These are notes from a whiteboard session discussing requirements and design for the upcoming NDS Labs workbench release.
Load Balancer
Use case: The workbench user (project administrator) configures a service via the workbench. Once configured, external endpoints are accessible via TLS/SSL.
Requirements:
- User can access service, initially via HTTP/S but also anticipating needs to access TCP services
- Services are secured using TLS
- Special handling for NDS Labs Workbench API server and GUI requests, including CORS support
- Resilient to failure (restarting)
Design discussion:
- Load balancer running on one machine (nginx, haproxy, vulcand)
- Load balancer monitors Kubernetes endpoints via API or ETCD (service creates and deletes)
- Load balancer is updated to proxy HTTP/S requests to the service via path:
  - For project-specific services, paths are in the form: "namespace/serviceId"
  - For GUI and API, paths are "/" and "/api" respectively
- Load balancer routes requests to correct Kubernetes service
- If load balancer is restarted, previous configuration is maintained.
- For non-HTTP services, a port-based solution will be used
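
The path scheme from the design discussion above, as an added Go example (not NDS Labs code). The names `Register`, `Route` and the backend names are hypothetical; validating names as DNS labels, refusing a namespace called "api", and sending unknown paths to the GUI are assumptions made here, not decisions from the session.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Placeholder backend names; namespace and serviceId are assumed to be DNS labels.
const guiBackend, apiBackend = "workbench-gui", "workbench-api"

var label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// Register adds "<namespace>/<serviceId>" to the routing table. A namespace
// named "api" is refused because the API prefix would shadow its services.
func Register(known map[string]bool, ns, id string) error {
	if ns == "api" || !label.MatchString(ns) || !label.MatchString(id) {
		return fmt.Errorf("cannot route %q/%q", ns, id)
	}
	known[ns+"/"+id] = true
	return nil
}

// Route picks the backend for an already-decoded request path: "/api" -> API
// server, "/<namespace>/<serviceId>" -> that service, anything else -> GUI.
func Route(known map[string]bool, path string) (string, error) {
	if !strings.HasPrefix(path, "/") {
		return "", fmt.Errorf("path %q is not absolute", path)
	}
	segs := strings.Split(strings.TrimSuffix(path[1:], "/"), "/")
	for _, s := range segs {
		// Reject rather than normalise, so balancer and backend see the same path.
		if s == "." || s == ".." || (s == "" && len(segs) > 1) {
			return "", fmt.Errorf("path %q has an empty or dot segment", path)
		}
	}
	if segs[0] == "api" { // whole-segment match: "/apiserver" is not the API
		return apiBackend, nil
	}
	if len(segs) >= 2 && known[segs[0]+"/"+segs[1]] {
		return segs[0] + "/" + segs[1], nil
	}
	return guiBackend, nil
}

func main() {
	known := map[string]bool{}
	fmt.Println(Register(known, "demo", "dataverse")) // constructed sample names
	fmt.Println(Route(known, "/demo/dataverse/x"))
}
```

In the design above, the `known` table would be filled from the Kubernetes API or etcd watch and written to disk so that it survives a load balancer restart.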
Additional notes:
- Do we need this for May 20 release? No, we can still run Nodeport but w/o TLS
Authentication/Authorization
A longer-term question: Should we consider other approaches to support authentication/authorization? Kubernetes, LDAP, SSO/CAS, Shibboleth, Globus, OAuth, etc?
Registration/Approval
Use case: User can request access/register for access to the NDS Labs workbench
We discussed several options:
- User is instructed to send an email to ndslabs-support, account is created manually by us. This could be a form in WordPress (labsportal.nds.org) or on the Workbench home page
- User selects "Register" link, fills in a form which, when submitted, emails ndslabs-support for approval. The approval process would include specifying resource limits.
- Using another authentication solution, such as OAuth. This means we would not need to handle logins and manage credentials, but this doesn't solve the approval process.
Additional notes:
- Do we need this for May 20 release? No, but nice to have. We should at least disable the Create Project link.