Uploaded image for project: 'Red Hat OpenShift AI Engineering'
  1. Red Hat OpenShift AI Engineering
  2. RHOAIENG-4178 Initialize OAuth flow when accessing secured service
  3. RHOAIENG-4573

Investigate use of Envoy filters

    XMLWordPrintable

Details

    • Sub-task
    • Resolution: Unresolved
    • Undefined
    • None
    • None
    • Platform
    • False
    • Hide

      None

      Show
      None
    • False
    • RHOAISTRAT-41 - Support SSO for all RHOAI components
    • No
    • Testable

    Description

      Overview

      Initial implementation leverages Envoy filter to initiate OAuth flow. It is however not feasible to bind it to the ingress gateway as it has been done.

      As part of this spike, we should evaluate if the filter-based approach is feasible, but we should bind them to the sidecar instead.

      Reasons

      • The GATEWAY primarily focuses on routing and load balancing, while the SIDECAR handles service-specific concerns. Enforcing OAuth2 flow globally might not be feasible for every service being part of RHOAI stack
      • it allows for service-specific configuration adjustments without affecting the GATEWAY.

      Notes

      As filters will be bound to sidecars, they will be outside the istio-system namespace. Therefore we will need to figure out how to propagate relevant secrets for them (e.g. oauth2 client secrets). Can we use SDS for that?

      Attachments

        Issue Links

          clones

          Sub-task - The sub-task of the issue OSSM-4171 Narrow where Envoy filters should be applied

          • Undefined - Priority not specified.
          • Closed

          Activity

            People

              Unassigned Unassigned
              bartosz-1 Bartosz Majsak
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:

                PagerDuty