
OneGate proxy service

Open sk4zuzu opened this issue 3 years ago • 0 comments

Description

Add OneGate proxy service deployed on hypervisor hosts to mitigate the requirement of guest VMs to be able to directly connect to the OneGate server.

Use case

OneGate configuration of OpenNebula instances in certain clusters (for example, OneProvision ones) requires either a publicly accessible OneGate endpoint or a complex / inconvenient network design to make the endpoint secured. By introducing this proxy we can shift the responsibility of handling the OneGate communication to a service network that connects OpenNebula frontends and hypervisor hosts. Then, because guest VM <-> OneGate communication doesn't happen directly, it can be easily protected with a VPN or a TLS/SSL tunnel established between frontends and hypervisor hosts.

Interface Changes

No

Additional Context

  • Guest VMs will require an additional static route (which can be added automatically in the context), for example:
        ip route replace 169.254.169.254/32 dev eth0
  • oned will require an additional ONEGATE_PROXY_ENDPOINT variable that, when defined, will be passed to guest VMs as the ONEGATE_ENDPOINT in the context.

Progress Status

  • [ ] Code committed
  • [ ] Testing - QA
  • [ ] Documentation (Release notes - resolved issues, compatibility, known issues)

sk4zuzu, Sep 15 '22 11:09
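A guest-side check for the two settings listed under Additional Context, written as an added example (it is not code from this issue or from the OpenNebula project). It assumes the proxy answers on 169.254.169.254 (the address in the route example), that the context is a `KEY='value'` shell file, and it runs on constructed sample input; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the proxy is reached at the link-local address
# used in the issue's route example.
PROXY_IP="169.254.169.254"

# Read context text on stdin, print the host part of ONEGATE_ENDPOINT.
endpoint_host() {
    sed -n "s/^ONEGATE_ENDPOINT=['\"]\{0,1\}[a-z]*:\/\/\([^:\/'\"]*\).*/\1/p" | head -n 1
}

# Read `ip route show` output on stdin; succeed if a host route to the proxy
# exists. iproute2 prints /32 routes without the prefix length, so accept both.
has_proxy_route() {
    awk -v ip="$PROXY_IP" '
        ($1 == ip || $1 == (ip "/32")) {
            for (i = 2; i < NF; i++) if ($i == "dev") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# check_guest CONTEXT_TEXT ROUTES_TEXT
# Returns 0 if the guest is set up to use the proxy, 1 if the endpoint still
# points elsewhere (direct OneGate access), 2 if the static route is missing.
check_guest() {
    host=$(printf '%s\n' "$1" | endpoint_host)
    if [ "$host" != "$PROXY_IP" ]; then
        echo "FAIL: ONEGATE_ENDPOINT host is '${host:-unset}', expected $PROXY_IP"
        return 1
    fi
    if ! printf '%s\n' "$2" | has_proxy_route; then
        echo "FAIL: no host route for $PROXY_IP"
        return 2
    fi
    echo "OK: guest reaches OneGate through the host-local proxy"
}

# Constructed sample input (not taken from a real deployment).
SAMPLE_CONTEXT="ONEGATE_ENDPOINT='http://169.254.169.254:5030'"
DIRECT_CONTEXT="ONEGATE_ENDPOINT='http://onegate.example.com:5030'"
SAMPLE_ROUTES="default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.15
169.254.169.254 dev eth0 scope link"

check_guest "$SAMPLE_CONTEXT" "$SAMPLE_ROUTES"
check_guest "$DIRECT_CONTEXT" "$SAMPLE_ROUTES" || true
```

On a real guest, pass the contents of the context file and the output of `ip route show` as the two arguments.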