ConnectorsProxy

ConnectorsProxy is a core component that provides secure, secretless access to integrated tools within Kubernetes clusters. It acts as a proxy server that injects authentication and routes requests to the target tool.

ConnectorsProxy enables clients to access tool resources without direct credential handling. This approach delivers significant security benefits:

  • Secretless Access: Eliminates the need to distribute tool credentials to clients by using short-lived ServiceAccount tokens instead. This keeps tool credentials off the client side, where they could otherwise end up in logs or environment variables.
  • Centralized Credential Management: All tool credentials are managed centrally by Connectors, so there is no need to distribute them to each client.

The platform supports both built-in and custom proxy implementations to accommodate diverse tool authentication requirements.

Built-in Connectors Proxy

The built-in ConnectorsProxy implementation provides comprehensive HTTP/HTTPS protocol support with Basic Auth and Bearer Token authentication methods. It offers both forward proxy and reverse proxy capabilities.

Forward Proxy

Operates as a standard HTTP proxy configured through the http_proxy and https_proxy environment variables. When the proxy receives a client request, it:

  1. Authenticates the client
  2. Injects tool credentials specified in the Connector into the request
  3. Forwards the authenticated request to the target tool

Reverse Proxy

Clients access tools by connecting directly to the Connector Proxy Address instead of the original tool URL. The proxy:

  1. Receives client requests at the proxy endpoint
  2. Performs client authentication
  3. Injects tool credentials specified in the Connector and forwards requests to the backend tool

Custom Connectors Proxy

For tools requiring specialized authentication mechanisms, custom proxy implementations can be developed. These proxies can be implemented as either forward or reverse proxies based on specific requirements.

Example: The OCI Connector uses a custom OCI Plugin Proxy that supports the OCI protocol with Bearer Token authorization for registries such as Harbor and Docker Registry.

Users can develop a custom proxy server and specify it in the ConnectorClass.

Connector Proxy Address

Each Connector has a unique proxy address for accessing tool resources. The proxy address is stored in the status.proxy.httpAddress field:

apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: github
spec:
  address: https://github.com/kubernetes/kubernetes.git
  auth:
    name: basicAuth
    params:
    - name: repository
      value: kubernetes/kubernetes.git
  connectorClassName: git
status:
  # . . .
  proxy:
    httpAddress:
      url: http://c-github.default.svc.cluster.local

Clients use this proxy address to access resources within the tool specified by the Connector.

For the remaining ConnectorClass fields, refer to ConnectorClass.

Use with Connectors CSI Driver

Connectors Proxy works seamlessly with the Connectors CSI Driver to provide a complete secretless access solution:

  1. The Connectors CSI Driver mounts the configuration files that contain the proxy address and the proxy authentication information.
  2. Connectors Proxy handles authentication injection and request routing to the target tool.
  3. Clients can access resources without managing any credentials.

This integration is particularly useful in scenarios like:

  • Git clone operations in Kubernetes Jobs
  • Image push/pull operations in Tekton Pipelines
  • API access in custom workloads

For a complete secretless access scenario using Connectors Proxy and the Connectors CSI Driver, see How to use the Git Connector to complete Git clone without storing credentials on the client.

Deep Understanding of Connectors Proxy

Specifying Proxy in ConnectorClass

You can specify the proxy server to use in the ConnectorClass:

apiVersion: connectors.alauda.io/v1alpha1
kind: ConnectorClass
metadata:
  name: example
spec:
  proxy:
    ref:
      kind: Service
      name: connectors-proxy-service
      namespace: connectors-system

Connectors created from this ConnectorClass will use connectors-proxy-service as their actual proxy server.

Built-in Proxy Configuration:

ref:
  kind: Service
  name: connectors-proxy-service
  namespace: <connector-namespace> # Namespace where Connector components are deployed

Custom Proxy Configuration:

Custom proxies can point to any address capable of handling proxy requests.

Connectors Proxy Authentication

Clients must provide authentication when using Connectors Proxy. Authentication uses ServiceAccount tokens, and the ServiceAccount must have read permissions for the target Connector.

Built-in Forward Proxy Authentication

Authentication credentials are passed via the Proxy-Authorization header:

  • Username: <connector-namespace>/<connector-name>
  • Password: ServiceAccount token with read permissions for the Connector

Example: For a github Connector in the default namespace:

export http_proxy=http://default%2Fgithub:xxxxxxx@c-github.default.svc.cluster.local

Note that the / in the username default/github is percent-encoded as %2F in the proxy URL. Requests through this proxy automatically carry the default/github Connector's tool credentials when they reach GitHub services.
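Assembling that forward-proxy URL for any Connector, as an added example that is not code from the Connectors project; the ServiceAccount token path and the clone helper are assumptions:

```shell
# Added example, not code from the Connectors project.  It builds the
# forward-proxy URL shown above for any Connector and uses it for a git
# clone.  Assumptions: the ServiceAccount token is read from the standard
# projected token path (override with TOKEN_FILE); the proxy host is passed
# in by the caller, e.g. taken from status.proxy.httpAddress.url.

# Print the proxy URL.  The username "<namespace>/<name>" must have its "/"
# percent-encoded as %2F, otherwise a URL parser reads it as the start of
# the path.  Namespace and name are DNS-1123 labels (lowercase
# alphanumerics, '-' and '.'), so '/' is the only character that needs
# encoding; the token is a JWT (base64url and '.') and is already URL-safe.
connectors_proxy_url() {
  ns=$1 name=$2 token=$3 proxy_host=$4
  for label in "$ns" "$name"; do
    case "$label" in
      ''|*[!a-z0-9.-]*) echo "invalid namespace or name: '$label'" >&2; return 1 ;;
    esac
  done
  [ -n "$token" ] || { echo "empty ServiceAccount token" >&2; return 1; }
  printf 'http://%s%%2F%s:%s@%s\n' "$ns" "$name" "$token" "$proxy_host"
}

# Clone through the proxy with no tool credential present on the client.
# The proxy variables are scoped to the git command only, so the token is
# not left in the shell environment afterwards.
# Usage: clone_via_proxy <namespace> <connector> <proxy-host> <repo-url>
clone_via_proxy() {
  token=$(cat "${TOKEN_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/token}") || return 1
  proxy=$(connectors_proxy_url "$1" "$2" "$token" "$3") || return 1
  http_proxy=$proxy https_proxy=$proxy git clone "$4"
}
```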

Built-in Reverse Proxy Authentication

Authentication credentials are passed via HTTP Basic Auth:

  • Username: Any value
  • Password: ServiceAccount token with read permissions for the Connector

Example: For a github Connector in the default namespace:

curl -u any:sa-token-xxxxxxx "http://c-github.default.svc.cluster.local/xxx"

The proxy automatically injects the default/github Connector's tool credentials when forwarding requests to GitHub services.