Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Task] Place auth-proxy in front of split storage and database deployments #115

Closed
Tracked by #110
andrewazores opened this issue Jan 18, 2024 · 4 comments
Closed
Tracked by #110

[Task] Place auth-proxy in front of split storage and database deployments #115

andrewazores opened this issue Jan 18, 2024 · 4 comments
Labels
blocked question Further information is requested

Comments

@andrewazores
Copy link
Member

andrewazores commented Jan 18, 2024
edited
Loading

See https://github.com/cryostatio/cryostat-operator/wiki/Security-and-Authz#scenario , #114
This was referenced Jan 18, 2024
Closed
Merged
@andrewazores andrewazores moved this to Todo in 3.0.0 release Feb 13, 2024
@andrewazores andrewazores moved this from Todo to Stretch Goals in 3.0.0 release Mar 19, 2024
@andrewazores
Copy link
Member Author

cryostat-db should also be placed into its own Deployment with its own auth proxy.

Need to determine what that means for auth. The db, and for now the storage, should only be accessible by Cryostat. This can be done with a network policy restricting traffic only to the one Cryostat instance in the same namespace, but should also be done at the auth level. In the OpenShift case, would Cryostat just use its own k8s serviceaccount token? In the oauth2_proxy case would we generate an htpasswd and use Basic auth?

@andrewazores andrewazores moved this to Backlog in 4.0.0 release Jun 7, 2024
@tthvo tthvo mentioned this issue Jul 15, 2024
Merged
@andrewazores andrewazores self-assigned this Aug 14, 2024
@andrewazores andrewazores moved this from Backlog to In progress in 4.0.0 release Aug 14, 2024
This was referenced Aug 14, 2024
Merged
Closed
andrewazores added a commit to andrewazores/cryostat-storage that referenced this issue Aug 16, 2024
@andrewazores
fix(startup): improve startup detection for bucket creation
240485d 
See cryostatio#4
Related to cryostatio/cryostat-helm#115
@andrewazores andrewazores mentioned this issue Aug 16, 2024
Merged
7 tasks
andrewazores added a commit to andrewazores/cryostat-storage that referenced this issue Aug 20, 2024
@andrewazores
fix(startup): improve startup detection for bucket creation
61509a8 
See cryostatio#4
Related to cryostatio/cryostat-helm#115
andrewazores added a commit to cryostatio/cryostat-storage that referenced this issue Sep 6, 2024
@andrewazores
fix(startup): improve startup detection for bucket creation (#23)
ff64237 
See #4
Related to cryostatio/cryostat-helm#115
mergify bot pushed a commit to cryostatio/cryostat-storage that referenced this issue Sep 9, 2024
@andrewazores @mergify
fix(startup): improve startup detection for bucket creation (#23)
8c3ff15 
See #4
Related to cryostatio/cryostat-helm#115

(cherry picked from commit ff64237)
@mergify mergify bot mentioned this issue Sep 9, 2024
Merged
7 tasks
andrewazores added a commit to cryostatio/cryostat-storage that referenced this issue Sep 9, 2024
@mergify @andrewazores
fix(startup): improve startup detection for bucket creation (backport #…
17045f9 
…23) (#24)

fix(startup): improve startup detection for bucket creation (#23)

See #4
Related to cryostatio/cryostat-helm#115

(cherry picked from commit ff64237)

Co-authored-by: Andrew Azores <[email protected]>
@andrewazores
Copy link
Member Author

Both the Storage and DB containers are already set up with simple authentication using generated Secrets. Adding an oauth2 proxy in Basic mode in front to enforce authentication doesn't seem like it adds anything new. Using the OpenShift oauth proxy in front to use the Cryostat serviceaccount instead of generated credentials might be nice, but probably only works for the HTTP-based Storage and adds a hard dependency on OpenShift.

Using kube-rbac-proxy instead for authentication and k8s serviceaccount authorization would be nice, but this also seems like it likely only works for HTTP-based storage and not the JDBC database. Also, kube-rbac-proxy requires TLS configuration, so this would mean either we require the user to supply TLS configuration via Secrets, or else we have to add a dependency on something like cert-manager to automate this.

Related: #168

@andrewazores andrewazores added question Further information is requested blocked labels Oct 28, 2024
@andrewazores andrewazores removed their assignment Oct 28, 2024
@andrewazores andrewazores changed the title [Task] Move cryostat-storage into its own Deployment with its own oauth2-proxy [Task] Place auth-proxy in front of split storage and database deployments Oct 28, 2024
@andrewazores
Copy link
Member Author

There are actually TLS-related Helm functions available:

https://helm.sh/docs/chart_template_guide/function_list/#cryptographic-and-security-functions

These look like a reasonable alternative to cert-manager for the Helm chart's purposes.

@andrewazores
Copy link
Member Author

Closing - the remaining viable ideas here are a duplicate of #168.

@github-project-automation github-project-automation bot moved this from In progress to Done in 4.0.0 release Oct 31, 2024
@andrewazores andrewazores mentioned this issue Oct 31, 2024
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocked question Further information is requested
Projects
4.0.0 release
Status: Done
3.0.0 release
Status: Stretch Goals
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andrewazores