Permalink
Switch branches/tags
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
52 lines (32 sloc) 1.84 KB

API Server Proxy

Overview

The Kyma API Server Proxy is a core component that uses JWT authentication to secure access to the Kubernetes API server. It is based on the kube-rbac-proxy project. This Helm chart outlines the component's installation.

Prerequisites

Use these tools to work with the API Server Proxy:

Details

This section describes:

  • How to run the controller locally
  • How to build the Docker image for the production environment
  • How to use the environment variables
  • How to test the Kyma API Server Proxy

Run the component locally

Run Minikube to use the API Server Proxy locally. Run this command to run the application without building the binary:

$ go run cmd/proxy/main.go

API Server Proxy configuration

You can use command-line flags to configure the API Server Proxy. Use these flags to secure the Kubernetes API Server with JWT authentication:

	--upstream="https://kubernetes.default"		 	The upstream URL to proxy to once requests have successfully been authenticated and authorized.
	--oidc-issuer="https://dex.{{ DOMAIN }}"		The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).
	--oidc-clientID="								The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
	--oidc-ca-file="path/to/cert/file"				If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.

Find more details about available flags here

Test

Run all tests:

$ go test -v ./...