These are notes from a whiteboard session discussing requirements and design for the upcoming NDS Labs workbench release.

Load Balancer

Use case: The workbench user (project administrator) configures a service via the workbench. Once configured, external endpoints are accessible via TLS/SSL.

Requirements:

  • User can access service, initially via HTTP/S, with access to TCP services anticipated as a later need
  • Services are secured using TLS
  • Special handling for NDS Labs Workbench API server and GUI requests, including CORS support
  • Resilient to failure (restarting)

Design discussion:

  • Load balancer running on one machine (nginx, haproxy, vulcand)
  • Load balancer monitors Kubernetes endpoints via the API or etcd (service creates and deletes)
  • Load balancer is updated to proxy HTTP/S requests to the service via path:
    • For project-specific services, paths are in the form: "namespace/serviceId"
    • For GUI and API, paths are "/" and "/api" respectively
  • Load balancer routes requests to the correct Kubernetes service
  • If load balancer is restarted, previous configuration is maintained.
  • For non-HTTP services, a port-based solution will be used
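A sketch of the path-routing rules in the design discussion above, added here as an example and not taken from the NDS Labs code. The function names, the reserved-name set, the Kubernetes-style name check and the sample backends are all assumptions. It shows two cases the path scheme has to handle: a namespace named "api" would shadow the API path, and prefixes must match on whole path segments.

```python
import re

# Assumption: namespace and service ids follow Kubernetes DNS-label rules.
LABEL = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")
RESERVED = {"api"}  # first path segment already claimed by the API server


def build_routes(services, gui_backend, api_backend):
    """Build the prefix table. services is [(namespace, service_id, backend)]."""
    routes = {"/": gui_backend, "/api": api_backend}
    for namespace, service_id, backend in services:
        if not (LABEL.fullmatch(namespace) and LABEL.fullmatch(service_id)):
            raise ValueError(f"invalid name: {namespace}/{service_id}")
        if namespace in RESERVED:
            # "/api/<serviceId>" would be ambiguous with API server requests.
            raise ValueError(f"namespace {namespace!r} collides with a reserved path")
        prefix = f"/{namespace}/{service_id}"
        if prefix in routes:
            raise ValueError(f"duplicate route {prefix}")
        routes[prefix] = backend
    return routes


def resolve(routes, path):
    """Longest-prefix match on whole segments; "/" (the GUI) is the fallback."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if any(s in (".", "..") for s in segments):
        return None  # refuse dot segments instead of guessing how a backend normalizes
    for n in range(len(segments), 0, -1):
        backend = routes.get("/" + "/".join(segments[:n]))
        if backend:
            return backend
    return routes["/"]


if __name__ == "__main__":
    # Constructed sample data: one project service plus the GUI and API backends.
    table = build_routes([("proj1", "webapp", "10.0.0.5:8080")],
                         gui_backend="10.0.0.2:80", api_backend="10.0.0.3:8083")
    for p in ("/", "/api/projects", "/apifoo", "/proj1/webapp/files?x=1", "/proj1/../api"):
        print(p, "->", resolve(table, p))
```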

 

Additional notes:

  • Do we need this for May 20 release? No, we can still run NodePort but w/o TLS

 

Authentication/Authorization

A longer-term question: Should we consider other approaches to support authentication/authorization? Kubernetes, LDAP, SSO/CAS, Shibboleth, Globus, OAuth, etc.?

Registration/Approval 

Use case: User can request access/register for access to the NDS Labs workbench

We discussed several options:

  1. User is instructed to send an email to ndslabs-support, and the account is created manually by us. This could be a form in WordPress (labsportal.nds.org) or on the Workbench home page.
  2. User selects the "Register" link and fills in a form which, when submitted, emails ndslabs-support for approval. The approval process would include specifying resource limits.
  3. Using another authentication solution, such as OAuth. This means we would not need to handle logins and manage credentials, but this doesn't solve the approval process.

Additional notes:

  • Do we need this for May 20 release? No, but nice to have.  We should at least disable the Create Project link.