
Simplify installing and referencing authentication services


Overview

With the changes proposed in #2288, we should have a way to easily deploy and install the standard authentication service for EnMasse service admins. A controller managing the provisioning and installation of the standard authentication service would simplify the work of an EnMasse service admin.

In addition, a service admin might want to be able to control which authentication services are available to a tenant. And the tenant should not have to care about authentication service details such as location of CA cert secrets.

Requirements

  • As a service admin, I want to install the standard authentication service independently of the ‘core’ EnMasse system
  • As a service admin, I want to configure the authentication services available to the messaging tenant
  • As a messaging tenant, I want to list the available authentication services
  • As a messaging tenant, I want to reference an authentication service when creating an address space

Design

Installation of standard authentication service

Design doc: https://github.com/EnMasseProject/enmasse/blob/01255db111ec553a0fdbd575d51c62634f47cf1c/documentation/design/proposals/auth-service-controller.adoc

The existing keycloak-controller logic that creates realms in the standard authentication service will be moved to the address-space-controller. The address-space-controller already deals with configuration related to an address space, and is already checking for realm availability in Keycloak.

The keycloak-controller component will be changed to watch StandardAuthenticationService resources, and create the standard authentication service as specified by the resource. Some of the logic of creating keycloak resources already exists, but will now be created based on the creation of a StandardAuthenticationService instead of by default.

Defining authentication services

Design doc: https://github.com/EnMasseProject/enmasse/blob/01255db111ec553a0fdbd575d51c62634f47cf1c/documentation/design/proposals/auth-service-resource.adoc

Tasklist

  • Move existing per-address space keycloak-controller logic into address-space-controller
  • Create CRD for the StandardAuthenticationService resource and modify keycloak-controller to create deployment and resources needed for keycloak based on it
  • Remove standard-authservice templates, and move keycloak-specific templates to a new keycloak-controller that is included in the default install bundles
  • Create CRD for the AuthenticationService and have keycloak-controller create that
  • Modify address-space-controller to watch AuthenticationService resources and look for them in the AddressSpace definition.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

lulf commented, Mar 6, 2019

@rgodfrey, @k-wall,

Now that I’m in the implementation of this, I wonder if it would be better to unify the AuthenticationService and StandardAuthenticationService types. This is to avoid another NoneAuthenticationService type and pollution of the operator UI.

Instead, I’d like to add a type field and per-type properties in the AuthenticationService spec. This will make it easier to manage for the admin I think, and also easier to reconcile the resources. The status field can be used to provide a unified “run-time” view of host, port, certs etc.

lulf commented, Mar 15, 2019

Fixed in #2415
