-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secure forwarding #13
Comments
pretty sure there's a way to do that in k8s with a sidecar, and it removes the issue completely. All networking goes over wireguard and your connection from the gx-it-proxy can do that as well. |
You might not even need the k8s-side proxy in that case? I'll have to do some more reading but if wireguard creates a VPN on the Galaxy side such that the k8s network is accessible directly on the Galaxy node, then I think you just need the one proxy. |
yeah it creates a mesh network. you can choose to expose internal networks as well, I believe, so once you expose the k8s subnet from a wireguard instance running in k8s, talking to wireguard on your galaxy side, then it should function as essentially a one way tunnel into k8s. maybe. |
Yeah this is it right here. Using a tailscale subnet router (in k8s), it Just Works™, no double proxy required. |
I've been using the double-proxy forwarding option for usegalaxy.org to run GxITs on a K8s cluster for a while now. Because that cluster is on the same network as Galaxy itself, the fact that forwarded communication is insecure was not a huge issue. However, we are migrating to a K8s cluster running in Jetstream2, which means that proxy traffic will be routed over the Internet. Thus it becomes much more imperative to secure it.
Longer term we may switch to the ingress-based configuration that @almahmoud developed, but that only works with the Galaxy native K8s runner, not the Pulsar Coexecution runner, which is what we're using. @jmchilton's K8s deployment of the proxy is working fine in testing (as it did on the old internal K8s cluster), but I don't want to put it in production until we can secure it.
Some ideas:
Reading back over this missive, I think the simplest and most broadly useful solution is probably 4, just add a shared secret/token, https client support to gx-it-proxy, and let ingress handle the rest.
The text was updated successfully, but these errors were encountered: