feat: single pane of glass — unified API gateway with auth proxy by paullatzelsperger · Pull Request #103 · Metaform/jad

paullatzelsperger · 2026-05-04T13:09:43Z

Summary

All JAD administration APIs are now exposed under a single hostname (jad.localhost) via a unified Traefik gateway, acting as a single pane of glass
Introduces the auth-proxy service: a small Go reverse proxy that enforces Bearer token authentication via Keycloak RFC 7662 token introspection, wired into Traefik as ForwardAuth middlewares
Each protected API has a dedicated Traefik middleware (jwt-auth-*) that validates the token and checks the required OAuth2 scopes before forwarding to the backend
redline and the web UI are moved onto the shared jad.localhost hostname with path-prefix routing (/redline, /ui)
Keycloak is moved from keycloak.localhost to jad.localhost/auth
Dataplane routes updated from /dp/* to /api/dp/* for consistency with the rest of the API surface
Keycloak realm extended with scopes and client assignments for tenant-manager and provision-manager APIs, and a new auth-proxy client for token introspection
README updated with a new "Single pane of glass" section documenting the full route mapping, auth middleware scopes, and the auth-proxy design

🤖 Generated with Claude Code

paullatzelsperger added 8 commits May 4, 2026 08:15

feat: all admin apis are available unter the same base path

0246a33

administration API: add auth proxy, remove some unneeded paths

af5ce10

update API paths and bruno collection

55d97fe

fix tests (wip)

7cc0fb9

update bruno requests

4eab169

exclude siglet API from auth proxy

61c0df1

update dataplane base URL

d06c963

update readme

57d7cbd

paullatzelsperger marked this pull request as draft May 4, 2026 13:10

build and upload auth-proxy

4174fad

paullatzelsperger force-pushed the feat/single_pane_of_glass branch from cf93921 to 4174fad Compare May 4, 2026 13:16

paullatzelsperger added 8 commits May 4, 2026 15:18

refactor method name

244bfd8

reorder workflow actions

b29ba9a

authenticate siglet's token API

d791a59

rewrite auth-proxy in rust

dedca23

fix e2e test and docker publish

c78913d

simplify e2e tests

6279d94

authproxy: tests, sourcedoc

f409a69

add e2e tests for SPG

756f166

paullatzelsperger requested review from jimmarino and wolf4ood May 5, 2026 06:41

paullatzelsperger marked this pull request as ready for review May 5, 2026 06:41

paullatzelsperger mentioned this pull request May 5, 2026

Single Pane Glass (Glass API) eclipse-cfm/planning#48

Closed

rename auth-proxy -> clearglass

9101bde

paullatzelsperger force-pushed the feat/single_pane_of_glass branch from bd1bf01 to 9101bde Compare May 5, 2026 07:22

jimmarino approved these changes May 5, 2026

View reviewed changes

paullatzelsperger merged commit cc6a68d into main May 5, 2026
7 checks passed

paullatzelsperger deleted the feat/single_pane_of_glass branch May 5, 2026 07:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: single pane of glass — unified API gateway with auth proxy#103

feat: single pane of glass — unified API gateway with auth proxy#103
paullatzelsperger merged 18 commits into
mainfrom
feat/single_pane_of_glass

paullatzelsperger commented May 4, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

paullatzelsperger commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

paullatzelsperger commented May 4, 2026 •

edited

Loading