Proxy processor

[msftcoderdjw]

Hi @Haishi2016 , I want to make sure my understanding is correct on this change. This PR is trying to avoid stage / campaign users to do malicious operation with Symphony control plane permissions.

The changes include,

1. We introduced optional proxy field to StageSpec in Campaign, so there's a potential API contract change.
2. When users specify proxy option to hint Symphony control plane. Symphony control plane will invoke a REST call to another process to do operations. And this process can be a standalone Symphony agent with different privilege.
3. If users don't specify proxy option, it will still follow previous route and share Symphony control plane privilege.

For this part, should we authenticate the remote processor? What if remote processor injects some malicious data? And do we expect end-users to deploy this processor agent and control its security?

Is there any misunderstanding here?

[Haishi2016]

1. Authentication should be the same as we authenticate with the API server (it's the same code base so when the authentication mechanism is available, we can leverage it)
2. Yes, user needs to deploy the "stage runner" container/process - we can include in our Helm chart to provide a default "stage runner", and we can extend maestro tool to help users to deploy additional runners.
3. With the isolation, and advisory can still certainly inject invalid data. However, as long as we guard against things like script injection we have a much smaller attack surface.