Open gaktive opened 5 months ago
https://github.com/rancher/rancher/issues/22417 is the related backend which is now in Working
https://github.com/rancher/rancher/issues/22417 is now in To Test. Confirming whether UI is now unblocked.
One thing to make this simpler (per @nwmac): on the configuration page, we could have text that says "This feature needs to be configured on the management server" or something similar without worrying out the link structure or looking up the access rights for the current user (and potentially losing a token if clicking on it).
This is currently part of the imported cluster wizard.
After several discussions, we've revisited the original designs and switched to a table-based solution: Adobe Xd Prototype
Internal reference: SURE-6467
A new feature, taken from the parent backend ticket: https://github.com/rancher/rancher/issues/22417
Many 3rd party integrations available for Kubernetes (e.g. for Gitlab, Vault, Avi, etc.) involve giving an external process access to the Kubernetes API using a native Kubernetes Service Account token for authentication.
Rancher's Auth Proxy currently has no notion of SA tokens and sending any request to the Rancher endpoint that uses such token will result in an auth error, but work is being done to implement this in the backend, so this is the frontend portion.
Expected behaviour:
Ranchers auth proxy should support authentication of requests that specify a Service Account token in the Authorization Bearer header
Updated UI Design/Approach (4th June)
Service Account tokens will need to be configured on a per-cluster basis. For each cluster where this feature is enabled, a
ProxyConfig
resource will be created. Note: The resource includes a single property of interestenabled
- the presence of a ProxyConfig resource withenabled
set to false is the same as the ProcyConfig resource not existing.UI
Add a new list view for the new
ProxyConfig
resource under theAdvanced
section of cluster management - name TBD, but suggestService Account Access
:This will show only the clusters for which a
ProxyConfig
resource exists and is set to beenabled
.Note: The
ProxyConfig
resource uses the cluster ID to reference a cluster, so we will need to fetch the cluster list and do the mapping, so that the list shows the cluster name and not the ID.The list should show:
Name | Enabled | Age
Note: Enabled will always be true if shown in the list, so we could chose to show this differently. Name should NOT be a link - there is no value in seeing the underlying
ProxyConfig
resource, since the only value on it of use if theenabled
flag.You should be able to disable a given row and also bulk disable clusters using the standard table actions.
We should have an info banner at the top of the list page saying something like:
Service Account Token proxying is configured for the clusters listed below
The list page will include a call-to-action button in the top-right, labelled 'Configure' - this gives a screen that can be used to enable proxying for one of more clusters. This could be a modified version of the UX from the original edit design - the multi-select input field where you can choose one or more clusters.
Bonus points:
Add a banner to the cluster creation screen in the Advanced tab saying that Service Account Token proxying can be configured after cluster creation from
Cluster Management > Advanced > Service Account Access
.Enhance the cluster detail screen to show a message/status at the top if Service Account Token proxying has been enabled for the cluster
Future: We could allow this to be enabled at cluster creation time, if we are able to create the cluster and then get the ID and be able to create the resource needed (need to check backend has created the namespace for the cluster)
^^ FYI @kwwii
Original design:
Proposed design workflow: Edit mode: https://xd.adobe.com/view/4eb8efa9-0a4c-447f-81d9-6e3e822bb236-1beb/?fullscreen View mode: https://xd.adobe.com/view/4eb8efa9-0a4c-447f-81d9-6e3e822bb236-1beb/screen/e015bf0c-261f-4efc-b75a-9e2023817183?fullscreen