Self-Service Portals
Integration with Self-Service Portals¶
There are scenarios where an Internal Developer Portal (IDP) like Backstage, CMDB such as ServiceNow or a custom portal is the preferred self-service frontend interface for developers/data scientists in an organization. In this set-up, the self-service portal can be configured to leverage Rafay APIs to enable developers/data scientists to spin up namespaces, clusters or full stack environments on demand as necessary.
Rafay supports an Assume User facility which makes it easier to integrate Self-service portals such as Backstage. The Self-Service portal can be configured to make API calls leveraging an Organization's Admin API key and adding user/group details as part of the header. This helps with two things:
- Removes the need to manage API keys on a per user basis on the self-service portal side
- Ensures that the necessary security related guardrails are in place - Rafay enforces RBAC based on the user/group details included in the header and audit logs captures the specific user details who performed the operation (e.g. creation of a namespace)
The above pattern (Assume User) is only supported with an Org Admin API key and the following headers needed to be included:
X-RAFAY-IMPERSONATE-USER : <user_name>
X-RAFAY-IMPERSONATE-GROUP: <user_group>
Workflow¶
sequenceDiagram
participant User
participant Self-Service Portal
participant Rafay Controller
User->>+Self-Service Portal: Authenticates and logs in to the portal
User->>+Self-Service Portal: Initiates an allowed operation (e.g. create namespace)
rect rgb(191, 223, 255)
Self-Service Portal->>+Rafay Controller: Calls Rafay APIs to execute the user initiated operation
Note right of Self-Service Portal: Org Admin API key with user/group details in the header
Rafay Controller-->>+Rafay Controller: User entry created during first login (similar to IDP user)
Rafay Controller-->>+Rafay Controller: RBAC enforcement based on group membership
end
Rafay Controller->>+Self-Service Portal: API Response
Rafay Controller->>+Rafay Controller: Audit logs captured for all user activities
Self-Service Portal->>+User: Visibility into executed operationExamples¶
EXAMPLE:
Below is a curl example using V3 API (for creating a Rafay GitOps Docker Agent)
curl --location --request POST 'https://console.stage.rafay.dev/apis/gitops.k8smgmt.io/v3/projects/defaultproject/agents' \
--header 'accept: application/json' \
--header 'X-API-KEY: ra2.1603579db8bb61e09b7b2ba33493b8de81dc1bd8.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
--header 'Content-Type: application/yaml' \
--header 'X-RAFAY-IMPERSONATE-USER: testuser@example.co' \
--header 'X-RAFAY-IMPERSONATE-GROUP: Organization Admins' \
--data-raw 'apiVersion: gitops.k8smgmt.io/v3
kind: Agent
metadata:
name: agent-demo
project: defaultproject
spec:
active: true
type: Docker
Below is a curl example using V2 API (for creating a Rafay GitOps Docker Agent)
curl --location --request POST 'https://console.stage.rafay.dev/v2/config/project/rx28oml/agent' \
--header 'accept: application/json' \
--header 'X-RAFAY-API-KEYID: ra2.1603579db8bb61e09b7b2ba33493b8de81dc1bd8.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
--header 'Content-Type: application/json' \
--header 'X-RAFAY-IMPERSONATE-USER: testuser2@example.co' \
--header 'X-RAFAY-IMPERSONATE-GROUP: Organization Admins' \
--data-raw '{"metadata":{"name":"agent-demo-v2"},"spec":{"agentType":"DockerAgent"}}'