Add OAuth to external endpoints #140

Merged

@ruivieira ruivieira commented Nov 6, 2023

Add authentication to external endpoints (Route) for the TrustyAI service.

Each TrustyAI service will now require authentication for both browser and direct HTTP access.
When using from the browser, a login page will be presented (if the user is not already logged in).
When using direct HTTP access, a user token can be used for authentication.

Implementation

The operator now deploys an oauth-proxy sidecar container to each TrustyAI service.
The operator also provides a service account for each oauth-proxy with permissions for tokenreviews and subjectaccessreviews.
The route will now direct traffic to oauth-proxy, which authenticates the provided user credentials (user tokens for HTTP access).

Example (HTTP)

Assuming a TrustyAI service named trustyai-service in namespace test:

TOKEN=$(oc whoami -t)
curl -v -k https://trustyai-service-test.apps-crc.testing/q/metrics  # access not allowed
curl -v -k -H "Authorization: Bearer ${TOKEN}" https://trustyai-service-test.apps-crc.testing/q/metrics # access allowed
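
The RBAC described under Implementation, sketched as manifests. This is an added example, not the operator's own manifests from this pull request; the object names are hypothetical and the namespace `test` is taken from the example above.

```yaml
# Added illustration. All metadata.name values are hypothetical placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: trustyai-service-proxy          # hypothetical; identity the oauth-proxy sidecar runs as
  namespace: test
---
# tokenreviews and subjectaccessreviews are cluster-scoped resources, so a
# namespaced Role cannot grant them; a ClusterRole is required.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: trustyai-service-proxy-auth     # hypothetical
rules:
  # Lets the proxy ask the API server whether a presented bearer token is valid.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  # Lets the proxy ask whether the authenticated user may perform an action.
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: trustyai-service-proxy-auth-test   # hypothetical; one binding per service account
subjects:
  - kind: ServiceAccount
    name: trustyai-service-proxy
    namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: trustyai-service-proxy-auth
# Check the grant is exactly what is intended (both should answer "yes"):
#   oc auth can-i create tokenreviews.authentication.k8s.io \
#     --as=system:serviceaccount:test:trustyai-service-proxy
#   oc auth can-i create subjectaccessreviews.authorization.k8s.io \
#     --as=system:serviceaccount:test:trustyai-service-proxy
```

The two rules match what the built-in `system:auth-delegator` ClusterRole grants; the service account needs nothing beyond `create` on these two resources to delegate authentication and authorization checks.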

@ruivieira ruivieira added the kind/enhancement New feature or request label Nov 6, 2023
@ruivieira ruivieira requested review from danielezonca and a team November 6, 2023 10:45
@ruivieira ruivieira self-assigned this Nov 6, 2023
@ruivieira ruivieira requested review from tteofili and RobGeada and removed request for a team November 6, 2023 10:45
@ruivieira ruivieira linked an issue Nov 6, 2023 that may be closed by this pull request
@ruivieira ruivieira added this to the Release 1.12.0 (Operator) milestone Nov 6, 2023
@ruivieira ruivieira changed the title [WIP] Add OAuth to external endpoints Add OAuth to external endpoints Nov 8, 2023
# Conflicts:
#	config/rbac/kustomization.yaml
#	controllers/suite_test.go

openshift-ci bot commented Nov 20, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tteofili

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot removed the lgtm label Nov 27, 2023

openshift-ci bot commented Nov 27, 2023

New changes are detected. LGTM label has been removed.

@ruivieira
Member Author

/test all

@ruivieira
Member Author

/test all

@ruivieira ruivieira merged commit 3af6912 into trustyai-explainability:main Nov 28, 2023
3 checks passed
ruivieira pushed a commit to ruivieira/trustyai-service-operator that referenced this pull request Jan 5, 2025
…ices/konflux/component-updates/ta-lmes-driver-216

chore(deps): update ta-lmes-driver-216 to 18a9e67
Labels
kind/enhancement New feature or request ok-to-test
Successfully merging this pull request may close these issues.

Enable oauth-proxy for service's endpoints
3 participants