helm:Proxied UI Authentication (via Additional Containers "sidecars" in the Server Pod/s)

[kpurdon]

I'd like to propose supporting additional containers as "sidecars" in the Pod serving the Consul UI in order to allow for sidecar-based authentication proxies. This is something I'd be happy to add and test, if it's acceptable.

I generally use Google Cloud IAP to protect services (like the Consul UI) exposed to the public internet. In order to validate the IAP requests (for services that I cannot add authentication too myself) I use kpurdon/iapap to validate the IAP request. This simple proxy service (with IAP validation) is intended to be run as a sidecar in whatever Pod is serving the service I want to protect exposed via a NodePort service. Then an ingress w/ all the IAP requirements is pointed at the NodePort resulting in an IAP protected internal service.

Ingress (w/ IAP) -> NodePort -> Pod [ IAPAP (Validate IAP) -> SomeService ]

While my use case is specific to Cloud IAP, this proposal should allow supporting any authentication method that works by injecting a sidecar proxy service.

Specifically I'd like to be able to:

• Include additional containers in the server spec (e.g. adding sidecars)
• Specify a targetPort on the ui.service configuration (to point to the sidecar proxy)

This could look something like the following values.yml:

server:
  additionalContainers:
    - name: iapap-consul-ui
      spec: |
        image: kpurdon/iapap
        ports:
          - name: http
            containerPort: 9999
            env:
              IAPAP_TARGET: "http://localhost:8500" # the consul ui
        ...

ui:
  enabled: true
  type: NodePort
  targetPort: 9999
  ...

Of course this would all be totally optional to use and would result in a zero net change to the current defaults.

[adilyse]

Hi @kpurdon,

Thank you for thoroughly explaining your use case, it helps us make better decisions about our features and implementations!

We have a couple of tasks on our upcoming roadmap that will potentially interact with adding extra containers to various components, so it's helpful to be aware of how folks want to use it. We will endeavor make any solution as generally applicable as possible.

Related: hashicorp/consul-helm#158 and hashicorp/consul-helm#255

[kpurdon]

@adilyse thanks for the response.

Given the most generally applicable solution is simple allowing an extra containers key on at least the server resource would a PR to add that be considered?

I'd love the functionality and am more than happy to do the work.

[kpurdon]

Hi @adilyse @lkysow just wanted to check in here and see if there was anything I can do to help land a feature like this. I see the other open issue and PR has been stuck for a while.

I'm more than happy to do the work. Thanks for all your work on this project!

[david-yu]

Hi @kpurdon that does sound like a nice feature that could help with sidecar proxy service use case. We have not prioritized this on our end. I'm curious to know if that other PR perhaps addresses what you're looking for or if additional changes are needed.

[kpurdon]

The other PR looks like it should handle getting the extra container in, the only other thing needed would be the settings on the UI but that's a trivia change.

[blake]

Hi @kpurdon, this functionality was added in #749 and will be available in the next release of consul-k8s.