feat(kuma-cp) Admin User Token bootstrap #2923
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Codecov Report
@@ Coverage Diff @@
## master #2923 +/- ##
==========================================
+ Coverage 52.21% 52.29% +0.07%
==========================================
Files 912 913 +1
Lines 52736 52804 +68
==========================================
+ Hits 27538 27612 +74
+ Misses 23004 22993 -11
- Partials 2194 2199 +5
lgtm
Summary
Bootstrap flow for Admin User Token.
We create Admin User Token for the user. The assumption is that if someone has access to Secrets, they have access to user token signing key and can do whatever they want, so we could just as well pregenerate this token for convenience.
Additionally, on Kubernetes, we will disable the localhostIsAdmin setting once we switch to User Token as the default auth mechanism. We can do this since the user can just access the secret directly using kubectl.
On Universal, we cannot do this, because it's expected that the user will extract it using kumactl / API. Therefore what we can do is to log a warning that it is recommended to disable this setting.
I'm considering logging the "bootstrap of Admin User Token is enabled..." message only when Admin User Token is created, but I think it may be useful for every start of CP. What do you think?
Documentation
Testing
Backwards compatibility
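
The trust argument in the summary, as an added Go example that is not code from this pull request or from Kuma: whoever can read the signing key can sign the admin identity themselves, so a pre-generated token stored beside the key grants nothing new, and bootstrap only needs to create it once. The store keys, the `subject.mac` token layout and the use of HMAC-SHA256 are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

func mac(key []byte, subject string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(subject))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Sign issues "<subject>.<mac>"; HMAC-SHA256 is a stand-in, not Kuma's token format.
func Sign(key []byte, subject string) string { return subject + "." + mac(key, subject) }

// Verify returns the subject only if the token was signed with key.
func Verify(key []byte, token string) (string, error) {
	subject, sig, ok := strings.Cut(token, ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(mac(key, subject))) {
		return "", fmt.Errorf("invalid token")
	}
	return subject, nil
}

// Bootstrap fills a hypothetical secret store once; it reports false on later starts.
func Bootstrap(store map[string][]byte) (bool, error) {
	if _, ok := store["admin-token"]; ok {
		return false, nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return false, err
	}
	store["signing-key"] = key
	store["admin-token"] = []byte(Sign(key, "admin"))
	return true, nil
}

func main() {
	store := map[string][]byte{}
	created, _ := Bootstrap(store)
	// Reading the key alone yields the same admin token as the stored one.
	fmt.Println(created, Sign(store["signing-key"], "admin") == string(store["admin-token"]))
}
```

The value returned by `Bootstrap` is what would let a control plane log the creation message only on first start rather than on every start.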