
[Task] Place auth-proxy in front of split storage and database deployments #115

Closed
Tracked by #110
andrewazores opened this issue Jan 18, 2024 · 4 comments
Labels
blocked question Further information is requested

Comments

@andrewazores (Member)

andrewazores commented Jan 18, 2024

See https://github.com/cryostatio/cryostat-operator/wiki/Security-and-Authz#scenario , #114

@andrewazores andrewazores moved this to Todo in 3.0.0 release Feb 13, 2024
@andrewazores andrewazores moved this from Todo to Stretch Goals in 3.0.0 release Mar 19, 2024
@andrewazores (Member Author)

cryostat-db should also be placed into its own Deployment with its own auth proxy.

Need to determine what that means for auth. The db, and for now the storage, should only be accessible by Cryostat. This can be done with a network policy restricting traffic only to the one Cryostat instance in the same namespace, but should also be done at the auth level. In the OpenShift case, would Cryostat just use its own k8s serviceaccount token? In the oauth2_proxy case would we generate an htpasswd and use Basic auth?
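The network-level restriction mentioned in the comment above, written out as an added Helm template that is not part of the Cryostat Helm chart. It admits ingress to the storage pods only from the Cryostat pod of the same release in the same namespace; the label keys, the `cryostat-storage`/`cryostat` label values and the `.Values.storage.port` value are assumptions for illustration. The same shape, with a different pod selector and port, covers the database Deployment.

```yaml
# Added example, not the chart's own template. Labels and the port value
# are assumed; adjust them to the selectors the chart actually renders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-storage-ingress
  namespace: {{ .Release.Namespace }}
spec:
  # The pods being protected: the split-out storage Deployment.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: cryostat-storage
      app.kubernetes.io/instance: {{ .Release.Name }}
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A bare podSelector (no namespaceSelector) is scoped to the
        # policy's own namespace, so only this release's Cryostat pod
        # in this namespace is admitted.
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: cryostat
              app.kubernetes.io/instance: {{ .Release.Name }}
      ports:
        - protocol: TCP
          port: {{ .Values.storage.port }}  # assumed values key
```

Because `policyTypes` lists only `Ingress`, all other inbound traffic to the selected pods is denied once the policy exists; egress is untouched. The policy is only enforced if the cluster's CNI plugin implements NetworkPolicy, which is why the comment is right to treat it as a complement to, not a replacement for, authentication on the storage and database endpoints themselves.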

@andrewazores andrewazores moved this to Backlog in 4.0.0 release Jun 7, 2024
@andrewazores andrewazores self-assigned this Aug 14, 2024
@andrewazores andrewazores moved this from Backlog to In progress in 4.0.0 release Aug 14, 2024
andrewazores added a commit to andrewazores/cryostat-storage that referenced this issue Aug 16, 2024
andrewazores added a commit to andrewazores/cryostat-storage that referenced this issue Aug 20, 2024
andrewazores added a commit to cryostatio/cryostat-storage that referenced this issue Sep 6, 2024
mergify bot pushed a commit to cryostatio/cryostat-storage that referenced this issue Sep 9, 2024
andrewazores added a commit to cryostatio/cryostat-storage that referenced this issue Sep 9, 2024
…23) (#24)

fix(startup): improve startup detection for bucket creation (#23)

See #4
Related to cryostatio/cryostat-helm#115

(cherry picked from commit ff64237)

Co-authored-by: Andrew Azores <aazores@redhat.com>
@andrewazores (Member Author)

Both the Storage and DB containers are already set up with simple authentication using generated Secrets. Adding an oauth2 proxy in Basic mode in front to enforce authentication doesn't seem like it adds anything new. Using the OpenShift oauth proxy in front to use the Cryostat serviceaccount instead of generated credentials might be nice, but probably only works for the HTTP-based Storage and adds a hard dependency on OpenShift.

Using kube-rbac-proxy instead for authentication and k8s serviceaccount authorization would be nice, but this also seems like it likely only works for HTTP-based storage and not the JDBC database. Also, kube-rbac-proxy requires TLS configuration, so this would mean either we require the user to supply TLS configuration via Secrets, or else we have to add a dependency on something like cert-manager to automate this.

Related: #168

@andrewazores andrewazores added question Further information is requested blocked labels Oct 28, 2024
@andrewazores andrewazores removed their assignment Oct 28, 2024
@andrewazores andrewazores changed the title [Task] Move cryostat-storage into its own Deployment with its own oauth2-proxy [Task] Place auth-proxy in front of split storage and database deployments Oct 28, 2024
@andrewazores (Member Author)

There are actually TLS-related Helm functions available:

https://helm.sh/docs/chart_template_guide/function_list/#cryptographic-and-security-functions

These look like a reasonable alternative to cert-manager for the Helm chart's purposes.
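An added example, not the chart's own template, of using the Helm functions linked above to produce the TLS material that the earlier comment says a proxy such as kube-rbac-proxy would require, without a cert-manager dependency. `genCA` creates a self-signed CA and `genSignedCert` issues a leaf certificate signed by it; both are Sprig functions documented at the link above. The Secret name, the service name `cryostat-storage` and the validity of 365 days are assumptions.

```yaml
# Added example; the Secret name, DNS names and validity are assumed.
# genCA "<cn>" <days> returns an object with .Cert and .Key (PEM).
{{- $ca := genCA "cryostat-storage-ca" 365 }}
# genSignedCert "<cn>" <ip list> <dns list> <days> <ca>
# The SANs cover the in-cluster service name and its namespaced form,
# which is what Cryostat would connect to.
{{- $svc := "cryostat-storage" }}
{{- $sans := list $svc (printf "%s.%s.svc" $svc .Release.Namespace) }}
{{- $cert := genSignedCert $svc (list) $sans 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-storage-tls
  namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
  # Served by the proxy in front of the storage container.
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
  # Distributed to the client (Cryostat) so it can verify the proxy.
  ca.crt: {{ $ca.Cert | b64enc }}
```

One caveat worth weighing against cert-manager: these functions run at template-render time, so every `helm upgrade` produces a fresh CA and certificate. Pods that mounted the old Secret must be restarted to pick up the new one, and any client that pinned the previous `ca.crt` will fail verification until it is updated. Helm's `lookup` function can be used to reuse an existing Secret across upgrades, at the cost of a template that behaves differently under `helm template` (where `lookup` returns nothing) than under `helm install`.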

@andrewazores (Member Author)

Closing - the remaining viable ideas here are a duplicate of #168.

Projects
Status: Done
Status: Stretch Goals