Hi, I came here to ask a question that has been bothering me for the past few weeks. I think it would be a total hit to create a front-end Swagger OpenAPI OpenID Connect admission controller as a Kubernetes Ingress Controller.

Kubernetes is already grouping pods and exposing them under a service per group of pods, so you can have horizontal scaling capability for endpoints of a certain type. It would make sense to use what you have here https://swagger.io/docs/specification/authentication/openid-connect-discovery/ and have the ability to send users to different Kubernetes svc endpoints based on group membership inside the JWT token. The user hits the Swagger Ingress Controller with a certain method and a verb in mind. In the ingress deployment definition we have an almost identical structure to the one you have in your specification https://swagger.io/docs/specification/authentication/openid-connect-discovery/ (pets method, read/write verbs). If the JWT token contains the group/roles then admission is granted; if not, the user is refused access.

Kong seems to be on the right path with this, but it's such a complex beast that I'm really afraid of Kong. Traefik is not interested. Nginx thinks OIDC is not really a requirement. For HAProxy I have not found good OIDC capabilities.

https://github.com/containous/traefik/pull/3216
https://github.com/kubernetes/ingress-nginx/issues/874

But, from the perspective of speed of deployment and live change updates in Kubernetes, the ability to authorize access to various endpoints that can be developed independently, horizontal scaling of groups of methods independently, and not involving developers with authentication/authorization would be a massive gain. Swagger definitions, API document rendering and OIDC token intercept admission control could all live independently in the Swagger-Kubernetes Ingress Controller, and the service mesh with its pods could be abstracted further down and living in their own universe... away.

Does that make sense? Anyone doing this already? Anyone interested?

Cheers,
Peter
https://github.com/styk-tv
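The admission rule described in the message above, sketched as an added example (it is not part of the original post and not code from any existing ingress controller). It evaluates OpenAPI 3 `security` requirements against the groups in a JWT. Assumptions: the token's signature, issuer, audience and expiry were already verified upstream, groups arrive in a `groups` claim, and the `x-k8s-service` extension and service names are hypothetical.

```python
# Constructed OpenAPI 3 fragment. Scope names follow the pets read/write idea;
# the "x-k8s-service" extension and the service names are hypothetical.
SPEC = {
    "security": [{"openId": ["admin"]}],  # default when an operation sets none
    "paths": {
        "/pets": {
            "get": {"security": [{"openId": ["pets_read"]}],
                    "x-k8s-service": "pets-read-svc"},
            "post": {"security": [{"openId": ["pets_write"]}],
                     "x-k8s-service": "pets-write-svc"},
            "delete": {"x-k8s-service": "pets-admin-svc"},  # inherits default
        },
        "/health": {"get": {"security": [], "x-k8s-service": "health-svc"}},
    },
}


def admit(spec, method, path, claims):
    """Return (allowed, backend_service) for one request.

    `claims` is the payload of an already verified JWT, or None when the
    request carried no token. Paths are matched exactly (no templates).
    """
    op = spec.get("paths", {}).get(path, {}).get(method.lower())
    if op is None:
        return False, None  # default deny: route is not in the spec
    # OpenAPI 3: operation-level security replaces the top-level default.
    reqs = op["security"] if "security" in op else spec.get("security", [])
    groups = claims.get("groups") if claims else None
    # Fail closed when the claim is missing or not a list (e.g. a bare string).
    granted = set(groups) if isinstance(groups, list) else set()

    def satisfied(req):
        if not req:
            return True  # {} means anonymous access is an accepted option
        # Every scheme in one requirement object must hold (AND), and a
        # scheme with an empty scope list still needs a verified token.
        return claims is not None and all(
            set(scopes) <= granted for scopes in req.values())

    # An empty list means no auth; otherwise any one requirement suffices (OR).
    allowed = not reqs or any(satisfied(r) for r in reqs)
    return allowed, (op.get("x-k8s-service") if allowed else None)
```

A request for a route missing from the spec, or a token whose `groups` claim is malformed, is denied rather than passed through.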
