djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixing documentation to reference 1.20 generated docs

Browse Source
This commit is contained in:
Margo Crawford 2021-01-08 15:21:23 -08:00
parent 9051342d6d
commit 2686031ac1
3 changed files with 17 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -26,12 +26,12 @@ with IDPs, and distribution-specific integration strategies.
The Pinniped Supervisor component offers identity federation to enable a user to The Pinniped Supervisor component offers identity federation to enable a user to
access multiple clusters with a single daily login to their external IDP. The access multiple clusters with a single daily login to their external IDP. The
Pinniped Supervisor supports various external [IDP Pinniped Supervisor supports various external [IDP
types](https://github.com/vmware-tanzu/pinniped/tree/main/generated/1.19#k8s-api-idp-supervisor-pinniped-dev-v1alpha1). types](https://github.com/vmware-tanzu/pinniped/tree/main/generated/1.20#k8s-api-idp-supervisor-pinniped-dev-v1alpha1).
The Pinniped Concierge component offers credential exchange to enable a user to The Pinniped Concierge component offers credential exchange to enable a user to
exchange an external credential for a short-lived, cluster-specific exchange an external credential for a short-lived, cluster-specific
credential. Pinniped supports various [authentication credential. Pinniped supports various [authentication
methods](https://github.com/vmware-tanzu/pinniped/tree/main/generated/1.19#authenticationconciergepinnipeddevv1alpha1) methods](https://github.com/vmware-tanzu/pinniped/tree/main/generated/1.20#authenticationconciergepinnipeddevv1alpha1)
and implements different integration strategies for various Kubernetes and implements different integration strategies for various Kubernetes
distributions to make authentication possible. distributions to make authentication possible.

13
site/content/docs/architecture.md
View File

@ -46,7 +46,7 @@ Pinniped supports the following IDPs.
[Okta](https://www.okta.com/)). [Okta](https://www.okta.com/)).
The The
[`idp.supervisor.pinniped.dev`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-idp-supervisor-pinniped-dev-v1alpha1) [`idp.supervisor.pinniped.dev`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-idp-supervisor-pinniped-dev-v1alpha1)
API group contains the Kubernetes custom resources that configure the Pinniped API group contains the Kubernetes custom resources that configure the Pinniped
Supervisor's upstream IDPs. Supervisor's upstream IDPs.
@ -81,7 +81,7 @@ Pinniped supports the following authenticator types.
set on the `kube-apiserver` process. set on the `kube-apiserver` process.
The The
[`authentication.concierge.pinniped.dev`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-authentication-concierge-pinniped-dev-v1alpha1) [`authentication.concierge.pinniped.dev`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-authentication-concierge-pinniped-dev-v1alpha1)
API group contains the Kubernetes custom resources that configure the Pinniped API group contains the Kubernetes custom resources that configure the Pinniped
Concierge's authenticators. Concierge's authenticators.
@ -112,7 +112,7 @@ Users may use the Pinniped CLI as the credential plugin, or they may use any pro
built with the [Pinniped Go client library](https://github.com/vmware-tanzu/pinniped/tree/main/generated). built with the [Pinniped Go client library](https://github.com/vmware-tanzu/pinniped/tree/main/generated).
## Pinniped Deployment Strategies ## Pinniped Deployment Strategies
Pinniped can be configured to authenticate users in a variety of scenarios. Pinniped can be configured to authenticate users in a variety of scenarios.
Depending on the use case, administrators can deploy the Supervisor, the Concierge, Depending on the use case, administrators can deploy the Supervisor, the Concierge,
both, or neither. both, or neither.
@ -121,7 +121,7 @@ both, or neither.
Users can authenticate with the help of the Supervisor, which will issue tokens that Users can authenticate with the help of the Supervisor, which will issue tokens that
can be exchanged at the Concierge for a credential that is understood by the host Kubernetes can be exchanged at the Concierge for a credential that is understood by the host Kubernetes
cluster. cluster.
The Supervisor enables users to log in to their external identity provider The Supervisor enables users to log in to their external identity provider
once per day and access each cluster in a domain with a distinct scoped-down token. once per day and access each cluster in a domain with a distinct scoped-down token.
@ -143,7 +143,7 @@ Users can authenticate directly with their OIDC compliant external identity prov
can be exchanged at the Concierge for a credential that is understood by the host Kubernetes can be exchanged at the Concierge for a credential that is understood by the host Kubernetes
cluster. cluster.
The diagram below shows the components involved in the login flow when the Concierge is The diagram below shows the components involved in the login flow when the Concierge is
configured. configured.
![concierge-with-webhook-architecture-diagram](/docs/img/pinniped_architecture_concierge_webhook.svg) ![concierge-with-webhook-architecture-diagram](/docs/img/pinniped_architecture_concierge_webhook.svg)
@ -156,7 +156,7 @@ that obtains an external credential to be sent to a webhook authenticator via th
### Static Cluster Integration-- Supervisor and CLI ### Static Cluster Integration-- Supervisor and CLI
Users can authenticate with the help of the Supervisor, which will issue tokens that Users can authenticate with the help of the Supervisor, which will issue tokens that
can be given directly to a Kubernetes API Server that has been configured with can be given directly to a Kubernetes API Server that has been configured with
[OIDC Authentication.](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) [OIDC Authentication.](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens)
The Supervisor enables users to log in to their external identity provider The Supervisor enables users to log in to their external identity provider
once per day and access each cluster in a domain with a distinct scoped-down token. once per day and access each cluster in a domain with a distinct scoped-down token.
@ -166,4 +166,3 @@ once per day and access each cluster in a domain with a distinct scoped-down tok
Users can authenticate directly with their OIDC compliant external identity provider to get credentials Users can authenticate directly with their OIDC compliant external identity provider to get credentials
that can be given directly to a Kubernetes API Server that has been configured with that can be given directly to a Kubernetes API Server that has been configured with
[OIDC Authentication.](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) [OIDC Authentication.](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens)

