GitLab Create Editor Group, 4 Mar 2023

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: GitLab Workspaces - Central Auth Proxy Discovery Demo

Description

In this video, I show how we've adopted the proxy to discover Kubernetes targets. So, if we use either DWO or Devfile library to generate deployments, services - the central proxy will automatically discover those services and protect those endpoints with authentication.

A

Hi everyone I wanted to give you a quick update on the progress of the auth proxy that I've been working on, um so what I've really been doing is working on the central proxy design um and and trying to work with that. First uh now, if the security team comes back and says that hey, we need to do a sidecar.

A

Instead, we may move in that direction, but we're still waiting for the output of those conversations, uh so in the meanwhile I thought I'd record um of what I'm working on uh so that you guys know. um uh You know exactly what I've been I've been up to um so essentially the central proxy design discovers workspaces as they come along, and so, as dwo and later you know, our non-dw approach generates workspaces.

A

um What what the the proxy does is? It discovers endpoints or services that have been created and then automatically creates um requests for them, so it automatically proxies those and protects those with authentication at the moment. I have not added authorization of them uh as of yet, but you know that's soon to come um so very quickly, I'm going to go ahead and clear this.

A

If I look at any Dev workspaces at the moment, there's nothing so I can go ahead and apply our um our example with ttyd and the workspace, and so that should start getting created, and you say this is waiting for workspace deployment. So bwo is creating that workspace.

A

um So what's happening behind the scenes here in the proxy, you see it's discovered as we created that workspace and discovered the new Upstream. So it discovered not only the Upstream which led to my workspace, but it also discovered any open ports I had so. If I go back and quickly, look at that that workspace yeah, you can see that I have the container and the container does have these ports endpoints open here and therefore it uh you know, the the proxy will automatically protect those.

A

And so, if I look here, you can see that the proxy has started to detect those endpoints. um So hopefully it should be up now now, so I can go ahead and actually open that up in now, I'll first open this up in a little window. So you see the actual login request in fact. Do that you can see ignore this error, it's something in my GDK, um but I can go ahead and log in I. It does not. Let me access the workspace until I've logged in once.

A

I actually do log in creates cookies using a signed GWT token, so that I can actually access my workspace and then I don't need to keep authenticating. So that's my workspace, so I I just need to authenticate once I'm going to open this in a different window.

A

um So with that I'm actually going to navigate and start a node.js server.

A

um So I've got a server.js here, which just starts a very simple node.js server. So I'm going to go ahead and run that and so now the server is running so I could actually take that same route. I could open an incognito window within my endpoint.

A

And do that and now again will be protected by by the proxy server, and so it would redirect me to my login screen and gitlab I would have to sign in and only then can I actually see the hello world. So it's not just the IDE that's protected by this proxy, but it's also any other bot. That's opened, so that's also protected by the proxy.

A

um Thank you for listening. That's all.