🌱 proxy: Optionally enable token auth #2178
Conversation
hardys
force-pushed
the
proxy_auth_methods2
branch
from
ebc6bf0
to
a9c3233
Compare
|
/cc @sttts we discussed this recently and I added some questions, feedback welcome! This is just a first step to enable multi-user dev-testing via the proxy, we can easily add other proxy auth methods e.g OIDC now this is refactored to use |
|
/hold pending discussion re questions and e2e-sharded is not passing |
openshift-ci
bot
added
the
do-not-merge/hold
hardys
force-pushed
the
proxy_auth_methods2
branch
from
a9c3233
to
ff9088d
Compare
|
The e2e-sharded failure is real - it's because the e2e test enables token auth at the shard, but with this PR we'll need to also enable the same token file at the front proxy (since |
hardys
force-pushed
the
proxy_auth_methods2
branch
2 times, most recently
from
8c63d50
to
11d93ae
Compare
|
/retitle 🌱 proxy: Optionally enable token auth |
openshift-ci
bot
changed the title
|
/retitle [WIP] seedling proxy: Optionally enable token auth Marking this WIP - the e2e-sharded job is still failing, but for a different reason. The syncer in the e2e tests uses a bearer token that can't be authenticated via the |
openshift-ci
bot
changed the title
openshift-ci
bot
added
the
do-not-merge/work-in-progress
hardys
changed the title
hardys
force-pushed
the
proxy_auth_methods2
branch
from
11d93ae
to
459e071
Compare
|
/assign @s-urbaniak |
|
There was some discussion on slack about the e2e-sharded failure, summary:
I think there are two possible solutions:
Currently I'm thinking (1) is preferable so we can avoid the duplicated authentication, but this is probably only workable if there are a small number of additional headers required - any opinions on this welcome! :) |
hardys
force-pushed
the
proxy_auth_methods2
branch
from
459e071
to
f12a20c
Compare
|
Turns out there is already support for passing userInfo.Extra via headers in the requestheader authenticator (which the shard already enables, but we need a new arg to enable parsing the extra prefix) That fixes the subset of tests I've been iterating on locally, but will leave this WIP until we get confirmation e2e-sharded is passing |
Currently this still only enables ClientCert authentication but will enable other auth methods to be added more easily in future
For dev/CI testing token auth is a useful option, this enables proxy auth to use this method
Since the proxy now supports token auth, we need this enabled at the proxy API
This is needed for the e2e tests wherer the syncer uses the proxy endpoint and authenticates via a ServiceAccount bearer token
hardys
force-pushed
the
proxy_auth_methods2
branch
from
f12a20c
to
47ac7b5
Compare
This is required for some e2e tests, specifically the syncer uses a service account token to connect via the proxy
The requestheader authenticator enabled at the shard can interpret extra headers when configured to parse headers with a specific prefix, so add these headers and configure the sharded test server to consume them
hardys
force-pushed
the
proxy_auth_methods2
branch
from
47ac7b5
to
5a1a764
Compare
|
/retitle :seedling proxy: Optionally enable token auth The e2e-sharded job is now passing, so removing WIP and this is ready for review. We'll also want to add OIDC, but given this PR already contains several commits I'm planning to propose that as a follow-up (with some details on how to test with a local test OIDC server) One thing to mention - if any additional auth methods are enabled, we require auth at the proxy (but if neither token or service-account auth args are passed, the existing behavior is maintained). I discussed previously that with @sttts and I'm not certain if we view that as acceptable (opt-in to the new "require auth" behavior by specifying auth methods in addition to client-cert), or if we want an explicit "require auth" flag, thoughts on that are welcome! |
|
/retitle 🌱 proxy: Optionally enable token auth |
openshift-ci
bot
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/hold cancel |
openshift-ci
bot
changed the title
openshift-ci
bot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stevekuznetsov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retitle 🌱 proxy: Optionally enable token auth |
openshift-ci
bot
changed the title
This is a partial revert of kcp-dev#2178 - which passed e2e-sharded, but there are reports of that job now taking twice as long with these new auth methods enabled. I'm reverting the Makefile changes to restore the CI job to the previous behavior, and will investigate locally why performance is impacted.
Summary
If we want to use the front-proxy as the gateway to shard APIs, we need to enable more auth methods beyond client cert, e.g for dev/CI we probably want token auth, and for production deployments we probably want to enable OIDC.
This will allow us to reject requests which can't be authenticated before they hit any shard apiserver, and may enable future features such as rate-limiting at the proxy where we need information from authentication.
For testing the first step is to enable token auth, then we can test multiple users etc in the same way existing e2e tests do, e.g for development/CI we can now do this:
In future we can easily add e.g OIDC and any other auth methods supported by the kubeapiserver code