Today we don't have any security engine OOTB (out of the box) with Kogito. The idea of this research is to verify the possibility of having a custom ingress controller deployed in the cluster that authenticates and authorizes external user calls (via routes). The token should be the one issued to OpenShift/Kubernetes authenticated users. The following diagram illustrates this idea:
 External Calls                            Calls without Auth             Calls without Auth
 With Kube/OpenShift
 Token             +--------------+        +---------------+             +--------------+
                   |              |        |               |             |              |
 +---------------> |    custom    +------->+   service A   +------------>+  service B   |
                   |   ingress    |        |               |             |              |
                   |              |        |               |             |              |
                   +------+-------+        +---------------+             +--------------+
                          |
                          |
                          |
                          |
                          |                                   +--------------+
                          |  Authenticate/Authorize           |              |
                          +---------------------------------->+   Kube API   |
                                                              |              |
                                                              +--------------+
The Operator will also deploy a custom role like kogito-service-role to authorize users.
So we could implement this small feature to at least have a security mechanism within the architecture for 0.3. Inner service calls won't go through the custom ingress, so they won't be authenticated: any user within the cluster network could call those services directly.
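As an added illustration (not code from the Kogito operator or from this proposal), this is the check such a custom ingress would perform against the Kube API on every external call: a TokenReview to authenticate the caller's bearer token, then a SubjectAccessReview to ask whether that user may reach the service, which is where the Role the Operator deploys (kogito-service-role) takes effect. The Checker type, its fields and the ingress's own service-account token are assumptions; the two review APIs are real Kubernetes APIs.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// Checker is the ingress side; KubeAPI and IngressToken (the ingress's own
// service-account token, needed to POST reviews) are assumed names.
type Checker struct{ KubeAPI, IngressToken string }

// post sends a review object to the Kube API and decodes the reply into out.
func (c *Checker) post(path string, in, out interface{}) error {
	body, _ := json.Marshal(in)
	req, _ := http.NewRequest("POST", c.KubeAPI+path, bytes.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+c.IngressToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("kube api %s returned %d", path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Authorize validates the caller's token (TokenReview), then asks whether that user
// may perform verb on Service `name` in namespace ns (SubjectAccessReview, answered
// from the Role the Operator deploys). Returns the username so the ingress can log it.
func (c *Checker) Authorize(callerToken, ns, name, verb string) (string, error) {
	tr := map[string]interface{}{"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
		"spec": map[string]string{"token": callerToken}}
	var trOut struct{ Status struct{ Authenticated bool; User struct{ Username string; Groups []string } } }
	if err := c.post("/apis/authentication.k8s.io/v1/tokenreviews", tr, &trOut); err != nil { return "", err }
	if !trOut.Status.Authenticated { // ingress answers 401 here
		return "", fmt.Errorf("token not authenticated")
	}
	u := trOut.Status.User
	ra := map[string]string{"namespace": ns, "verb": verb, "resource": "services", "name": name}
	sar := map[string]interface{}{"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
		"spec": map[string]interface{}{"user": u.Username, "groups": u.Groups, "resourceAttributes": ra}}
	var sarOut struct{ Status struct{ Allowed bool; Reason string } }
	if err := c.post("/apis/authorization.k8s.io/v1/subjectaccessreviews", sar, &sarOut); err != nil { return "", err }
	if !sarOut.Status.Allowed { // authenticated but not authorized: ingress answers 403
		return "", fmt.Errorf("user %s forbidden: %s", u.Username, sarOut.Status.Reason)
	}
	return u.Username, nil
}
```

Authorize only decides between "not authenticated" (401) and "not allowed" (403); wiring it in front of the route handlers is the ingress's job, and inner service-to-service calls never reach it, exactly as the proposal notes.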