Add kubeappsapis behind nginx #2901
Conversation
There was a problem hiding this comment.
Note that -currently- it uses a privileged SA to list everything, but it is not a production-ready thing and we soon change are changing it to use the user's credentials, it's not a big deal.
Right, I'll feel better about this once the kubeappsapis service requires a --unsafe-use-demo-svc-account or similar to use the service account. Currently it uses it by default for easy testing and because it's not (wasn't) exposed, but as long as that's one of the first changes you'll make to the kubeappsapis service, I'm happy :)
| @@ -139,6 +139,22 @@ data: | |||
| {{- end }} | |||
| } | |||
|
|
|||
| {{- if .Values.featureFlags.kubeappsAPIsServer }} | |||
| location ~* /api/kubeappsapis { | |||
There was a problem hiding this comment.
Could we just use /kubeappsapis or even /apis given that the full paths would then be things like /apis/core/packages/v1alpha1/...
What do you think? It's still behind a featureflag so I've no problem changing it later.
There was a problem hiding this comment.
Good idea indeed, shorter and more concise. Changing right away!
Regarding the SA flag, yep, totally agree. Of course, we are not gonna release a new official version as it is right now,
However, let's see how this flag can be passed through, I'm struggling with passing information towards the plugins. I Will let you know in another PR.
Description of the change
This PR simply adds (if the feature flag is enabled) the current kubeapps-apis behind the nginx reverse proxy. This way, we can pass through the authentication token as in the rest of the services.
Benefits
Besides paving the way for #2851, it also allows using the API without any port-forwarding.
Possible drawbacks
Note that -currently- it uses a privileged SA to list everything, but it is not a production-ready thing and we soon change are changing it to use the user's credentials, it's not a big deal.
Applicable issues
N/A
Additional information
I hope to be sending the auth PR soon :S