Does anyone have experience with securing the apol...
# prefect-serverp
Pierre Monico
01/18/2022, 1:02 PMDoes anyone have experience with securing the apollo API (ingress) when deploying Server with the Helm chart. I could easily secure it with basic auth or similar but then I don’t get how you’re supposed to authenticate from the UI since you can only pass a URL. Do I need to implement some sort of API key mechanism?
a
Anna Geller
01/18/2022, 1:07 PM
Many users deploy Server to a secure network e.g. only accessible from a company VPN, but I’m curious to hear from the community on this.
p
Pierre Monico
01/18/2022, 1:11 PMI had it on running on a virtual network before - I could then just SSH + port forward. Now I am trying to get it to work without the VN+SSH. Setting up the ingress for the UI to use basic auth is easy; getting it right for the apollo api is harder 🙂 but just because it needs to be some sort of “URL” based auth (we don’t have access to the internals of the UI sending requests to the backend)
Pierre Monico
01/18/2022, 1:14 PMJust out of curiosity @Anna Geller: how is setting the Apollo API through the UI handled? Since you haven’t “set up the backend” yet, where is the value that you type in to that field persisted?
a
Anna Geller
01/18/2022, 1:15 PM
probably to the machine from which you started the Server
Anna Geller
01/18/2022, 1:15 PM
i.e. to the config.toml
p
Pierre Monico
01/18/2022, 1:19 PMAh ok, so the UI service goes ahead and modifies that file.
d
davzucky
01/18/2022, 2:44 PMSomeone share that recently. Can it help you?
https://prefect-community.slack.com/archives/CL09KTZPX/p1641827645018300
t
Thomas Pedersen
01/19/2022, 12:12 PMBeen running into the question of how server can be deployed securely myself as well. It's a bit of a shame that it isn't available in an edition with security out of the box.
a
Anna Geller
01/19/2022, 12:45 PM
For out-of-the-box Auth we have Prefect Cloud with a generous free tier providing 20,000 free task runs each month.
p
Pierre Monico
01/19/2022, 4:35 PMThanks @davzucky. A bit too much overhead for me but I’ll try to get inspired 🙂
Pierre Monico
01/25/2022, 5:02 PMUpdate: couldn’t come up with a solution that is not a workaround and/or needs a lot of extra work in order to make a Prefect Server publicly accessible. Must say I am a bit disappointed since it really feels that as a developer you are being pushed to use the Cloud offering. While I would love to do so, my client doesn’t allow for it so I end up being either stuck or having to implement a lot of things on top of Server to have it work (we’re talking adding authentication services etc.). One simple thing that would alleviate the pain of setting authentication up would be to allow to customize the way the UI calls the Apollo endpoint, i.e. adding a header, basic auth, or at least allowing for query params so that we can pass an API key (it’s the last thing I tried, but it just “breaks” the calls to the endpoint). EDIT: and even if finally managing to pass in an api key or similar to access apollo, there is no way to do this for registering the flows since it’s only possible to set a
hostconfig.toml4 Views