Channels
announcements
ask-marvin
best-practices-coordination-plane
data-ecosystem
data-tricks-and-tips
events
find-a-prefect-job
geo-bay-area
geo-berlin
geo-boston
geo-chicago
geo-colorado
geo-dc
geo-israel
geo-japan
geo-london
geo-nyc
geo-seattle
geo-texas
gratitude
introductions
marvin-in-the-wild
pacc-clearcover-june-12-2023
pacc-may-31-2023
ppcc-may-16-2023
prefect-ai
prefect-aws
prefect-azure
prefect-cloud
prefect-community
prefect-contributors
prefect-dbt
prefect-docker
prefect-gcp
prefect-getting-started
prefect-integrations
prefect-kubernetes
prefect-recipes
prefect-server
prefect-ui
random
show-us-what-you-got
Title
p
Pierre Monico
01/18/2022, 1:02 PMDoes anyone have experience with securing the apollo API (ingress) when deploying Server with the Helm chart. I could easily secure it with basic auth or similar but then I don’t get how you’re supposed to authenticate from the UI since you can only pass a URL. Do I need to implement some sort of API key mechanism?
a
Anna Geller
01/18/2022, 1:07 PMMany users deploy Server to a secure network e.g. only accessible from a company VPN, but I’m curious to hear from the community on this.
p
Pierre Monico
01/18/2022, 1:11 PMI had it on running on a virtual network before - I could then just SSH + port forward. Now I am trying to get it to work without the VN+SSH. Setting up the ingress for the UI to use basic auth is easy; getting it right for the apollo api is harder 🙂 but just because it needs to be some sort of “URL” based auth (we don’t have access to the internals of the UI sending requests to the backend)
Just out of curiosity @Anna Geller: how is setting the Apollo API through the UI handled? Since you haven’t “set up the backend” yet, where is the value that you type in to that field persisted?
a
Anna Geller
01/18/2022, 1:15 PMprobably to the machine from which you started the Server
i.e. to the config.toml
p
Pierre Monico
01/18/2022, 1:19 PMAh ok, so the UI service goes ahead and modifies that file.
d
davzucky
01/18/2022, 2:44 PMSomeone share that recently. Can it help you?
https://prefect-community.slack.com/archives/CL09KTZPX/p1641827645018300
t
Thomas Pedersen
01/19/2022, 12:12 PMBeen running into the question of how server can be deployed securely myself as well. It's a bit of a shame that it isn't available in an edition with security out of the box.
a
Anna Geller
01/19/2022, 12:45 PMFor out-of-the-box Auth we have Prefect Cloud with a generous free tier providing 20,000 free task runs each month.
p
Pierre Monico
01/19/2022, 4:35 PMThanks @davzucky. A bit too much overhead for me but I’ll try to get inspired 🙂
Update: couldn’t come up with a solution that is not a workaround and/or needs a lot of extra work in order to make a Prefect Server publicly accessible. Must say I am a bit disappointed since it really feels that as a developer you are being pushed to use the Cloud offering. While I would love to do so, my client doesn’t allow for it so I end up being either stuck or having to implement a lot of things on top of Server to have it work (we’re talking adding authentication services etc.). One simple thing that would alleviate the pain of setting authentication up would be to allow to customize the way the UI calls the Apollo endpoint, i.e. adding a header, basic auth, or at least allowing for query params so that we can pass an API key (it’s the last thing I tried, but it just “breaks” the calls to the endpoint). EDIT: and even if finally managing to pass in an api key or similar to access apollo, there is no way to do this for registering the flows since it’s only possible to set a
hostconfig.toml