A Quarkus-based intelligent routing service that automatically redirects users to their designated Red Hat OpenShift Dev Spaces instance based on their OpenShift group membership. This enables organizations to manage multiple Dev Spaces clusters and seamlessly route users to the appropriate instance.
In enterprise environments with multiple OpenShift Dev Spaces deployments across different clusters, users need to be directed to the correct instance based on their team, project, or organizational unit. This redirector service solves that problem by:
- Authenticating users via OpenShift OAuth Proxy
- Querying OpenShift groups to determine user membership
- Mapping groups to Dev Spaces URLs using a configurable mapping
- Automatically redirecting users to their designated Dev Spaces instance
- Quarkus Application: Lightweight Java application providing REST APIs and redirect logic
- OAuth Proxy Sidecar: Handles OpenShift authentication and injects user/group headers
- OpenShift Client: Queries the OpenShift API for group membership information
- ConfigMap Integration: Dynamically loads group-to-URL mappings without restart
User Request β OAuth Proxy β Quarkus App β OpenShift API β Group Mapping β Redirect
- User accesses the redirector URL
- OAuth Proxy authenticates the user against OpenShift
- User and group information is passed via HTTP headers (
X-Forwarded-User,X-Forwarded-Groups) - Application queries OpenShift API to get user's group memberships
- Group mappings are loaded from ConfigMap (
/etc/config/group-mapping.json) - User is redirected to the appropriate Dev Spaces instance
- 404 errors redirect to home page for seamless user experience
- ConfigMap-based configuration: Update group mappings without redeploying
- Real-time updates: Automatically detects ConfigMap changes via symlink resolution
- Retry mechanism: Handles Kubernetes ConfigMap update delays gracefully
- Native group queries: Direct integration with OpenShift API
- Service account authentication: Uses Kubernetes service account tokens
- RBAC support: Requires appropriate cluster role bindings
- 404 to Home: All 404 errors redirect to the home page
- No caching: Cache control headers prevent stale data
- User-friendly: Seamless experience with automatic redirects
- Java 17 or later
- Maven 3.9.x or later
- OpenShift cluster access (for deployment)
- Podman (for container builds)
Development mode enables live coding with automatic reload:
mvn quarkus:devThe application will start on http://localhost:8080
Creates a runnable JAR file:
mvn clean packageThe application produces:
target/quarkus-app/quarkus-run.jar- Main executabletarget/quarkus-app/lib/- Dependencies
Run the application:
java -jar target/quarkus-app/quarkus-run.jarCreate a native executable for faster startup and lower memory footprint:
mvn package -DnativeOr using a container build (no GraalVM installation required):
mvn package -Dnative -Dquarkus.native.container-build=trueRun the native executable:
./target/devspaces-multicluster-redirector-1.0.0-SNAPSHOT-runnerBuild a container image:
mvn package -Dquarkus.container-image.build=true- Service Account: The application requires a service account with permissions to list and read OpenShift groups
- ConfigMap: Create a ConfigMap with group-to-URL mappings
- OAuth Proxy: Configured for OpenShift authentication
The openshift/ directory contains Kustomize configuration files:
kubectl apply -k openshiftThis creates:
- ServiceAccount:
devspaces-multicluster-redirector - ClusterRole: Permissions to list and get groups
- ClusterRoleBinding: Binds the role to the service account
- ConfigMap: Group mapping configuration
- Secret: OAuth proxy session secret
- Deployment: Application with OAuth proxy sidecar
- Service: Internal service on port 8443
- Route: External HTTPS access
Edit openshift/configmap.yaml to configure your group mappings:
apiVersion: v1
kind: ConfigMap
metadata:
name: devspaces-openshift-group-mapping
data:
group-mapping.json: |
{
"team-alpha": "https://devspaces-alpha.example.com",
"team-beta": "https://devspaces-beta.example.com",
"contractors": "https://devspaces-external.example.com"
}Note: ConfigMap updates are automatically detected by the application without restart.
The service account needs these permissions (defined in openshift/clusterrole.yaml):
rules:
- apiGroups: ["user.openshift.io"]
resources: ["groups"]
verbs: ["get", "list"]Configure in src/main/resources/application.properties:
# HTTP port
quarkus.http.port=8080
# Container image settings
quarkus.container-image.registry=quay.io
quarkus.container-image.name=redhat-developer/devspaces-multicluster-redirectorThe OAuth proxy sidecar uses these environment variables:
NAMESPACE: Automatically injected from pod metadata
Run the test suite:
mvn testTests include:
GreetingResourceTest: Basic endpoint testingNotFoundRedirectFilterTest: 404 redirect functionality
View application logs:
kubectl logs -f deployment/devspaces-multicluster-redirector -c devspaces-multicluster-redirectorView OAuth proxy logs:
kubectl logs -f deployment/devspaces-multicluster-redirector -c oauth-proxy- User not redirected: Check if user belongs to any mapped groups
- ConfigMap not updating: Verify the ConfigMap is mounted at
/etc/config - Authentication failures: Check OAuth proxy configuration and service account permissions
- Group query failures: Verify ClusterRole and ClusterRoleBinding are correctly applied
- Framework: Quarkus 3.15.3.1
- Language: Java 17
- Build Tool: Maven
- Kubernetes Client: Fabric8 OpenShift Client 6.13.4
- REST: Jakarta REST (JAX-RS)
- JSON: Jackson
- Authentication: OpenShift OAuth Proxy
Contributions are welcome! Please feel free to submit issues and pull requests.
- Fork the repository
- Create a feature branch
- Make your changes
- Run tests:
mvn test - Build the project:
mvn package - Submit a pull request
This project is licensed under the terms specified in the LICENSE file.
For issues and questions:
- Open an issue in this repository
- Check the Red Hat Developer documentation