Support authentication with service account tokens #1373

Open
samjustus opened this issue Jul 11, 2024 · 8 comments · Fixed by #1402

@samjustus

Related Issues

(rancher/rancher#22417)
https://jira.suse.com/browse/SURE-2476

Summary

Rancher's auth proxy can now support authentication of requests that specify a Service Account token in the Authorization Bearer header.

Details

@samjustus
Author

@crobby to add more details

@samjustus samjustus added this to the v2.9-Next1 milestone Jul 11, 2024
@LucasSaintarbor
Contributor

@crobby @samjustus Do you have more details/screenshots you can share about this feature and what should be added to the docs? Should info about this feature live under https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/manage-clusters?

As of 2.9, will this be the only way to enable JWT Authentication (Service Account Authentication) for a cluster?

  1. Go to Cluster Management
  2. Go to Advanced and select JWT Authentication
  3. Select cluster > click Enable

Screenshot 2024-07-15 at 2 37 31 PM

@crobby
Contributor

crobby commented Jul 22, 2024

> @crobby @samjustus Do you have more details/screenshots you can share about this feature and what should be added to the docs? Should info about this feature live under https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/manage-clusters?
>
> As of 2.9, will this be the only way to enable JWT Authentication (Service Account Authentication) for a cluster?
>
>   1. Go to Cluster Management
>   2. Go to Advanced and select JWT Authentication
>   3. Select cluster > click Enable
>
> Screenshot 2024-07-15 at 2 37 31 PM

I don't have any additional screenshots...the feature is pretty minimal UI-wise.

I'm not sure if this belongs under "new user guides". I say that because this isn't really a basic/intro feature that would likely be of use to new users. That being said, I'm not sure where the best fit would be.

In addition to being able to configure this through the UI, it is also possible to manually create a ClusterProxyConfig object in the target cluster's namespace on the local cluster to enable/disable the feature, but I'm not sure we want/need to document that approach.

@crobby
Contributor

crobby commented Jul 22, 2024

@LucasSaintarbor Is there any additional content you need from me for this? Are you taking care of adding the docs?

@crobby
Contributor

crobby commented Jul 22, 2024

A little more info/context that you may or may not have:

JWT Authentication is also known as Service Account Token Authentication.

This feature, when enabled, lets a user set up a downstream cluster to support authentication, through Rancher, of tokens that are created for a service account that exists on a downstream cluster (those tokens are in the form of a JWT).

Prior to this feature, Rancher would reject such requests because Rancher would only support Rancher-issued tokens (which are NOT JWTs). Some users worked around this limitation by issuing those requests directly to the downstream cluster, rather than relying on Rancher's auth/security. With this feature enabled, users no longer have to work around Rancher.

A common use case for this is to enable integration of secret vault solutions (like HashiCorp Vault). You can see the original rancher/rancher issue for more details: rancher/rancher#22417.
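
The distinction drawn in the comment above, JWT-format service account tokens versus tokens that are not JWTs, can be checked structurally when auditing what arrives in the Authorization header. The following is an added example, not part of the original comment and not Rancher's code; the function names, the `vault`/`vault-auth` service account and both sample tokens are constructed assumptions, and decoding claims here is not signature verification.

```python
import base64
import json

SA_PREFIX = "system:serviceaccount:"  # subject prefix Kubernetes uses for service accounts

def _b64url_json(segment):
    """Decode one base64url JWT segment into a dict, or return None."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def classify_bearer(authorization):
    """Classify an Authorization header value WITHOUT verifying any signature.

    Returns (kind, detail). kind is 'none', 'opaque', 'jwt-other' or
    'jwt-service-account'; detail holds unverified claims, for logging only.
    """
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return "none", {}
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):  # a signed JWT has three non-empty segments
        return "opaque", {}
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    if header is None or claims is None or "alg" not in header:
        return "opaque", {}
    sub = claims.get("sub", "")
    if isinstance(sub, str) and sub.startswith(SA_PREFIX):
        namespace, _, name = sub[len(SA_PREFIX):].partition(":")
        detail = {"iss": claims.get("iss"), "namespace": namespace, "name": name}
        return "jwt-service-account", detail
    return "jwt-other", {"iss": claims.get("iss")}

def make_sample_jwt(claims):
    """Build a constructed sample JWT with a fake signature segment."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])

# Constructed samples: a service-account-shaped JWT and an opaque, non-JWT token.
SAMPLE_SA = make_sample_jwt({"iss": "https://kubernetes.default.svc",
                             "sub": "system:serviceaccount:vault:vault-auth"})
SAMPLE_OPAQUE = "opaque-example-token-value"
```

A `jwt-service-account` result only says the token has the shape of a service account JWT; whether it is accepted is still decided by validating it against the cluster that issued it.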

@LucasSaintarbor
Contributor

@crobby Thanks for sharing more info! I opened #1402. I'll follow up with questions there.

LucasSaintarbor added a commit that referenced this issue Aug 1, 2024
* Add JWT Authentication page for v2.9 feature #1373

* Update GitLab / HashiCorp reference

Co-authored-by: Billy Tat <[email protected]>

* Update location of JWT Authentication page

* Apply suggestions from code review for Intro

Co-authored-by: Marty Hernandez Avedon <[email protected]>

* Update title / get rid of note

* Update title (2)

* Add JWT Auth page to v2.9 docs

* Update JWT feature summary

* Apply suggestions from code review

Co-authored-by: Billy Tat <[email protected]>

---------

Co-authored-by: Billy Tat <[email protected]>
Co-authored-by: Marty Hernandez Avedon <[email protected]>
@martyav martyav reopened this Aug 8, 2024
@martyav
Contributor

martyav commented Aug 8, 2024

There was a child ticket associated with the Jira, which proposed updating the general FAQ page as well. Re-opened as we still need to address.

@martyav
Contributor

martyav commented Aug 8, 2024

I can take on the task and create a PR.
