This task tracks putting the jaeger-ui web interface behind SSO.
Since we've had success with oauth2-proxy to implement stateless OIDC SSO for thanos.w.o we'll be doing the same for trace.wikimedia.org (name TBD, used as placeholder).
The high-level plan I (Filippo) have right now is the following:
- trace.w.o is an ingress service, served by k8s-aux ingress
- Ingress talks (within the cluster, and securely) to the oauth2-proxy sidecar within the jaeger-query pod
- Said oauth2-proxy is deployed with its OIDC secrets, and redirects the user to SSO as required for authentication
- The proxy is also configured as an OIDC client in SSO
- For authenticated requests, oauth2-proxy reverse-proxies (https or http) to the actual jaeger query/UI
Upstream's jaeger chart already has support for an oauth2-proxy sidecar; we'll have to change the image it uses and make sure the chart is compatible with our image.
@fgiunchedi and @akosiaris brainstormed a bit on this, and since most/all pieces are already in place via ingress + jaeger chart, the idea so far is not to go through the service mesh. The request path from the internet will therefore look like the following:
client <-- tls --> cdn <-- tls --> ingress <-- tls --> oauth2-proxy <-- tls --> jaeger-query
internet           prod            k8s network         jaeger pod               jaeger pod
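As an added illustration of the pod layout described above (not the jaeger chart's own manifest nor our deployment), a jaeger-query pod with an oauth2-proxy sidecar: the ingress reaches only the sidecar's TLS listener, the sidecar does the OIDC redirect dance against SSO and forwards authenticated requests to jaeger-query over localhost. The issuer URL, image tags and secret names are placeholders.

```yaml
# Added example, not from the jaeger chart: jaeger-query guarded by an oauth2-proxy sidecar.
apiVersion: v1
kind: Pod
metadata:
  name: jaeger-query
spec:
  containers:
    - name: jaeger-query
      image: jaegertracing/jaeger-query:<version>      # placeholder tag
      args:
        # Bind the UI/API to loopback so it is reachable only through the sidecar
        # (jaeger v1 flag; confirm against the version the chart deploys).
        - --query.host-port=127.0.0.1:16686
    - name: oauth2-proxy
      image: <our-registry>/oauth2-proxy:<tag>          # our image, placeholder
      args:
        - --provider=oidc
        - --oidc-issuer-url=https://idp.example.org     # placeholder for the SSO issuer
        - --redirect-url=https://trace.wikimedia.org/oauth2/callback   # must match the OIDC client in SSO
        - --email-domain=*                              # narrow down to the allowed domain(s)
        - --https-address=0.0.0.0:4443                  # TLS listener the ingress talks to
        - --tls-cert-file=/etc/oauth2-proxy/tls/tls.crt
        - --tls-key-file=/etc/oauth2-proxy/tls/tls.key
        - --upstream=http://127.0.0.1:16686             # jaeger-query in the same pod
        - --cookie-secure=true                          # stateless session lives in the cookie
      env:
        # OIDC client credentials and cookie key come from a Secret, never from the chart values
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom: {secretKeyRef: {name: jaeger-oidc, key: client-id}}
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom: {secretKeyRef: {name: jaeger-oidc, key: client-secret}}
        - name: OAUTH2_PROXY_COOKIE_SECRET              # 32 random bytes, base64; signs and encrypts the session cookie
          valueFrom: {secretKeyRef: {name: jaeger-oidc, key: cookie-secret}}
      ports:
        - containerPort: 4443                           # the only port the Service/ingress should target
      volumeMounts:
        - name: oauth2-proxy-tls
          mountPath: /etc/oauth2-proxy/tls
          readOnly: true
  volumes:
    - name: oauth2-proxy-tls
      secret:
        secretName: jaeger-oauth2-proxy-tls             # placeholder; cert for the in-cluster TLS hop
```

The Service backing the ingress should expose only port 4443, so no path to port 16686 exists from outside the pod.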
Next steps
- Filippo to look into jaeger chart and its oauth2-proxy support
- Filippo to look into the secrets to be deployed for oauth2-proxy