Open simenon opened 1 month ago
When using an external token authentication and you want to supply the keys also externally, then the keys need to be mounted and the internal mount path of the pod should be declared.
The external token server will need to be fully compatible with Pulp's RBAC and will have to be able to access Pulp's database. Currently, I am not aware of such a server. I consider this part to be superfluous.
The instructions at https://pulpproject.org/pulp_container/docs/admin/learn/authentication/ do not make it fully clear that you can set up a fully working token authentication with the default pulp pod.
I suggest improving the documentation (https://pulpproject.org/pulp_container/docs/admin/learn/authentication/#token-authentication) by adding the complete instructions for setting it up with the internal authentication server provided by the Django framework.
In essence, it comes down to changing (or adding) the following in the settings:
The above will redirect token requests to the Pulp internal token authentication, and also uses the out-of-the-box, already configured certificates at their internal path.
Also to note, and perhaps to improve: when using an external token authentication and you want to supply the keys externally as well, the keys need to be mounted and the internal mount path of the pod should be declared.
The example below silently assumes that /tmp is accessible, but that is not the default case when running Pulp in a pod.
Further down, there is also the command

```
http --auth-type=jwt --auth=<TOKEN> https://puffy.example.com/v2/
```

To get this working you must have executed first

```
pip install httpie-jwt-auth
```

I can assume this is beyond the scope of the example, but it saves an online search for the package by the user.