Details
- Sub-task
- Resolution: Unresolved
Description
Overview
The initial implementation leverages an Envoy filter to initiate the OAuth flow. It is, however, not feasible to bind it to the ingress gateway, as has been done.
As part of this spike, we should evaluate whether the filter-based approach is feasible, but with the filters bound to the sidecar instead.
Reasons
- The GATEWAY primarily focuses on routing and load balancing, while the SIDECAR handles service-specific concerns. Enforcing the OAuth2 flow globally might not be feasible for every service that is part of the RHOAI stack.
- It allows for service-specific configuration adjustments without affecting the GATEWAY.
Notes
As the filters will be bound to sidecars, they will be outside the istio-system namespace. Therefore, we will need to figure out how to propagate the relevant secrets for them (e.g. OAuth2 client secrets). Can we use SDS for that?
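One possible shape for a sidecar-bound filter, as an added example that is not part of the ticket or the project's configuration. All names, labels, hosts and paths are hypothetical; it assumes the secret files are mounted into the sidecar container in the workload's namespace, and it uses Envoy's file-backed SDS source, which is only one way the SDS question above could be answered.

```yaml
# Added example; every name, label, host and path below is hypothetical.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: oauth2-example
  namespace: example-service-ns        # workload namespace, not istio-system
spec:
  workloadSelector:
    labels:
      app: example-service             # only this service's sidecar gets the filter
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND         # a gateway-bound filter would use GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.oauth2
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
          config:
            token_endpoint:
              cluster: example-oauth-cluster   # must resolve to a cluster the sidecar knows
              uri: https://oauth.example.com/oauth/token
              timeout: 5s
            authorization_endpoint: https://oauth.example.com/oauth/authorize
            redirect_uri: "https://%REQ(:authority)%/callback"
            redirect_path_matcher:
              path: {exact: /callback}
            signout_path:
              path: {exact: /signout}
            credentials:
              client_id: example-client
              token_secret:                    # OAuth2 client secret, file-backed SDS
                name: token
                sds_config:
                  path_config_source: {path: /etc/oauth2/token-secret.yaml}
              hmac_secret:                     # key that signs the session cookies
                name: hmac
                sds_config:
                  path_config_source: {path: /etc/oauth2/hmac-secret.yaml}
```

Because both secrets are read inside the workload's pod, each service that gets the filter needs its own copy of them, so their distribution and rotation become per-namespace concerns.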
Issue Links
- clones: OSSM-4171 Narrow where Envoy filters should be applied (Closed)