munnerz / kube-plex

Scalable Plex Media Server on Kubernetes -- dispatch transcode jobs as pods on your cluster!
Apache License 2.0
1.23k stars 191 forks

Create authentication proxy sidecar container #13

Open munnerz opened 6 years ago

munnerz commented 6 years ago

In order to remove the requirement to authorise the pod network universally without authentication, and to simplify the string replacement performed in the kube-plex binary, we can create an authenticating proxy sidecar container that is run alongside each instance of Plex New Transcoder.

This should listen on 127.0.0.1:32400, and simply proxy requests to the main Plex transcoder if they don't already contain auth headers. This should wrap the problematic ffmpeg call to plex-media-server:32400/.../manifest properly, thus removing the need to allow unauthenticated connections from the rest of the cluster.

rmb938 commented 5 years ago

@munnerz Do you have an example of what the auth headers are and what they should contain? It seems like the Plex whitelist only allows RFC 1918 IPs; however, my Kubernetes cluster is deployed with 100.64/10 IPs, so the whitelist doesn't work.
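A sketch of the sidecar proposed in this issue, as an added example that is not code from kube-plex or from any commenter: a loopback-only reverse proxy that adds a credential only when the caller sent none. The `X-Plex-Token` header name is an assumption (the issue does not name the header), and `newAuthProxy`, `PMS_URL` and `PLEX_TOKEN` are hypothetical names.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// tokenHeader is an assumption: Plex clients normally authenticate with
// X-Plex-Token (header or query parameter); the issue does not name it.
const tokenHeader = "X-Plex-Token"

// newAuthProxy forwards every request to upstream and adds the token only
// when the caller supplied no credential of its own.
func newAuthProxy(upstream *url.URL, token string) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		// Rewrite (Go 1.20+) runs after hop-by-hop headers are removed, so a
		// "Connection: X-Plex-Token" request header cannot strip the token.
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(upstream) // point scheme, host and Host header at upstream
			if pr.In.Header.Get(tokenHeader) == "" &&
				pr.In.URL.Query().Get(tokenHeader) == "" {
				pr.Out.Header.Set(tokenHeader, token)
			}
		},
	}
}

func main() {
	// PMS_URL and PLEX_TOKEN are hypothetical variable names, e.g. populated
	// from a Kubernetes Secret exposed to the transcoder pod.
	upstream, err := url.Parse(os.Getenv("PMS_URL"))
	if err != nil || upstream.Host == "" {
		log.Fatal("PMS_URL must be an absolute URL")
	}
	token := os.Getenv("PLEX_TOKEN")
	if token == "" {
		log.Fatal("PLEX_TOKEN is empty")
	}
	// Loopback only: other pods on the cluster network must not be able to
	// reach this listener and borrow the token.
	log.Fatal(http.ListenAndServe("127.0.0.1:32400", newAuthProxy(upstream, token)))
}
```

Because the credential travels with each request, the main server no longer has to trust the pod by source address, which also sidesteps clusters whose pod range falls outside the whitelist.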