search

rancher / dashboard

The Rancher UI
https://rancher.com
Apache License 2.0
442 stars 243 forks source link

Add support for service account tokens #10402

Open gaktive opened 5 months ago

gaktive commented 5 months ago

Internal reference: SURE-6467

A new feature, taken from the parent backend ticket: https://github.com/rancher/rancher/issues/22417

Many 3rd party integrations available for Kubernetes (e.g. for Gitlab, Vault, Avi, etc.) involve giving an external process access to the Kubernetes API using a native Kubernetes Service Account token for authentication.

Rancher's Auth Proxy currently has no notion of SA tokens and sending any request to the Rancher endpoint that uses such token will result in an auth error, but work is being done to implement this in the backend, so this is the frontend portion.

Expected behaviour:

Ranchers auth proxy should support authentication of requests that specify a Service Account token in the Authorization Bearer header

Updated UI Design/Approach (4th June)

Service Account tokens will need to be configured on a per-cluster basis. For each cluster where this feature is enabled, a ProxyConfig resource will be created. Note: The resource includes a single property of interest enabled - the presence of a ProxyConfig resource with enabled set to false is the same as the ProcyConfig resource not existing.

UI

Add a new list view for the new ProxyConfig resource under the Advanced section of cluster management - name TBD, but suggest Service Account Access:

image

This will show only the clusters for which a ProxyConfig resource exists and is set to be enabled.

Note: The ProxyConfig resource uses the cluster ID to reference a cluster, so we will need to fetch the cluster list and do the mapping, so that the list shows the cluster name and not the ID.

The list should show:

Name | Enabled | Age

Note: Enabled will always be true if shown in the list, so we could chose to show this differently. Name should NOT be a link - there is no value in seeing the underlying ProxyConfig resource, since the only value on it of use if the enabled flag.

You should be able to disable a given row and also bulk disable clusters using the standard table actions.

We should have an info banner at the top of the list page saying something like:

Service Account Token proxying is configured for the clusters listed below

The list page will include a call-to-action button in the top-right, labelled 'Configure' - this gives a screen that can be used to enable proxying for one of more clusters. This could be a modified version of the UX from the original edit design - the multi-select input field where you can choose one or more clusters.

Bonus points:

^^ FYI @kwwii

Original design:

Proposed design workflow: Edit mode: https://xd.adobe.com/view/4eb8efa9-0a4c-447f-81d9-6e3e822bb236-1beb/?fullscreen View mode: https://xd.adobe.com/view/4eb8efa9-0a4c-447f-81d9-6e3e822bb236-1beb/screen/e015bf0c-261f-4efc-b75a-9e2023817183?fullscreen

gaktive commented 3 months ago

https://github.com/rancher/rancher/issues/22417 is the related backend which is now in Working

gaktive commented 2 months ago

https://github.com/rancher/rancher/issues/22417 is now in To Test. Confirming whether UI is now unblocked.

gaktive commented 1 month ago

One thing to make this simpler (per @nwmac): on the configuration page, we could have text that says "This feature needs to be configured on the management server" or something similar without worrying out the link structure or looking up the access rights for the current user (and potentially losing a token if clicking on it).

gaktive commented 1 month ago

This is currently part of the imported cluster wizard.

edenhernandez-suse commented 4 weeks ago

After several discussions, we've revisited the original designs and switched to a table-based solution: Adobe Xd Prototype