knative-extensions / backstage-plugins

Knative plugins for Backstage.
Apache License 2.0

Protect the backend #34

Open aliok opened 5 months ago

aliok commented 5 months ago

Currently it is expected to have the backend accessible without any authn/authz by the plugin. However, we need to protect the backend with some mechanism.

For example the Kubernetes plugin expects an API Server token in the Backstage configuration.

IMO, we should by default enable this protection, but also allow no protection for trying-it-out purposes.

aliok commented 5 months ago

What kind of protection?

Some examples:

In our case, we also have a SA:

https://github.com/knative-extensions/backstage-plugins/blob/408beed6455b648286e4873647a859fd150cdd94/backends/config/100-eventmesh/200-controller-service-account.yaml

But it is directly used by the controller:

https://github.com/knative-extensions/backstage-plugins/blob/408beed6455b648286e4873647a859fd150cdd94/backends/config/100-eventmesh/500-controller.yaml#L28

On the backend, we can expect a token along with the request and validate that token against the SA we're using.

i.e.: https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/

There can be a better way though.
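A sketch of the TokenReview check described in the comment above, added here as an example and not code from this repository. It uses only the Go standard library in place of client-go, and the service account name, namespace and audience are placeholders; the point it adds is that `authenticated: true` alone admits any service account in the cluster, so the backend also has to pin the identity and the audience.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal TokenReview (authentication.k8s.io/v1), stdlib only; the backend POSTs it to /apis/authentication.k8s.io/v1/tokenreviews.
type TokenReview struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Spec       TokenReviewSpec   `json:"spec"`
	Status     TokenReviewStatus `json:"status"`
}
type TokenReviewSpec struct {
	Token     string   `json:"token"`               // the caller's token, nothing else
	Audiences []string `json:"audiences,omitempty"` // pin the token to this backend
}
type TokenReviewStatus struct {
	Authenticated bool     `json:"authenticated"`
	Audiences     []string `json:"audiences,omitempty"`
	User          struct {
		Username string `json:"username"`
	} `json:"user"`
	Error string `json:"error,omitempty"`
}

// NewTokenReview builds the request body for the token the plugin presented.
func NewTokenReview(token, audience string) ([]byte, error) {
	return json.Marshal(TokenReview{APIVersion: "authentication.k8s.io/v1", Kind: "TokenReview",
		Spec: TokenReviewSpec{Token: token, Audiences: []string{audience}}})
}

// CheckTokenReview: authenticated alone admits any SA in the cluster, so also pin identity (system:serviceaccount:<ns>:<name>) and audience.
func CheckTokenReview(resp []byte, expectedSA, audience string) error {
	var tr TokenReview
	if err := json.Unmarshal(resp, &tr); err != nil {
		return fmt.Errorf("malformed TokenReview: %w", err)
	}
	if !tr.Status.Authenticated {
		return fmt.Errorf("token rejected: %s", tr.Status.Error)
	}
	if tr.Status.User.Username != expectedSA {
		return fmt.Errorf("unexpected identity %q", tr.Status.User.Username)
	}
	for _, a := range tr.Status.Audiences {
		if a == audience {
			return nil
		}
	}
	return fmt.Errorf("audience %q not confirmed by the API server", audience)
}
```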

aliok commented 4 months ago

cc @pierDipi @matzew

ahmetcihank commented 3 months ago

/assign

github-actions[bot] commented 1 week ago

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.