Simplify installing and referencing authentication services
With the changes proposed in #2288, we should have a way to easily deploy and install the standard authentication service for EnMasse service admins. A controller managing the provisioning and installation of the standard authentication service would simplify the work of an EnMasse service admin.
In addition, a service admin might want to be able to control which authentication services are available to a tenant. And the tenant should not have to care about authentication service details such as location of CA cert secrets.
- As a service admin, I want to install the standard authentication service independently of the ‘core’ EnMasse system
- As a service admin, I want to configure the authentication services available to the messaging tenant
- As a messaging tenant, I want to list the available authentication services
- As a messaging tenant, I want to reference an authentication service when creating an address space
Installation of standard authentication service
keycloak-controller logic that creates realms in the standard authentication service will be moved to the address-space-controller. The address-space-controller already deals with configuration related to an address space, and is already checking for realm availability in Keycloak.
keycloak-controller component will be changed to watch StandardAuthenticationService resources, and create the standard authentication service as specified by the resource. Some of the logic of creating keycloak resources already exists, but will now be created based on the creation of a StandardAuthenticationService instead of by default.
Defining authentication services
- Move existing per-address space keycloak-controller logic into
- Create CRD for the StandardAuthenticationService resource and modify keycloak-controller to create deployment and resources needed for keycloak based on it
- Remove standard-authservice templates, and move keycloak-specific templates to a new keycloak-controller that is included in the default install bundles
- Create CRD for the AuthenticationService and have keycloak-controller create that AuthenticationService resources and look for them in the
Top GitHub Comments
Now that I’m in the implementation of this, I wonder if it would be better to unify the AuthenticationService and StandardAuthenticationService types. This is to avoid another NoneAuthenticationService type and pollution of the operator UI.
Instead, I’d like to add a type field and per-type properties in the AuthenticationService spec. This will make it easier to manage for the admin I think, and also easier to reconcile the resources. The status field can be used to provide a unified “run-time” view of host, port, certs etc.