Simplify installing and referencing authentication services
Overview
With the changes proposed in #2288, we should have a way to easily deploy and install the standard authentication service for EnMasse service admins. A controller managing the provisioning and installation of the standard authentication service would simplify the work of an EnMasse service admin.
In addition, a service admin might want to be able to control which authentication services are available to a tenant. And the tenant should not have to care about authentication service details such as location of CA cert secrets.
Requirements
- As a service admin, I want to install the standard authentication service independently of the ‘core’ EnMasse system
- As a service admin, I want to configure the authentication services available to the messaging tenant
- As a messaging tenant, I want to list the available authentication services
- As a messaging tenant, I want to reference an authentication service when creating an address space
Design
Installation of standard authentication service
The existing keycloak-controller logic that creates realms in the standard authentication service will be moved to the address-space-controller. The address-space-controller already deals with configuration related to an address space, and is already checking for realm availability in Keycloak.
The keycloak-controller component will be changed to watch StandardAuthenticationService resources, and create the standard authentication service as specified by the resource. Some of the logic of creating keycloak resources already exists, but will now be created based on the creation of a StandardAuthenticationService instead of by default.
Defining authentication services
Tasklist
- Move existing per-address space keycloak-controller logic into address-space-controller
- Create CRD for the StandardAuthenticationService resource and modify keycloak-controller to create deployment and resources needed for keycloak based on it
- Remove standard-authservice templates, and move keycloak-specific templates to a new keycloak-controller that is included in the default install bundles
- Create CRD for the AuthenticationService and have keycloak-controller create that
- Modify address-space-controller to watch AuthenticationService resources and look for them in the AddressSpace definition.
Issue Analytics
- Created 5 years ago
- Comments: 5 (5 by maintainers)
Top GitHub Comments
@rgodfrey, @k-wall,
Now that I’m in the implementation of this, I wonder if it would be better to unify the AuthenticationService and StandardAuthenticationService types. This is to avoid another NoneAuthenticationService type and pollution of the operator UI.
Instead, I’d like to add a type field and per-type properties in the AuthenticationService spec. This will make it easier to manage for the admin I think, and also easier to reconcile the resources. The status field can be used to provide a unified “run-time” view of host, port, certs etc.
Fixed in #2415
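The unified resource discussed in the comments above, sketched as an added Go example that is not code from the issue or from EnMasse: a spec with a type field and per-type properties, and a lookup that turns the name a tenant references into the run-time status. All type names, field names and sample values are hypothetical, and only the "none" and "standard" types named on this page are modelled.

```go
package main

import "fmt"

// All type and field names here are hypothetical, not EnMasse's API.
type Spec struct {
	Type     string         // "none" or "standard"
	Standard *StandardProps // per-type properties; nil unless Type is "standard"
}
type StandardProps struct{ CredentialsSecret string }

// Status is the unified run-time view: host, port and CA cert location.
type Status struct {
	Host, CaCertSecret string
	Port               int
}
type AuthenticationService struct {
	Spec   Spec
	Status Status
}

// Validate rejects unknown types and property blocks that do not match Type.
func Validate(s Spec) error {
	switch {
	case s.Type == "none" && s.Standard == nil:
		return nil
	case s.Type == "standard" && s.Standard != nil && s.Standard.CredentialsSecret != "":
		return nil
	case s.Type == "none" || s.Type == "standard":
		return fmt.Errorf("properties do not match type %q", s.Type)
	}
	return fmt.Errorf("unknown authentication service type %q", s.Type)
}

// Resolve fails closed when the referenced service is not offered, invalid, or not ready.
func Resolve(name string, offered map[string]AuthenticationService) (Status, error) {
	svc, ok := offered[name]
	if !ok {
		return Status{}, fmt.Errorf("authentication service %q is not available", name)
	}
	if err := Validate(svc.Spec); err != nil {
		return Status{}, err
	}
	if st := svc.Status; st.Host == "" || st.Port <= 0 || st.CaCertSecret == "" {
		return Status{}, fmt.Errorf("authentication service %q is not ready", name)
	}
	return svc.Status, nil
}

func main() { // constructed sample data
	svc := AuthenticationService{Spec{"none", nil}, Status{"auth.example.svc", "auth-ca", 5671}}
	fmt.Println(Resolve("none-authservice", map[string]AuthenticationService{"none-authservice": svc}))
}
```

The tenant supplies only a name; the CA cert secret location comes from the status, and a service the admin has not offered never resolves.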