Open ca-scribner opened 5 months ago
Thank you for reporting us your feedback!
The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-5228.
This message was autogenerated
Notes from an initial meeting between Kubeflow and Identity teams:
Thanks for the summary!
IMO the main pain point we have right now is that the AuthService is unmaintained. So unless we have a solution that replaces AuthService as well, I don't see much value in just replacing Dex. There's no burning need or issue with Dex right now from our side.
Then some concerns I had from the above:
- https from browser: This will create a very bad UX for users that just spin out KF to play around locally
- in-cluster tls: This cycle we are going full on with more Istio support, which also includes mTLS between the pods in the Istio mesh. Then there's going to be the mesh team that will also take a stab at the mTLS problem. I feel it's too soon to commit, since the moving pieces we need (Istio down the road from another team) might clash with decisions currently in the Identity Charms
- Ingress story: Another pain point, as we'd either
So from our side, in my mind, the requirements to integrate with Identity team's charms are:
cc @ca-scribner @DnPlas @shipperizer
@kimwnasptd
I think we can kinda fix that by either having a good local ACME setup for certificates, or we could add some machinery to accept self-signed certificates and create a local DNS record in the /etc/hosts file
other solution would be to have it all in dev mode, IDP included (as pointed out by @nsklikas and Massi) but this makes me wonder if that is the use case we want to cater for
I do think that for some stuff our solution is overkill (local development) but for other it should be the go-to one (production)
Using a publicly trusted certificate provider would bypass the problem, but as said, this is true for production deployments I guess; locally it won't, unless someone is happy to part with $10 a year minimum for their own domain
Networking wise, I don't see a major problem in getting it working as long as the requirements we have for istio deployment (ability to spin up a load balancer, DNS management and domain ownership) can be extended to traefik
anyway, happy to have another chat if needed
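The self-signed route mentioned in the comment above (a throw-away local CA that the client trusts explicitly, plus an /etc/hosts entry for the dev hostname) in runnable form. This is an added example, not code from this issue, from Charmed Kubeflow or from the Identity charms. The hostname kubeflow.local and the address 10.64.140.43 are constructed placeholders standing in for whatever the cluster's load balancer hands to the ingress. The security-relevant point it demonstrates is that "accepting self-signed certificates" means pinning one local CA in the client's root pool, not disabling certificate verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// LocalDevPKI is a throw-away CA plus one server certificate for a local
// Kubeflow ingress hostname, generated in memory (CAPEM goes to the browser's
// trust store, the leaf to the ingress).
type LocalDevPKI struct {
	CACert *x509.Certificate
	CAPEM  []byte
	Leaf   *x509.Certificate
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

// NewLocalDevPKI creates a local CA and issues a server cert for host and ip
// (both caller-supplied assumptions, e.g. kubeflow.local and the ingress IP).
func NewLocalDevPKI(host string, ip net.IP) (*LocalDevPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Local Kubeflow dev CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(7 * 24 * time.Hour), // short-lived on purpose
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // can sign leaves, never sub-CAs
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert, caDER, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match SANs, not the CN
		IPAddresses:  []net.IP{ip},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(7 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return &LocalDevPKI{CACert: caCert, CAPEM: caPEM, Leaf: leaf}, nil
}

// RootPool is a trust store holding only the local CA; put this in a client's
// tls.Config RootCAs rather than setting InsecureSkipVerify.
func (p *LocalDevPKI) RootPool() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(p.CACert)
	return pool
}

// Verify runs the same chain and hostname check a TLS client performs. A nil
// pool means the system roots, which do not contain the dev CA.
func (p *LocalDevPKI) Verify(hostname string, roots *x509.CertPool) error {
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		DNSName:   hostname,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// HostsLine is the /etc/hosts entry pinning the dev hostname to the ingress IP.
func HostsLine(ip net.IP, host string) string {
	return fmt.Sprintf("%s\t%s", ip, host)
}
```

Usage: write CAPEM into the browser or OS trust store (or use RootPool() as RootCAs in a Go client), hand the leaf and its key to the ingress, and append HostsLine to /etc/hosts. The CA is deliberately short-lived and MaxPathLenZero, so a leaked dev CA cannot be used to mint further CAs, and the leaf carries the hostname as a SAN because modern clients ignore the CN.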
Context
This is a tracking issue for replacing Dex in the Charmed Kubeflow bundle with the Canonical Identity Platform. The goal of this effort is to no longer provide an authentication integration solution in Charmed Kubeflow itself, but instead to rely on a general solution provided by the Canonical Identity team.
What needs to get done
Definition of Done