

virt-gateway-operator


Operate the kube-gateway service and access tokens on a cluster.


The kube-gateway service allows non-Kubernetes users to access a single Kubernetes resource for a limited time. It issues signed, expiring JWTs and grants their holders access to that resource through a proxy server.

Once installed the operator manages two custom resources:

  • GateServer: launches the kube-gateway service, which proxies Kubernetes API calls for users outside the cluster.
  • GateToken: manages the creation of the signed tokens used to authenticate with the kube-gateway service.

(gopher network image - egonelbre/gophers)

Deploy the operator

# Deploy the gate operator.
kubectl create -f \
    https://raw.githubusercontent.com/yaacov/virt-gateway-operator/main/deploy/virt-gateway-operator.yaml

Deploy a gate server

# Create a namespace to run the gate server.
kubectl create namespace kube-gateway

# Download and customize the kube-gateway-server example.
curl https://raw.githubusercontent.com/yaacov/virt-gateway-operator/main/deploy/virt-gateway-server.yaml \
    -o kube-gateway-server.yaml

vim kube-gateway-server.yaml
kubectl create -f kube-gateway-server.yaml

Disconnected clusters

In disconnected environments without access to a public image registry, edit the YAML examples so they use internally provided container images: the operator image in the operator manifest, and the "image" and "webAppImage" fields of the GateServer.

# Edit the operator image in the controller-manager Deployment of the operator YAML file.
curl https://raw.githubusercontent.com/yaacov/virt-gateway-operator/main/deploy/virt-gateway-operator.yaml \
    -o virt-gateway-operator.yaml

vim virt-gateway-operator.yaml
kubectl create -f virt-gateway-operator.yaml

Example GateToken CR

This example generates a token that gives its holder access, for 1 hour, to API calls matching the path "/k8s/apis/subresources.kubevirt.io/v1alpha3/namespaces/default/virtualmachineinstances/testvm/vnc". Edit the namespace, API groups, resources and resource names to match the resource the holder should reach, and keep them within what the gate server's service account is allowed to access; the token is only usable through the route designated for the gate server on your cluster.

apiVersion: ocgate.yaacov.com/v1beta1
kind: GateToken
metadata:
  name: gatetoken-sample
  namespace: kube-gateway
spec:
  namespace: "default"
  APIGroups:
    - "subresources.kubevirt.io"
  resources:
    - "virtualmachineinstances"
    - "virtualmachineinstances/vnc"
  resourceNames:
    - testvm
  generateServiceAccount: false
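The token flow described above, as an added example that is not the project's own code: it mints an RS256 JWT carrying the gatetoken-sample scope, verifies signature and expiry the way a proxy should (algorithm pinned in the verifier, never taken from the token header), and then decides whether a proxied path is inside the claims. The claim names, the GateClaims type, the functions Mint, Verify and Authorize, and the path layout under /k8s/apis/ are assumptions for illustration; the key pair is generated in-process in place of the operator's generated secret.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// GateClaims is an assumed claim layout mirroring the GateToken spec fields (not kube-gateway's real format).
type GateClaims struct {
	Namespace     string   `json:"namespace"`
	APIGroups     []string `json:"apiGroups"`
	Resources     []string `json:"resources"`
	ResourceNames []string `json:"resourceNames"`
	Expires       int64    `json:"exp"`
}

// SampleClaims reproduces the gatetoken-sample CR, valid for one hour from now.
func SampleClaims(now time.Time) GateClaims {
	return GateClaims{Namespace: "default", APIGroups: []string{"subresources.kubevirt.io"},
		Resources:     []string{"virtualmachineinstances", "virtualmachineinstances/vnc"},
		ResourceNames: []string{"testvm"}, Expires: now.Add(time.Hour).Unix()}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Mint signs the claims as an RS256 JWT: b64url(header).b64url(payload).b64url(sig).
func Mint(key *rsa.PrivateKey, c GateClaims) (string, error) {
	payload, _ := json.Marshal(c) // a plain struct of strings and ints cannot fail to marshal
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Verify pins the algorithm to RS256 (the header never chooses the verifier),
// checks the signature with the public key, then enforces "exp".
func Verify(pub *rsa.PublicKey, token string, now time.Time) (*GateClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdr, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url")
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdr, &h); err != nil || h.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c GateClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Expires {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}
func contains(set []string, v string) bool {
	for _, s := range set { if s == v { return true } }
	return false
}

// Authorize accepts /k8s/apis/{group}/{version}/namespaces/{ns}/{resource}/{name}[/{sub}]
// only when group, namespace, resource (plus subresource) and name are all in scope.
func Authorize(c *GateClaims, path string) bool {
	p := strings.Split(strings.TrimPrefix(path, "/k8s/apis/"), "/")
	if !strings.HasPrefix(path, "/k8s/apis/") || len(p) < 6 || len(p) > 7 || p[2] != "namespaces" {
		return false
	}
	resource := p[4]
	if len(p) == 7 {
		resource += "/" + p[6] // RBAC-style "resource/subresource", e.g. virtualmachineinstances/vnc
	}
	return p[3] == c.Namespace && contains(c.APIGroups, p[0]) &&
		contains(c.Resources, resource) && contains(c.ResourceNames, p[5])
}
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := Mint(key, SampleClaims(time.Now()))
	claims, err := Verify(&key.PublicKey, tok, time.Now())
	fmt.Println(err, Authorize(claims, "/k8s/apis/subresources.kubevirt.io/v1alpha3/namespaces/default/virtualmachineinstances/testvm/vnc"))
}
```

Verification happens before the claims are read, and the expiry check uses the proxy's clock, so a token captured after its hour is useless even though its signature is still valid. The path check is deliberately exact: a token for "testvm" does not open "my-vm", and "virtualmachineinstances/vnc" does not open the console subresource.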

Example GateServer CR

After the operator is installed, users need to set up a gate server. This example creates a kube-gateway proxy server that waits for requests on the URL "https://kube-gateway-proxy.apps-crc.testing" (the route field below). One gate server can handle requests for resources from different users and across different namespaces.

apiVersion: ocgate.yaacov.com/v1beta1
kind: GateServer
metadata:
  name: gateserver-sample
  namespace: kube-gateway
spec:
  route: kube-gateway-proxy.apps-crc.testing
  # The serviceAccount fields are used to create a service account for the kube-gateway proxy.
  # The proxy runs as this service account and can only proxy requests that the
  # service account itself is allowed to make. Make sure to allow the
  # proxy to access all k8s resources that the web application will consume.
  serviceAccountVerbs:
    - "get"
  serviceAccountAPIGroups:
    - "subresources.kubevirt.io"
  serviceAccountResources:
    - "virtualmachineinstances"
    - "virtualmachineinstances/vnc"
  # gnerateSecret is used to automatically create a secret holding the asymmetric
  # key pair needed to sign and verify the JWT tokens.
  gnerateSecret: true
  # passThrough forwards the request's own token directly to the k8s API server
  # instead of verifying it and replacing it with the proxy's service account access token.
  passThrough: false
  # the proxy server container image
  image: 'quay.io/yaacov/kube-gateway'
  # webAppImage is used to customize the static files of your web app.
  # This example installs the noVNC web application, which consumes
  # websocket-streamed VNC data.
  webAppImage: 'quay.io/yaacov/kube-gateway-web-app-novnc'
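An added example (not the operator's code) of the check implied by the serviceAccount comments above: a GateToken can name any API group or resource, but the proxy can only forward what its own service account may access, so a token whose scope exceeds the server's serviceAccount* fields verifies at the proxy and is then rejected by the API server. The Go struct and function names (GateServerSpec, GateTokenSpec, UnreachableScope) are assumptions; the sample specs are constructed from the CRs on this page, with one extra subresource added to show a mismatch.

```go
package main

import "fmt"

// GateServerSpec and GateTokenSpec carry the fields of the two CRs shown in this README
// that matter for the check; the Go type names are assumptions, not the operator's types.
type GateServerSpec struct {
	ServiceAccountVerbs     []string
	ServiceAccountAPIGroups []string
	ServiceAccountResources []string
	PassThrough             bool
}

type GateTokenSpec struct {
	Namespace     string
	APIGroups     []string
	Resources     []string
	ResourceNames []string
}

func contains(set []string, v string) bool {
	for _, s := range set { if s == v { return true } }
	return false
}

// UnreachableScope lists every apiGroup or resource a GateToken grants that the gate
// server's own service account cannot reach. Such a token verifies fine at the proxy,
// but every request it authorizes fails at the API server, because the proxy replaces
// the JWT with its service account credentials. With passThrough: true the caller's own
// credentials are forwarded instead and the service account bound does not apply.
func UnreachableScope(server GateServerSpec, token GateTokenSpec) []string {
	if server.PassThrough {
		return nil
	}
	var out []string
	for _, g := range token.APIGroups {
		if !contains(server.ServiceAccountAPIGroups, g) {
			out = append(out, "apiGroup "+g)
		}
	}
	for _, r := range token.Resources {
		// RBAC treats "virtualmachineinstances/vnc" as distinct from
		// "virtualmachineinstances": the exact string must be granted.
		if !contains(server.ServiceAccountResources, r) {
			out = append(out, "resource "+r)
		}
	}
	return out
}

func main() {
	// Constructed from the gateserver-sample CR above.
	server := GateServerSpec{ServiceAccountVerbs: []string{"get"},
		ServiceAccountAPIGroups: []string{"subresources.kubevirt.io"},
		ServiceAccountResources: []string{"virtualmachineinstances", "virtualmachineinstances/vnc"}}
	// gatetoken-sample with an extra "console" subresource the proxy was never allowed.
	token := GateTokenSpec{Namespace: "default", APIGroups: []string{"subresources.kubevirt.io"},
		Resources: []string{"virtualmachineinstances", "virtualmachineinstances/console"}, ResourceNames: []string{"testvm"}}
	fmt.Println(UnreachableScope(server, token))
}
```

Run this against each GateToken before creating it; an empty result means the token's scope is a subset of what the proxy can actually do. The converse check matters too: widening the serviceAccount* fields widens every token the server can mint, so keep them at the minimum the web application needs.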

Contributors

yaacov
