Summary
As a platform engineer, I want to expose Qdrant through Envoy Gateway with Authorino enforcement so that vector search can be consumed securely by internal and external services.
Acceptance Criteria
Given Qdrant is deployed in-cluster,
when clients access the Qdrant HTTP API through Envoy,
then requests are authenticated and authorized by Authorino.
- It’s done when Qdrant is reachable only through the gateway, not directly.
- It’s done when API-key and/or OAuth2 auth policies apply.
- It’s done when unauthorized requests return 401.
Additional Sections
- Design: Gateway route: Client → Envoy → Authorino → Qdrant.
- Technical Information:
  - Qdrant REST API endpoints (collections, points, search).
  - Authorino AuthConfig enforcing API keys or JWT.
- Notes: Consider rate limiting + audit logging for vector queries.
- ToDo: @decide whether Qdrant should be public-facing or internal-only.
Definition of Done
- Qdrant API is exposed securely behind Envoy.
- Authorino policies are deployed via ArgoCD.
- Access tested with valid + invalid credentials.
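
A sketch of manifests for the API-key option and the "reachable only through the gateway" criterion, added here as an example and not taken from this ticket or the project's repository. The hostname, namespaces, resource names and labels are assumptions to be replaced with the cluster's real values.

```yaml
# Added example; hostnames, namespaces, labels and names are assumptions.
apiVersion: authorino.kuadrant.io/v1beta2
kind: AuthConfig
metadata:
  name: qdrant-api-protection          # hypothetical name
  namespace: qdrant                    # assumed namespace
spec:
  hosts:
    - qdrant.example.internal          # placeholder gateway hostname
  authentication:
    api-key-clients:
      apiKey:
        selector:
          matchLabels:
            app: qdrant-clients        # assumed label on API-key Secrets
      credentials:
        authorizationHeader:
          prefix: APIKEY               # clients send "Authorization: APIKEY <key>"
---
# One Secret per client; Authorino reads the key from the api_key entry.
apiVersion: v1
kind: Secret
metadata:
  name: qdrant-client-a                # hypothetical client
  namespace: qdrant
  labels:
    authorino.kuadrant.io/managed-by: authorino
    app: qdrant-clients
type: Opaque
stringData:
  api_key: REPLACE_WITH_GENERATED_KEY  # placeholder; do not commit a real key
---
# Allow ingress to Qdrant's HTTP port only from the Envoy data plane.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: qdrant-allow-gateway-only      # hypothetical name
  namespace: qdrant
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: qdrant   # assumed Qdrant pod label
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: envoy-gateway-system  # assumed
      ports:
        - protocol: TCP
          port: 6333                   # Qdrant HTTP API port
```

The Envoy Gateway configuration that sends requests to Authorino for external authorization is not shown here. The NetworkPolicy only takes effect if the cluster's CNI enforces NetworkPolicy.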