From 2a99337f7dce42fb94a7e5406943c954674dd532 Mon Sep 17 00:00:00 2001
From: Silvestre Zabala
Date: Mon, 27 May 2024 16:13:54 +0200
Subject: [PATCH] feat(apiserver): Optionally restrict public API to a single client
# Issue
As a platform operator you might want to restrict access to the public API.
# Fix
The property `autoscaler.apiserver.autoscaler_api_client_id`, if set, restricts the public API endpoint, to only allow requests providing an oauth token from this client id to access the public API. The token needs to be provided in the request header `X-Autoscaler-Token`.
---
 jobs/golangapiserver/spec | 5 +++++
 jobs/golangapiserver/templates/apiserver.yml.erb | 1 +
 2 files changed, 6 insertions(+)
diff --git a/jobs/golangapiserver/spec b/jobs/golangapiserver/spec
index 4ecfdb3b09..ce8a89f533 100644
--- a/jobs/golangapiserver/spec
+++ b/jobs/golangapiserver/spec
@@ -70,6 +70,11 @@ properties:
 description: ""
 autoscaler.apiserver.broker.server.dashboard_redirect_uri:
 description: ""
+ autoscaler.apiserver.public_api.autoscaler_api_client_id:
+ description: |
+ If set, restricts the public API endpoint, to only allow requests providing an oauth token from this client id to access the public API.
+ The token needs to be provided in the request header X-Autoscaler-Token.
+ default: ""
 autoscaler.apiserver.public_api.server.port:
 description: "Port where broker server will run"
 default: 6102
diff --git a/jobs/golangapiserver/templates/apiserver.yml.erb b/jobs/golangapiserver/templates/apiserver.yml.erb
index 32f298c965..c77db0a086 100644
--- a/jobs/golangapiserver/templates/apiserver.yml.erb
+++ b/jobs/golangapiserver/templates/apiserver.yml.erb
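Review bot: The new `description` for `autoscaler.apiserver.public_api.autoscaler_api_client_id` does not say what `default: ""` means for access control. "If set" implies that an empty value leaves the public API open to tokens from any client, and an operator should be able to read that directly from the spec. I would add a sentence such as `If empty (the default), no client restriction is applied.` after the first sentence, assuming that is what the server does. The commit message also names the property `autoscaler.apiserver.autoscaler_api_client_id`, without the `public_api` segment used here, so one of the two should be corrected. The `properties:` mapping starts and continues outside this hunk.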
@@ -57,6 +57,7 @@ cf:
 idle_connection_timeout_ms: <%= p("autoscaler.cf.idle_connection_timeout_ms") %>
 max_idle_conns_per_host_ms: <%= p("autoscaler.cf.max_idle_conns_per_host_ms") %>
+api_client_id: <%= p("autoscaler.apiserver.public_api.autoscaler_api_client_id") %>
 public_api_server:
 port: <%= p("autoscaler.apiserver.public_api.server.port") %>
 <% if_p("autoscaler.apiserver.public_api.server.ca_cert", "autoscaler.apiserver.public_api.server.server_cert", "autoscaler.apiserver.public_api.server.server_key") do %>
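Review bot: The added `api_client_id` line interpolates the property unquoted, so with the default `""` it renders as a bare `api_client_id:`, which YAML parsers read as null. A client id that looks like a number or boolean would likewise be typed as one rather than as a string. Because this value decides whether the public API is restricted, I would render it as an explicit string, `api_client_id: <%= p("autoscaler.apiserver.public_api.autoscaler_api_client_id").to_json %>`. How the server's config loader treats null versus an empty string is not visible in this patch, so a test for the unset case is worth adding. The top-level mapping continues outside the hunk.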