ContainerImage.Pinniped/site/content/docs/img/pinniped-concierge-supervis...

<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" contentScriptType="application/ecmascript" contentStyleType="text/css" height="1115px" preserveAspectRatio="none" style="width:1570px;height:1115px;" version="1.1" viewBox="0 0 1570 1115" width="1570px" zoomAndPan="magnify"><defs><filter height="300%" id="fazmj0hiken0e" width="300%" x="-1" y="-1"><feGaussianBlur result="blurOut" stdDeviation="2.0"/><feColorMatrix in="blurOut" result="blurOut2" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .4 0"/><feOffset dx="4.0" dy="4.0" in="blurOut2" result="blurOut3"/><feBlend in="SourceGraphic" in2="blurOut3" mode="normal"/></filter></defs><g><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="461.5" x="64.5" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="96" x="247.25" y="18.0669">Workstation</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="146" x="795" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="140" x="798" y="18.0669">Supervisor Cluster</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="141" x="1017" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="135" x="1020" y="18.0669">Concierge Cluster</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="156" x="1333.5" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="150" x="1336.5" y="18.0669">Corporate Network</text><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="23" x2="23" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="106.5" x2="106.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="191.5" x2="191.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="468" x2="468" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="867.5" x2="867.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="1087" x2="1087" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="1411.5" x2="1411.5" y1="88.2969" y2="1022.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="31" x="5" y="84.9951">User</text><ellipse cx="23.5" cy="15" fill="#FEFECE" filter="url(#fazmj0hiken0e)" rx="8" ry="8" style="stroke:#A80036;stroke-width:2.0;"/><path d="M23.5,23 L23.5,50 M10.5,31 L36.5,31 M23.5,50 L10.5,65 M23.5,50 L36.5,65 " fill="none" filter="url(#fazmj0hiken0e)" style="stroke:#A80036;stroke-width:2.0;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="31" x="5" y="1034.75">User</text><ellipse cx="23.5" cy="1048.0517" fill="#FEFECE" filter="url(#fazmj0hiken0e)" rx="8" ry="8" style="stroke:#A80036;stroke-width:2.0;"/><path d="M23.5,1056.0517 L23.5,1083.0517 M10.5,1064.0517 L36.5,1064.0517 M23.5,1083.0517 L10.5,1098.0517 M23.5,1083.0517 L36.5,1098.0517 " fill="none" filter="url(#fazmj0hiken0e)" style="stroke:#A80036;stroke-width:2.0;"/><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="72" x="68.5" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="58" x="75.5" y="72.9951">Browser</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="72" x="68.5" y="1021.7549"/><text fill="#000000" font-f
@startuml
actor User

box "Workstation"
participant Browser
participant Kubectl
participant "Pinniped CLI"
end box

box "Supervisor Cluster"
participant Pinniped as sp
end box

box "Concierge Cluster"
participant Pinniped as wp
end box

box "Corporate Network"
participant "OIDC IDP" as IDP
end box

User -> Kubectl: kubectl get pods
Kubectl -> "Pinniped CLI" : get credential for cluster authentication
"Pinniped CLI" -> "Pinniped CLI": starts localhost listener
"Pinniped CLI" -> User: "open browser to URL X"
User -> Browser: clicks link
Browser -> sp : ""GET https://supervisor.com/oauth2/authorize""
sp -> Browser: 302 to IDP ""/authorize?redirect_uri=https://supervisor.com/callback""
Browser -> IDP: ""GET /authorize?redirect_uri=https://supervisor.com/callback""
IDP -> IDP: IDP authenticates user
IDP -> Browser: 302 to ""https://supervisor.com/callback""
Browser -> sp: ""GET https://supervisor.com/callback""
sp -> IDP: ""POST /token""
IDP -> sp: access token, ID token, refresh token
sp -> Browser: 302 to ""http://localhost:1234/callback""
Browser -> "Pinniped CLI": ""GET http://localhost:1234/callback""
"Pinniped CLI" -> sp: ""POST https://supervisor.com/oauth2/token""
sp -> sp: lookup auth code
sp -> sp: issue refresh token
sp -> sp: issue ID+access tokens
sp -> "Pinniped CLI": refresh+access+ID tokens
"Pinniped CLI" -> sp: ""POST /oauth2/token"" (w/ access token per RFC8693)
sp -> "Pinniped CLI": cluster-specific ID token
"Pinniped CLI" -> wp: create TokenCredentialRequest (w/ cluster-specific ID token)
wp -> "Pinniped CLI": cluster-specific certificate and key
"Pinniped CLI" -> Kubectl: cluster-specific certificate and key
Kubectl -> wp : ""GET /api/v1/pods""
wp -> wp : Glean user and group information from\ncluster-specific credential
wp -> Kubectl : ""200 OK"" with pods
@enduml

