kumahq / kuma

🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.
https://kuma.io/install
Apache License 2.0

make it clear that zone and user tokens can be issued only on Global #10370

Open lahabana opened 5 months ago

lahabana commented 5 months ago

Description

A few

jakubdyszkiewicz commented 5 months ago

Is it not clear here? https://kuma.io/docs/2.7.x/production/cp-deployment/zoneproxy-auth/#multi-zone

Multi-zone
When running in multi-zone mode, we can generate zone tokens only on the global control plane. The zone control plane only has a public key of a signing key to verify tokens.

https://kuma.io/docs/2.7.x/production/secure-deployment/api-server-auth/#multizone

Multizone
In a multizone setup, users execute a majority of actions on the global control plane. However, some actions like generating dataplane tokens are available on the zone control plane. The global control plane doesn’t propagate authentication credentials to the zone control plane. You can set up consistent user tokens across the whole setup by manually copying signing key from global to zone control planes.

lahabana commented 5 months ago

Triage: moving this to kuma. The error returned by the server should explain that in federated mode these types of tokens can only be issued on Global

github-actions[bot] commented 2 months ago

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.
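
The split described in the quoted docs (signing key on global, public key only on the zone) and the descriptive error the triage comment asks for, as an added example that is not part of the thread and not Kuma's code. `ControlPlane`, `NewPair`, `ErrIssueOnZone` and the error wording are hypothetical, the claims are constructed, and a bare RSA signature stands in for the real token format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrIssueOnZone is a hypothetical error with the wording the triage comment asks for.
var ErrIssueOnZone = errors.New("in a multi-zone deployment this token can only be issued on the global control plane: this zone control plane holds only the public half of the signing key")

// ControlPlane is a simplified stand-in (assumption), not a Kuma type.
type ControlPlane struct {
	Priv *rsa.PrivateKey // nil on a zone control plane
	Pub  *rsa.PublicKey
}

// Issue signs the claims; without the private key it fails with a descriptive error.
func (cp *ControlPlane) Issue(claims string) ([]byte, error) {
	if cp.Priv == nil {
		return nil, ErrIssueOnZone
	}
	sum := sha256.Sum256([]byte(claims))
	return rsa.SignPKCS1v15(rand.Reader, cp.Priv, crypto.SHA256, sum[:])
}

// Verify needs only the public key, so it works on global and zone alike.
func (cp *ControlPlane) Verify(claims string, sig []byte) error {
	sum := sha256.Sum256([]byte(claims))
	return rsa.VerifyPKCS1v15(cp.Pub, crypto.SHA256, sum[:], sig)
}

func NewPair() (global, zone *ControlPlane) { // the zone receives the public key only
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no usable entropy source
	}
	return &ControlPlane{Priv: key, Pub: &key.PublicKey}, &ControlPlane{Pub: &key.PublicKey}
}

func main() {
	const claims = `{"zone":"zone-1","scope":["egress"]}` // constructed sample claims
	global, zone := NewPair()
	sig, _ := global.Issue(claims)
	_, err := zone.Issue(claims)
	fmt.Println("zone verifies:", zone.Verify(claims, sig) == nil, "| zone issues:", err)
}
```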