Open jstrachan opened 8 years ago
we should be able to either configure the console to enable it; or have multiple apps folks can run for the console based on if using kubernetes with no auth, kubernetes with basic auth for the REST API, kubernetes with OAuth (e.g. GKE)
Just deployed fabric8 on GKE - no auth was enabled by default.
For GKE, would the recommended way to secure the fabric8 system be to use the firewall for now, until a proper authentication and authorization mechanism can be placed?
Weeks back when I first set up fabric8 in GKE I had to use the cluster username and password in order for me to access the fabric8 console though. It was a simple HTTP authentication. What happened to that? It would happen if I accessed by IP instead of XIP or domain.
If the API server has basic auth we could force the console to be accessed through that, yeah. I'd prefer to wire in an OAuth endpoint though really so we can start using OAuth everywhere
Keycloak perhaps? Should be configurable afaik
I got the Keycloak app going including persistence - it looked pretty nice! Might be worth seeing if it can be integrated with the console?
Definitely!!! Let's try that ASAP
Has anyone determined a way to resolve this adequately at this time? Fabric8 appears to be a wonderful project; very exciting to see. :)
UPDATE: You can access it behind k8s' default password-protected proxy: https://KUBE-IP/api/v1/proxy/namespaces/fabric8/services/fabric8
You'll likely then want to delete or in some way disable the fabric8-http & fabric8-https firewall rules.
FWIW, I was able to password protect fabric8 behind the ingress by disabling fabric8's nginx-ingress (gofabric --ingress=false or delete the deployment) and use gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.2 instead:
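An added example, not the commenter's own configuration: an Ingress for the fabric8 service that asks the nginx ingress controller to enforce HTTP basic auth. The Ingress name, Secret names, host and service port are assumptions, and the `ingress.kubernetes.io/` annotation prefix is the one used by controller releases of that period (later releases use `nginx.ingress.kubernetes.io/`).

```yaml
# Added example; names, host and port are assumptions, not values from the thread.
# 1. Create an htpasswd file and store it in a Secret under the key "auth":
#      htpasswd -c auth admin
#      kubectl -n fabric8 create secret generic fabric8-basic-auth --from-file=auth
# 2. Apply this Ingress; the controller answers 401 until valid credentials are sent.
apiVersion: extensions/v1beta1        # Ingress API group of that Kubernetes era
kind: Ingress
metadata:
  name: fabric8-console               # hypothetical name
  namespace: fabric8
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/auth-secret: fabric8-basic-auth   # Secret from step 1
    ingress.kubernetes.io/auth-realm: "fabric8 console"
spec:
  tls:
  - hosts:
    - fabric8.example.com             # placeholder host
    secretName: fabric8-tls           # hypothetical TLS Secret; basic auth credentials need TLS
  rules:
  - host: fabric8.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: fabric8        # service name as in the proxy URL above
          servicePort: 80             # assumption; use the port the service exposes
```

The Secret has to live in the same namespace as the Ingress, and any other route to the service (such as the fabric8-http and fabric8-https firewall rules mentioned above) bypasses this check if left open.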
@lngr I tried the ingress way to protect the console, but I just got 503 service temp unavailable, so I suppose the ingress protection didn't work well. Could you let me know more details on how you did that? Have you changed the deploy of the new nginx-ingress, and have you provided a cm for it?
@shuang-x-zhao-qq No idea, sorry (I have since left that project). What I did is essentially described in the previous post.
@lngr OK, thanks anyway
e.g. using basic auth or something in lieu of an OAuth implementation integrated into kubernetes