PlantUML version 1.2020.24beta4(Unknown compile time)
(GPL source distribution)
Java Runtime: Java(TM) SE Runtime Environment
JVM: Java HotSpot(TM) 64-Bit Server VM
Default Encoding: UTF-8
Language: en
Country: US
--></g></svg>
site/content/docs/architecture.md: another coat of paint with Supervisor updates Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-18 14:39:36 +00:00			<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" contentScriptType="application/ecmascript" contentStyleType="text/css" height="1115px" preserveAspectRatio="none" style="width:1570px;height:1115px;" version="1.1" viewBox="0 0 1570 1115" width="1570px" zoomAndPan="magnify"><defs><filter height="300%" id="fazmj0hiken0e" width="300%" x="-1" y="-1"><feGaussianBlur result="blurOut" stdDeviation="2.0"/><feColorMatrix in="blurOut" result="blurOut2" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .4 0"/><feOffset dx="4.0" dy="4.0" in="blurOut2" result="blurOut3"/><feBlend in="SourceGraphic" in2="blurOut3" mode="normal"/></filter></defs><g><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="461.5" x="64.5" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="96" x="247.25" y="18.0669">Workstation</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="146" x="795" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="140" x="798" y="18.0669">Supervisor Cluster</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="141" x="1017" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="135" x="1020" y="18.0669">Concierge Cluster</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="156" x="1333.5" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="150" x="1336.5" y="18.0669">Corporate Network</text><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="23" x2="23" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="106.5" x2="106.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="191.5" x2="191.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="468" x2="468" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="867.5" x2="867.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="1087" x2="1087" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="1411.5" x2="1411.5" y1="88.2969" y2="1022.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="31" x="5" y="84.9951">User</text><ellipse cx="23.5" cy="15" fill="#FEFECE" filter="url(#fazmj0hiken0e)" rx="8" ry="8" style="stroke:#A80036;stroke-width:2.0;"/><path d="M23.5,23 L23.5,50 M10.5,31 L36.5,31 M23.5,50 L10.5,65 M23.5,50 L36.5,65 " fill="none" filter="url(#fazmj0hiken0e)" style="stroke:#A80036;stroke-width:2.0;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="31" x="5" y="1034.75">User</text><ellipse cx="23.5" cy="1048.0517" fill="#FEFECE" filter="url(#fazmj0hiken0e)" rx="8" ry="8" style="stroke:#A80036;stroke-width:2.0;"/><path d="M23.5,1056.0517 L23.5,1083.0517 M10.5,1064.0517 L36.5,1064.0517 M23.5,1083.0517 L10.5,1098.0517 M23.5,1083.0517 L36.5,1098.0517 " fill="none" filter="url(#fazmj0hiken0e)" style="stroke:#A80036;stroke-width:2.0;"/><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="72" x="68.5" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="58" x="75.5" y="72.9951">Browser</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="72" x="68.5" y="1021.7549"/><text fill="#000000" font-f
			`@startuml`
			`actor User`

			`box "Workstation"`
			`participant Browser`
			`participant Kubectl`
			`participant "Pinniped CLI"`
			`end box`

			`box "Supervisor Cluster"`
			`participant Pinniped as sp`
			`end box`

			`box "Concierge Cluster"`
			`participant Pinniped as wp`
			`end box`

			`box "Corporate Network"`
			`participant "OIDC IDP" as IDP`
			`end box`

			`User -> Kubectl: kubectl get pods`
			`Kubectl -> "Pinniped CLI" : get credential for cluster authentication`
			`"Pinniped CLI" -> "Pinniped CLI": starts localhost listener`
			`"Pinniped CLI" -> User: "open browser to URL X"`
			`User -> Browser: clicks link`
			`Browser -> sp : ""GET https://supervisor.com/oauth2/authorize""`
			`sp -> Browser: 302 to IDP ""/authorize?redirect_uri=https://supervisor.com/callback""`
			`Browser -> IDP: ""GET /authorize?redirect_uri=https://supervisor.com/callback""`
			`IDP -> IDP: IDP authenticates user`
			`IDP -> Browser: 302 to ""https://supervisor.com/callback""`
			`Browser -> sp: ""GET https://supervisor.com/callback""`
			`sp -> IDP: ""POST /token""`
			`IDP -> sp: access token, ID token, refresh token`
			`sp -> Browser: 302 to ""http://localhost:1234/callback""`
			`Browser -> "Pinniped CLI": ""GET http://localhost:1234/callback""`
			`"Pinniped CLI" -> sp: ""POST https://supervisor.com/oauth2/token""`
			`sp -> sp: lookup auth code`
			`sp -> sp: issue refresh token`
			`sp -> sp: issue ID+access tokens`
			`sp -> "Pinniped CLI": refresh+access+ID tokens`
			`"Pinniped CLI" -> sp: ""POST /oauth2/token"" (w/ access token per RFC8693)`
			`sp -> "Pinniped CLI": cluster-specific ID token`
			`"Pinniped CLI" -> wp: create TokenCredentialRequest (w/ cluster-specific ID token)`
			`wp -> "Pinniped CLI": cluster-specific certificate and key`
			`"Pinniped CLI" -> Kubectl: cluster-specific certificate and key`
			`Kubectl -> wp : ""GET /api/v1/pods""`
			`wp -> wp : Glean user and group information from\ncluster-specific credential`
			`wp -> Kubectl : ""200 OK"" with pods`
			`@enduml`

			`PlantUML version 1.2020.24beta4(Unknown compile time)`
			`(GPL source distribution)`
			`Java Runtime: Java(TM) SE Runtime Environment`
			`JVM: Java HotSpot(TM) 64-Bit Server VM`
			`Default Encoding: UTF-8`
			`Language: en`
			`Country: US`
			`--></g></svg>`