
Pierre Monico

01/18/2022, 1:02 PM
Does anyone have experience with securing the apollo API (ingress) when deploying Server with the Helm chart? I could easily secure it with basic auth or similar but then I don’t get how you’re supposed to authenticate from the UI since you can only pass a URL. Do I need to implement some sort of API key mechanism?

Anna Geller

01/18/2022, 1:07 PM
Many users deploy Server to a secure network e.g. only accessible from a company VPN, but I’m curious to hear from the community on this.

Pierre Monico

01/18/2022, 1:11 PM
I had it running on a virtual network before - I could then just SSH + port forward. Now I am trying to get it to work without the VN+SSH. Setting up the ingress for the UI to use basic auth is easy; getting it right for the apollo api is harder 🙂 but just because it needs to be some sort of “URL” based auth (we don’t have access to the internals of the UI sending requests to the backend)
Just out of curiosity @Anna Geller: how is setting the Apollo API through the UI handled? Since you haven’t “set up the backend” yet, where is the value that you type in to that field persisted?

Anna Geller

01/18/2022, 1:15 PM
probably to the machine from which you started the Server
i.e. to the config.toml

Pierre Monico

01/18/2022, 1:19 PM
Ah ok, so the UI service goes ahead and modifies that file.

davzucky

01/18/2022, 2:44 PM

Thomas Pedersen

01/19/2022, 12:12 PM
Been running into the question of how server can be deployed securely myself as well. It's a bit of a shame that it isn't available in an edition with security out of the box.

Anna Geller

01/19/2022, 12:45 PM
For out-of-the-box Auth we have Prefect Cloud with a generous free tier providing 20,000 free task runs each month.

Pierre Monico

01/19/2022, 4:35 PM
Thanks @davzucky. A bit too much overhead for me but I’ll try to get inspired 🙂
Update: couldn’t come up with a solution that is not a workaround and/or needs a lot of extra work in order to make a Prefect Server publicly accessible. Must say I am a bit disappointed since it really feels that as a developer you are being pushed to use the Cloud offering. While I would love to do so, my client doesn’t allow for it so I end up being either stuck or having to implement a lot of things on top of Server to have it work (we’re talking adding authentication services etc.). One simple thing that would alleviate the pain of setting authentication up would be to allow to customize the way the UI calls the Apollo endpoint, i.e. adding a header, basic auth, or at least allowing for query params so that we can pass an API key (it’s the last thing I tried, but it just “breaks” the calls to the endpoint). EDIT: and even if finally managing to pass in an api key or similar to access apollo, there is no way to do this for registering the flows since it’s only possible to set a host in config.toml. Knowing this I am not sure I would choose Prefect as an OS solution for my next production projects.