[CORE] Auth for policy-reporter API #336

Closed
yuriydzobak opened this issue Aug 30, 2023 · 4 comments · Fixed by #343
Labels
Core Policy Reporter Core Application Kyverno Plugin Policy Reporter Kyverno Plugin UI Policy Reporter UI

Comments

@yuriydzobak
Contributor

Hi,
I'm using policy reporter in centralisation entry point. This feature
Would be nice if policy-reporter has an auth method, for example, I configure simple HTTP auth and provide a secret to auth another policy reporter via API, because at the moment the API is open to everyone in the internal network; filtering by IP doesn't help in my case.
Thanks

@fjogeleit fjogeleit added UI Policy Reporter UI Core Policy Reporter Core Application Kyverno Plugin Policy Reporter Kyverno Plugin labels Aug 30, 2023
@fjogeleit
Member

fjogeleit commented Aug 30, 2023

Hey, thanks for your request, I will have a look at it when I find some time, but it can take a bit.

@fjogeleit fjogeleit linked a pull request Sep 6, 2023 that will close this issue
@fjogeleit
Member

@yuriydzobak I opened a PR for the core app, can you check if the feature set is fine for your use case?

@fjogeleit
Member

Summary:

  • You can configure global HTTP BasicAuthentication via Helm:
    • Username/Password can be configured directly or as an existing secret with username / password keys
    • The Authentication is applied to REST APIs and metrics of the Core App and KyvernoPlugin (if enabled)
    • The Authorization header will be set in the Policy Reporter UI automatically
      • External Cluster configuration also supports secretRef where you can set username / password as well as the API endpoints (api, kyvernoApi) and ssl configuration (skipTLS, certificate)
    • If monitoring is enabled, the basicAuth configuration will also be configured on the ServiceMonitor
      • direct configuration will create a dedicated auth secret for ServiceMonitors
      • secretRef will reuse the existing secret for the ServiceMonitor

```yaml
global:
  basicAuth:
    #username: "username"
    #password: "password"
    secretRef: auth-secret
```

Example external cluster:

```yaml
ui:
  # ...
  clusters:
  - name: Minikube
    api: http://policy-reporter:8080
    kyvernoApi: http://policy-reporter-kyverno-plugin:8080
    basicAuth:
      username: user
      password: password
  - name: Secret
    api: http://policy-reporter:8080
    kyvernoApi: http://policy-reporter-kyverno-plugin:8080
    secretRef: auth-secret
  - name: Unauthorized
    api: http://policy-reporter:8080
    kyvernoApi: http://policy-reporter-kyverno-plugin:8080
```
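
A check for the setup summarized above, added here as an example and not taken from the thread or from Policy Reporter's code: it confirms that each endpoint refuses requests without credentials, refuses a wrong password, and accepts the configured pair. The `/metrics` path, the sample credentials, the 401 response for rejected requests and the local stub server are assumptions made for the example.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def basic_header(username, password):
    # Value of the Authorization header for HTTP Basic auth.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def status(url, auth=None):
    req = urllib.request.Request(url, headers={"Authorization": auth} if auth else {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, paths, username, password):
    # Assumption: a protected endpoint answers 401 when credentials are missing or wrong.
    findings = []
    for path in paths:
        url = base_url.rstrip("/") + path
        if status(url) != 401:
            findings.append((path, "served without credentials"))
        elif status(url, basic_header(username, password + "x")) != 401:
            findings.append((path, "accepted a wrong password"))
        elif status(url, basic_header(username, password)) != 200:
            findings.append((path, "rejected the configured credentials"))
    return findings


def start_stub(protected, username="user", password="password"):
    # Constructed local stand-in (not Policy Reporter): Basic auth on `protected` paths only.
    expected = basic_header(username, password)
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = self.path not in protected or self.headers.get("Authorization") == expected
            self.send_response(200 if ok else 401)
            self.end_headers()

        def log_message(self, *args):  # silence per-request logging
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"
```

Against a real deployment, pass `audit()` the reachable API URL and the credentials stored in the secret; an empty list means every listed path passed all three checks.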

@fjogeleit
Member

Hey @yuriydzobak, just want to ask if you already had a chance to test the new version and if everything is working as expected.
