webapp and API are protected behind basic auth. A random password is best, but a static password is OK
  • Users can easily configure the name & password by which they authenticate

@davinchia
Contributor

Thanks Evan!

@supertopher the simplest way to explain this is to try and run Airbyte Docker locally. You've noticed a password page. We want to enable the same flow in Airbyte Kubernetes.

In addition to this, @benmoriceau is hoping to also leverage the Airbyte Proxy container to blue/green deploy controller changes as we convert the server over to micronaut. He's blocked by the lack of this in Kube for now.

Doing so will:

  1. Bring Airbyte Kube security in line with Airbyte Docker
  2. Allow the old/new controller implementations to live side by side and let Benoit merge in code piecemeal instead of having a long running feature branch as he slowly converts routes.

@fabianofpena

This is really missing! I'm using Airbyte on Kubernetes due to scalability. But the security is poor.

@czomo

czomo commented Apr 19, 2023

Hi @evantahler! I've created a draft for the airbyte-proxy Helm chart.

airbytehq/airbyte-platform#228

@evantahler
Contributor Author

I'm probably not the correct person to take a look at this, so I've asked @davinchia and @marcosmarxm to review your PR!

@octavia-squidington-iii
Collaborator

At Airbyte, we seek to be clear about the project priorities and roadmap. This issue has not had any activity for 180 days, suggesting that it's not as critical as others. It's possible it has already been fixed. It is being marked as stale and will be closed in 20 days if there is no activity. To keep it open, please comment to let us know why it is important to you and if it is still reproducible on recent versions of Airbyte.

@marcosmarxm
Member

Closing, as airbyte-proxy won't be added to the Helm deployment; instead, a Keycloak layer will be added.

@dantonbertuol

> Closing, as airbyte-proxy won't be added to the Helm deployment; instead, a Keycloak layer will be added.

Hi @marcosmarxm, any predictions for this implementation? It is an issue that the community has expressed a lot of interest in.

@marcosmarxm
Member

Yes, this feature is almost ready. It will likely be included in upcoming releases. Stay updated.

@dantonbertuol

> Yes, this feature is almost ready. It will likely be included in upcoming releases. Stay updated.

@marcosmarxm, just one more thing, will it work on the community version?

@dantonbertuol

> Yes, this feature is almost ready. It will likely be included in upcoming releases. Stay updated.

Hi @marcosmarxm, any news about it?


11 participants