kbind-dev
diff --git a/‎docs/proposals/202303-poll-based-binding.md‎
Lines changed: 149 additions & 0 deletions b/‎docs/proposals/202303-poll-based-binding.md‎
Lines changed: 149 additions & 0 deletions
diff --git a/‎docs/proposals/localhost-callback.png‎
392 KB b/‎docs/proposals/localhost-callback.png‎
392 KB
diff --git a/‎docs/proposals/poll-based.png‎
520 KB b/‎docs/proposals/poll-based.png‎
520 KB
@@ -0,0 +1,149 @@
+---
+type: proposal
+title: Global / Federated Rules API
+status: in-progress
+owner: s-urbaniak
+---
+
+* **Owners:**
+    * @s-urbaniak
+
+* **Related Tickets:**
+    * N/A
+
+## Summary
+
+kube-bind offers a user-friendly approach of being able to bind API resources provided by an external party using a simple URL. This URL can be invoked directly via the terminal and the rest of the binding process is finalized in a user web browser session.
+
+At the end a local callback ensures that the necessary metadata of the binding process is passed back to the kubectl `bind` process.
+
+While being user-friendly the current approach has a couple of drawbacks. An alternative method is described which adds a new "polling" based approach vs. the current "callback" based approach.
+
+## Why
+
+kube-bind allows to bind APIs offered by providers using a URL passed to the `bind` subcommand.
+As part of the binding process the following steps are executed:
+
+1. The kubectl `bind` plugin retrieves provider metadata
+which includes information about supported authentication methods at the provider.
+Currently, OAuth 2 code grant flow is supported.
+2. The kubectl `bind` renders an authentication URL on the terminal,
+augmented with additional session data.
+3. The user executes the rendered URL link
+and finalizes authentication and API selection in his local browser.
+
+kubectl `bind` plugin blocks until authentication and API selection is finalized.
+Currently, this is accomplished using a localhost web server listening on an ephemeral local port on the user machine.
+
+After the end of the above process the kube-bind backend invokes an HTTP 302 localhost redirect in the user browser session. The callback URL includes a serialized `kubebindv1alpha1.BindingResponse` JSON object. This object is passed as a base64 encoded `response` parameter which is added to the callback localhost URL as a query parameter.
+
+The following figure illustrates the current process:
+
+![](localhost-callback.png)
+Link: https://whimsical.com/kube-bind-auth-flow-FYCNPvj5m27pKUDVYxVRGy
+
+The current solution has a couple of drawbacks:
+
+1. The kubectl `bind` plugin starts localhost a web server running on the user machine. This makes it currently impossible to use kubectl `bind` on a remote machine i.e. via an SSH session.
+
+2. The serialized encoded length of the `kubebindv1alpha1.BindingResponse` is currently passed as a URL parameter which should not exceed ~2000 characters in most web browser implementations. Worse, this upper bound is not standardized. Finally, passing large URL parameters is not recommended. 
+
+The current method will be called as "callback based" approach in the remainder of this proposal.
+
+## Goals
+
+1. *MUST* enable the possibility to use kubectl `bind` on a remote machine i.e. via an SSH session.
+2. *MUST* remove the necessity to start a localhost web server on the user machine.
+3. *MUST* remove the limitation of encoding the binding response object via a URL query parameter.
+4. *MUST* retain user-friendliness of invoking a single URL to bind external APIs.
+
+## How
+
+Next to the above describe "callback based" approach kubectl `bind` additionally supports a "polling" based approach.
+
+Instead of having a localhost web server blocking until a callback http request is executed by the user web browser session, the kubectl `bind` process regularly polls the kube-bind backend whether the authentication and API resource selection process is finalized.
+
+As a result, the kubectl `bind` process downloads the `kubebindv1alpha1.BindingResponse` JSON object directly from the polled URL.
+
+Here, the following steps are executed:
+
+1. The kubectl `bind` plugin retrieves provider metadata
+which includes information about supported authentication methods at the provider.
+
+Here, a new authentication polling based variant of the OAuth2 code grant called `OAuth2CodeGrantPoll` is introduced:
+
+```yaml
+type BindingProvider struct {
+  metav1.TypeMeta `json:",inline"`
+
+  AuthenticationMethods []AuthenticationMethod `json:"authenticationMethods,omitempty"`
+}
+
+  type AuthenticationMethod struct {
+  // method is the name of the authentication method. The follow methods are supported:
+  //
+  // - "OAuth2CodeGrant"
+  // - "OAuth2CodeGrantPoll"
+  //
+  Method string `json:"method,omitempty"`
+
+  // OAuth2CodeGrant is the configuration for the OAuth2 code grant flow.
+  OAuth2CodeGrant *OAuth2CodeGrant `json:"oauth2CodeGrant,omitempty"`
+
+  // OAuth2CodeGrant is the configuration for the OAuth2 code grant flow
+  // using a poll based approach.
+  OAuth2CodeGrantPoll *OAuth2CodeGrantPoll `json:"oauth2CodeGrantPoll,omitempty"`
+}
+
+type OAuth2CodeGrantPoll struct {
+  // authenticatedURL is the service provider url that the service consumer will use to authenticate against
+  // the service provider in case of using OIDC mode made, e.g: www.mangodb.com/kubernetes/authorize.
+  //
+  // +required
+  // +kubebuilder:validation:Required
+  // +kubebuilder:validation:MinLength=1
+  AuthenticatedURL string `json:"authenticatedURL"`
+
+  // pollURL is the service provider url that is used to be poll regularly, i.e. "www.mangodb.com/bound".
+  // The backend returns a HTTP 403 while the process is ongoing
+  // and a HTTP 200 status code once the authentication and API resource selection is finalized.
+  // The http response body includes the `kubebindv1alpha1.BindingResponse` object.
+  //
+  // +required
+  // +kubebuilder:validation:Required
+  // +kubebuilder:validation:MinLength=1
+  PollURL string `json:"pollURL"`
+
+  // pollInterval is the expected polling interval in Go's `time.Duration` format.
+  // If exceeded, the kube-bind backend may return a 429 Too Many Requests http status code.
+  //
+  // +required
+  // +kubebuilder:validation:Required
+  // +kubebuilder:validation:MinLength=1
+  PollInterval string `json:"pollInterval"`
+}
+```
+
+2. The kubectl `bind` renders an authentication URL on the terminal,
+augmented with additional session data.
+
+3. The user executes the rendered URL link
+and finalizes authentication and API selection in his local browser.
+
+4. kubectl `bind` regularly polls at every `pollInterval`.
+While the user process is ongoing in the user browser session
+the kube-bind backend returns an HTTP 403 status code.
+Once the user process is finalized the kube-bind backend returns an HTTP 200 status code.
+The response body includes the `kubebindv1alpha1.BindingResponse` object.
+
+kubectl `bind` plugin blocks until authentication and API selection is finalized.
+
+The following figure illustrates the poll based approach:
+
+![](poll-based.png)
+Link: https://whimsical.com/kube-bind-auth-flow-FYCNPvj5m27pKUDVYxVRGy
+
+TODO(sur): finalize describing the kube-bind backend, especially how session state is maintained using group-cache and consistent hashring.
+TODO(sur): describe trusted client concept using HMAC
+
+# Alternatives