Internal applications

Here is an idea that I was drafting on Frills, but then I thought it was a bit too open-ended so I’m posting it here for discussion.

So, when you deploy development or staging applications, or production applications for an internal use, you usually don’t want them to be exposed publicly on the internet. You want something that only allows the company employees to access them.

I think that deploying OpenVPN / Wireguard and offering to expose these applications behind an internal ingress, with an easy way to download the VPN configuration files per user, would be extremely practical. From a business perspective, you could even charge for VPN users that are not developers already on Qovery. :slightly_smiling_face:

An other option I can see would be to deploy an authentication proxy that you can only pass if you’re a known user, like OAuth2 Proxy. Or even just configure the ingress to add an HTTP Basic Auth per application or environment. But these two options are not really practical for backend applications / APIs, only frontend or fullstack applications.

What do you think?

1 Like

I think it’s a good idea - as far as I know, I’ve seen one of our users building a portal on top of Qovery to allow dev environment access to allowed developers. One of the simplest solutions would be to use Cloudflare Access - which is exactly made for this purpose. You also have Auth0/Okta proposing the same kind of feature as Cloudflare Access.

It looks great and quite similar to the solutions above. Did you try it?

Cloudflare Access would only protect mydomain.com, and not abc123-gtw.qovery.io, right?

And just like Oauth2 Proxy and alike, that’s probably not very practical for backend applications / APIs.

No, it’s just something I benchmarked in a previous life. There are quite a bunch of more or less similar tools: S.S. Octopus, Vouch Proxy, Authelia, Dex, etc. :slight_smile:

Teleport could be interesting as well, since it can be used for access management of both applications and Kubernetes!

It’s probably worth another subject I guess, but user accounts for the Kubernetes cluster would be nice as well.