
Self-Service Portals

Integration with Self-Service Portals

There are scenarios where an Internal Developer Portal (IDP) such as Backstage, a CMDB such as ServiceNow, or a custom portal is the preferred self-service frontend for developers and data scientists in an organization. In this setup, the self-service portal can be configured to use Rafay APIs so that developers and data scientists can spin up namespaces, clusters or full-stack environments on demand.

Rafay supports an Assume User facility that makes it easier to integrate self-service portals such as Backstage. The self-service portal can be configured to make API calls using an Organization's Admin API key, adding the user/group details as part of the header. This helps with two things:

  • Removes the need to manage API keys on a per-user basis on the self-service portal side
  • Ensures that the necessary security-related guardrails are in place: Rafay enforces RBAC based on the user/group details included in the header, and the audit logs capture the specific user who performed the operation (e.g. creation of a namespace)

The above pattern (Assume User) is only supported with an Org Admin API key, and the following headers need to be included:

X-RAFAY-IMPERSONATE-USER: <user_name>
X-RAFAY-IMPERSONATE-GROUP: <user_group>

Workflow

sequenceDiagram
    participant User
    participant Self-Service Portal
    participant Rafay Controller

    User->>+Self-Service Portal: Authenticates and logs in to the portal
    User->>+Self-Service Portal: Initiates an allowed operation (e.g. create namespace)
    rect rgb(191, 223, 255)
    Self-Service Portal->>+Rafay Controller: Calls Rafay APIs to execute the user initiated operation
    Note right of Self-Service Portal: Org Admin API key with user/group details in the header
    Rafay Controller-->>+Rafay Controller: User entry created during first login (similar to IDP user)
    Rafay Controller-->>+Rafay Controller: RBAC enforcement based on group membership    
    end
    Rafay Controller->>+Self-Service Portal: API Response       
    Rafay Controller->>+Rafay Controller: Audit logs captured for all user activities
    Self-Service Portal->>+User: Visibility into executed operation

Examples

EXAMPLE:

Below is a curl example using the V3 API (creating a Rafay GitOps Docker Agent):

curl --location --request POST 'https://console.stage.rafay.dev/apis/gitops.k8smgmt.io/v3/projects/defaultproject/agents' \
--header 'accept: application/json' \
--header 'X-API-KEY: ra2.1603579db8bb61e09b7b2ba33493b8de81dc1bd8.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
--header 'Content-Type: application/yaml' \
--header 'X-RAFAY-IMPERSONATE-USER: testuser@example.co' \
--header 'X-RAFAY-IMPERSONATE-GROUP: Organization Admins' \
--data-raw 'apiVersion: gitops.k8smgmt.io/v3
kind: Agent
metadata:
  name: agent-demo
  project: defaultproject
spec:
  active: true
  type: Docker'

Below is a curl example using the V2 API (creating a Rafay GitOps Docker Agent):

curl --location --request POST 'https://console.stage.rafay.dev/v2/config/project/rx28oml/agent' \
--header 'accept: application/json' \
--header 'X-RAFAY-API-KEYID: ra2.1603579db8bb61e09b7b2ba33493b8de81dc1bd8.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
--header 'Content-Type: application/json' \
--header 'X-RAFAY-IMPERSONATE-USER: testuser2@example.co' \
--header 'X-RAFAY-IMPERSONATE-GROUP: Organization Admins' \
--data-raw '{"metadata":{"name":"agent-demo-v2"},"spec":{"agentType":"DockerAgent"}}'
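
Because Rafay enforces RBAC on whatever user and group the impersonation headers name, the portal backend should take both values from the session it authenticated and never from the browser's request. The sketch below is an added example, not Rafay or Backstage code; the session shape, the function name and the forwarding allowlist are assumptions, and the key header is the V3 one shown above.

```python
import re

IMPERSONATE_USER = "X-RAFAY-IMPERSONATE-USER"
IMPERSONATE_GROUP = "X-RAFAY-IMPERSONATE-GROUP"
# Only these browser-supplied headers are ever copied to the outbound call.
# Client-sent impersonation or API-key headers are dropped, whatever their case.
FORWARDABLE = {"accept", "content-type"}
# Printable ASCII only: rejects CR/LF and other control characters that
# could be used to smuggle an extra header into the outbound request.
SAFE_VALUE = re.compile(r"[\x20-\x7e]{1,256}")


class ImpersonationError(ValueError):
    """Raised when the portal must refuse to build an Assume User request."""


def build_rafay_headers(session, requested_group, inbound_headers, api_key):
    """Build headers for a Rafay API call made on behalf of a portal user.

    session          identity verified by the portal at login (assumed shape:
                     {"user": "...", "groups": ["...", ...]})
    requested_group  group the user selected for this operation
    inbound_headers  headers of the user's own request (untrusted)
    api_key          Org Admin API key, loaded server-side from a secret store
    """
    user = session["user"]
    # The group must be one the portal's identity provider asserted.
    if requested_group not in session["groups"]:
        raise ImpersonationError("group is not in the verified session")
    for value in (user, requested_group):
        if not SAFE_VALUE.fullmatch(value):
            raise ImpersonationError("illegal character in identity value")
    outbound = {k: v for k, v in inbound_headers.items()
                if k.lower() in FORWARDABLE}
    outbound["X-API-KEY"] = api_key
    outbound[IMPERSONATE_USER] = user
    outbound[IMPERSONATE_GROUP] = requested_group
    return outbound


if __name__ == "__main__":
    # Constructed sample values, not real identities or keys.
    demo_session = {"user": "dev1@example.com", "groups": ["Dev Team"]}
    demo_inbound = {"Accept": "application/json",
                    "x-rafay-impersonate-group": "Organization Admins"}
    print(build_rafay_headers(demo_session, "Dev Team", demo_inbound,
                              "ra2.PLACEHOLDER-KEY"))
```
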