rancher / rancher-docs

Rancher Documentation
https://ranchermanager.docs.rancher.com/
Apache License 2.0

Support authentication with service account tokens #1373

Open samjustus opened 1 month ago

samjustus commented 1 month ago

Related Issues

https://github.com/rancher/rancher/issues/22417
https://jira.suse.com/browse/SURE-2476

Summary

Rancher's auth proxy can now support authentication of requests that specify a Service Account token in the Authorization Bearer header.

Details

samjustus commented 1 month ago

@crobby to add more details

LucasSaintarbor commented 1 month ago

@crobby @samjustus Do you have more details/screenshots you can share about this feature and what should be added to the docs? Should info about this feature live under https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/manage-clusters?

As of 2.9, will this be the only way to enable JWT Authentication (Service Account Authentication) for a cluster?

  1. Go to Cluster Management
  2. Go to Advanced and select JWT Authentication
  3. Select cluster > click Enable

crobby commented 1 month ago

I don't have any additional screenshots... the feature is pretty minimal UI-wise.

I'm not sure if this belongs under "new user guides". I say that because this isn't really a basic/intro feature that would likely be of use to new users. That being said, I'm not sure where the best fit would be.

In addition to being able to configure this through the UI, it is also possible to manually create a ClusterProxyConfig object in the target cluster's namespace on the local cluster to enable/disable the feature, but I'm not sure we want/need to document that approach.

crobby commented 1 month ago

@LucasSaintarbor Is there any additional content you need from me for this? Are you taking care of adding the docs?

crobby commented 1 month ago

A little more info/context that you may or may not have:

JWT Authentication is also known as Service Account Token Authentication.

This feature, when enabled, lets a user set up a downstream cluster to support authentication, through Rancher, of tokens that are created for a service account that exists on a downstream cluster (those tokens are in the form of a JWT).

Prior to this feature, Rancher would reject such requests because Rancher would only support Rancher-issued tokens (which are NOT JWTs). Some users worked around this limitation by issuing those requests directly to the downstream cluster, rather than relying on Rancher's auth/security. With this feature enabled, users no longer have to work around Rancher.

A common use case for this is to enable integration of secret vault solutions (like HashiCorp Vault). You can see the original rancher/rancher issue for more details: https://github.com/rancher/rancher/issues/22417.
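An added example, not part of this issue thread or of Rancher's own tooling, showing the two token shapes the comment above contrasts (a Rancher-issued token versus a downstream service-account JWT) and the request flow the feature enables: a short-lived service-account token minted on the downstream cluster and sent through Rancher instead of straight to the downstream API server. Assumed: RANCHER_HOST and CLUSTER_ID variables, a vault/vault-auth service account, a kubectl context on the downstream cluster, and that Rancher's downstream proxy path is /k8s/clusters/<cluster-id>.

```shell
#!/bin/sh
# Added example (not from the rancher-docs thread). Assumes: RANCHER_HOST, CLUSTER_ID,
# a kubectl context pointing at the downstream cluster, and a service account
# vault-auth in namespace vault whose requests should go through Rancher.

# Decode one base64url JWT segment (re-adds the padding that JWTs omit).
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Classify what sits in the Authorization: Bearer header.
# Rancher-issued tokens have the shape "token-xxxxx:<secret>" and are not JWTs;
# a service-account token is a three-segment JWT (header.payload.signature).
token_kind() {
  case "$1" in
    token-*:*) echo rancher ;;
    *.*.*)     echo jwt ;;
    *)         echo unknown ;;
  esac
}

# Print the claims of a service-account JWT (payload only; the signature is NOT
# verified here, Rancher and the downstream API server do that). Useful when
# confirming which namespace/service account a request will be attributed to.
sa_token_claims() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload"
}

# Rancher's proxy path for a downstream cluster (assumed from Rancher's usual layout).
rancher_proxy_url() {
  printf 'https://%s/k8s/clusters/%s%s' "$1" "$2" "$3"
}

# Constructed sample JWT (unsigned) with the claim shape Kubernetes issues for SA tokens.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_PAYLOAD='{"iss":"https://kubernetes.default.svc.cluster.local","sub":"system:serviceaccount:vault:vault-auth","exp":1893456000}'
SAMPLE_JWT="$(printf '%s' '{"alg":"RS256","kid":"constructed"}' | b64url).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url).c2ln"

if [ "${RUN_LIVE:-0}" = 1 ]; then
  # Live flow: mint a short-lived bound token on the downstream cluster, then send it
  # through Rancher's proxy rather than directly to the downstream API server.
  TOKEN=$(kubectl create token vault-auth -n vault --duration=10m)
  echo "token kind: $(token_kind "$TOKEN")"; sa_token_claims "$TOKEN"; echo
  curl -sS -H "Authorization: Bearer $TOKEN" \
    "$(rancher_proxy_url "$RANCHER_HOST" "$CLUSTER_ID" /api/v1/namespaces/vault/secrets)"
fi
```

Run with RUN_LIVE=1 to execute the kubectl/curl flow; without it the script only defines the helpers and the constructed sample token.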

LucasSaintarbor commented 1 month ago

@crobby Thanks for sharing more info! I opened https://github.com/rancher/rancher-docs/pull/1402. I'll follow up with questions there.

martyav commented 4 weeks ago

There was a child ticket associated with the Jira, which proposed updating the general FAQ page as well. Re-opened as we still need to address it.

martyav commented 4 weeks ago

I can take on the task and create a PR.