openshift / origin

Conformance test suite for OpenShift
http://www.openshift.org
Apache License 2.0

Clientauth for services #16521

Open mar1ged opened 7 years ago

mar1ged commented 7 years ago

This is more a feature request than an issue.

I know it is possible to use client-certificate-based authentication within OpenShift, for example while logging into the console or using the API endpoint. What I am trying to achieve is the use of clientauth for services. I know it is possible to tell OpenShift to pass SSL connections to the pods and have them do the SSL handshake and, if needed, client certificate authentication. But this involves setting up the whole thing inside the pods. In my scenario this would mean setting up a haproxy that does the job inside the container. From my point of view it would be better if "the platform" could handle this.

I have seen that it is possible to deploy customized routers to OpenShift, but I found no way of setting up haproxy-specific configuration for handling clientauth in the templates that are there for setup.

openshift-bot commented 6 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

mar1ged commented 6 years ago

/remove-lifecycle stale /lifecycle frohen

I think this is still of interest for me and others, therefore commenting accordingly

mar1ged commented 6 years ago

I still do not know about alternatives, so this FR is still of interest

/remove-lifecycle stale

simo5 commented 6 years ago

Sounds like this is something Istio is in a better position to deliver to you.

mar1ged commented 6 years ago

Technically this can be correct, but the company I work for wants to use Red Hat's OpenShift with as few additional components as possible. Therefore my suggestion.

mar1ged commented 6 years ago

/remove-lifecycle stale /lifecycle frozen

ericavonb commented 5 years ago

@mar1ged Istio support in OpenShift is now in tech preview: https://docs.openshift.com/container-platform/3.11/servicemesh-install/servicemesh-install.html

If you want to auth your services in a similar manner to the console, you can check out https://github.com/openshift/oauth-proxy/ as well.