Redirected from 
README
¶
oc-gate-operator
Operate the oc-gate service and access tokens on a cluster.
oc-gate service allow none-k8s users access to single k8s resource for a limited time. It uses signed, expiring JWTs to grant non k8s users access via a proxy server.
Once installed the operator manages two custom resources:
- GateServer: lounches the oc-gate service that proxy k8s API calls to users outside the cluster.
- GateToken: manages the creation of signed tokens used to authenticate with the oc-gate service.
(gopher network image - egonelbre/gophers)
Deploy the operator
# Deoploy the gate operator.
kubectl create -f \
https://raw.githubusercontent.com/yaacov/oc-gate-operator/main/deploy/oc-gate-operator.yaml
Deploy a gate server
# Create a namespace to run the gate server.
kubectl create namespace oc-gate
# Download and customize the oc-gate-server example.
curl https://raw.githubusercontent.com/yaacov/oc-gate-operator/main/deploy/oc-gate-server.yaml \
-o oc-gate-server.yaml
vmi oc-gate-server.yaml
kubectl create -f oc-gate-server.yaml
Disconnected clusters
In disconnected enviorments without access to public image repository, edit the yaml examples to use internaly provided container images.
# Edit the operator image in operator-controller-manager yaml file.
curl https://raw.githubusercontent.com/yaacov/oc-gate-operator/main/deploy/oc-gate-operator.yaml \
-o oc-gate-operator.yaml
vim oc-gate-operator.yaml
kubectl create -f oc-gate-operator.yaml
GateToken demo:
Example GateToken CR
This example will generate a token that will give it's holder access to API calls matching the path "/k8s/apis/subresources.kubevirt.io/v1alpha3/namespaces/default/virtualmachineinstances/my-vm/vnc" for 1 hour. You can edit the route to match the route designated for the gate server on your cluster.
apiVersion: ocgate.yaacov.com/v1beta1
kind: GateToken
metadata:
name: gatetoken-sample
namespace: oc-gate
spec:
verbs:
- "get"
nonResourceURLs:
- "/apis/subresources.kubevirt.io/v1alpha3/namespaces/default/virtualmachineinstances/my-vm/vnc"
Example GateServer CR
After the operator is set, users need to set up a gate server, this example will create an oc-gate proxy server, wating for requests on URL "https://test-proxy.apps.ostest.test.metalkube.org". One gate server can handle requests for resources from different users and over different namespaces.
apiVersion: ocgate.yaacov.com/v1beta1
kind: GateServer
metadata:
name: gateserver-sample
namespace: oc-gate
spec:
apiURL: 'https://kubernetes.default.svc'
route: oc-gate-proxy.apps-crc.testing
# serviceAccount fields are used to create a service account for the oc gate proxy.
# The proxy will run using this service account, it will be abale to
# proxy only requests available to this service account. Make sure to allow the
# proxy to access all k8s resources that the web application will consume.
serviceAccountVerbs:
- "get"
- "watch"
- "list"
serviceAccountAPIGroups:
- '*'
serviceAccountResources:
- '*'
# gnerateSecret is used to automatically create a secret holding the asymetrical
# keys needed to sign and authenticate the JWT tokens.
gnerateSecret: true
# use
passThrough: false
# the proxy server container image
image: 'quay.io/yaacov/oc-gate:latest'
# webAppImage is used to customize the static files of your web app.
# this example will install the noVNC web application that consume
# websockets streaming VNC data.
webAppImage: 'quay.io/yaacov/oc-gate-web-app-novnc:latest'
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
api
|
|
|
v1beta1
Package v1beta1 contains API Schema definitions for the ocgate v1beta1 API group +kubebuilder:object:generate=true +groupName=ocgate.yaacov.com
|
Package v1beta1 contains API Schema definitions for the ocgate v1beta1 API group +kubebuilder:object:generate=true +groupName=ocgate.yaacov.com |
|
pkg
|
|