Implement header authorization header auth for the dashboard #3402

Open
menardorama opened this issue Sep 7, 2019 · 4 comments

@menardorama

Feature Request

Permit authentication in the dashboard based on authorisation header.

What problem are you trying to solve?

Use a central authentication mechanism (such as Keycloak) which gives users full access to objects they are granted using RBACs.

How should the problem be solved?

Implement Header authorisation token like in the Kubernetes dashboard.
Then you can use dex or Keycloak or any OAuth server to provide secure access.

@grampelberg
Contributor

This would be fantastic to get. I wonder if this could be wired up with linkerd dashboard to work on clusters that don't use oauth for k8s accounts.

@grampelberg grampelberg added this to To do in Help Wanted via automation Sep 9, 2019

@StupidScience
Contributor

Hi @grampelberg.
I'd like to give it a try.
I've investigated a bit and it looks like it's possible to reuse some of the kubernetes-dashboard packages for this feature.
Can you please help me to understand the full scope of this task and maybe decompose it a bit?

As I can see:

  1. Implement Authorization header usage;
  2. Add some flag for installation (helm variable as well) so linkerd-dashboard will run as service account with minimal vital permissions;
  3. Add documentation for this and add some examples of configuration (e.g. with nginx-ingress + oauth2-proxy);
  4. Add login screen so auth with token/kubeconfig will be available (looks like out of scope).

WDYT?

@grampelberg
Contributor

Sounds like the right list, just a couple comments:

> Add some flag for installation (helm variable as well) so linkerd-dashboard will run as service account with minimal vital permissions;

This is already covered by --restrict-dashboard-privileges.

> Add login screen so auth with token/kubeconfig will be available (looks like out of scope).

Let's leave this out of scope right now.

@grampelberg
Contributor

@StupidScience I'd split this into at least a couple PRs as it'll take more than just implementing the header usage (you'll need to get impersonation working as well). You'll want to get a POC and short design together before doing any serious polishing.
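
An added example, not code from this thread or from the Linkerd project: the Authorization header pass-through the issue asks for, in standard-library Go, so that the API server's RBAC rather than the dashboard's service account decides what each user sees. `bearerToken` and `forwardAs` are hypothetical names, the API server in `main` is a constructed stand-in with a constructed sample token, and the impersonation mentioned in the last comment is not covered.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// bearerToken accepts exactly one "Authorization: Bearer <token>" header.
func bearerToken(r *http.Request) (string, bool) {
	if vals := r.Header.Values("Authorization"); len(vals) == 1 {
		if p := strings.Fields(vals[0]); len(p) == 2 && strings.EqualFold(p[0], "Bearer") {
			return p[1], true
		}
	}
	return "", false
}

// forwardAs (hypothetical) calls apiURL as the caller and returns the status to relay.
func forwardAs(c *http.Client, apiURL string, in *http.Request) int {
	tok, ok := bearerToken(in)
	if !ok {
		return http.StatusUnauthorized // never fall back to the dashboard's own identity
	}
	out, err := http.NewRequestWithContext(in.Context(), http.MethodGet, apiURL, nil)
	if err != nil {
		return http.StatusInternalServerError
	}
	out.Header.Set("Authorization", "Bearer "+tok) // the only client header forwarded
	resp, err := c.Do(out)
	if err != nil {
		return http.StatusBadGateway
	}
	resp.Body.Close()
	return resp.StatusCode // the API server's RBAC decision: 200, 401 or 403
}

func main() {
	// Constructed stand-in for the Kubernetes API: it accepts one sample token.
	api := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer sample-user-token" {
			w.WriteHeader(http.StatusForbidden)
		}
	}))
	defer api.Close()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Authorization", "Bearer sample-user-token")
	fmt.Println("status:", forwardAs(api.Client(), api.URL, req))
}
```

Because the outbound request is built from scratch, headers such as `Impersonate-User` sent by the browser never reach the API server.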