18
site/content/docs/concierge-and-supervisor-demo.md
View File

@ -26,14 +26,14 @@ for a more specific example, including the commands to use for that case.
1. Install the Pinniped Supervisor. See [deploy/supervisor/README.md](https://github.com/vmware-tanzu/pinniped/blob/main/deploy/supervisor/README.md). 1. Install the Pinniped Supervisor. See [deploy/supervisor/README.md](https://github.com/vmware-tanzu/pinniped/blob/main/deploy/supervisor/README.md).
1. Create a 1. Create a
[`FederationDomain`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-federationdomain) [`FederationDomain`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-federationdomain)
via the installed Pinniped Supervisor. via the installed Pinniped Supervisor.
1. Create an 1. Create an
[`OIDCIdentityProvider`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityprovider) [`OIDCIdentityProvider`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityprovider)
via the installed Pinniped Supervisor. via the installed Pinniped Supervisor.
1. Install the Pinniped Concierge. See [deploy/concierge/README.md](https://github.com/vmware-tanzu/pinniped/blob/main/deploy/concierge/README.md). 1. Install the Pinniped Concierge. See [deploy/concierge/README.md](https://github.com/vmware-tanzu/pinniped/blob/main/deploy/concierge/README.md).
1. Create a 1. Create a
[`JWTAuthenticator`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticator) [`JWTAuthenticator`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticator)
via the installed Pinniped Concierge. via the installed Pinniped Concierge.
1. Download the Pinniped CLI from [Pinniped's github Releases page](https://github.com/vmware-tanzu/pinniped/releases/latest). 1. Download the Pinniped CLI from [Pinniped's github Releases page](https://github.com/vmware-tanzu/pinniped/releases/latest).
1. Generate a kubeconfig using the Pinniped CLI. Run `pinniped get kubeconfig --help` for more information. 1. Generate a kubeconfig using the Pinniped CLI. Run `pinniped get kubeconfig --help` for more information.
@ -48,7 +48,7 @@ non-production clusters.
The following steps will deploy the latest release of Pinniped on kind. It will deploy the Pinniped The following steps will deploy the latest release of Pinniped on kind. It will deploy the Pinniped
Supervisor on one cluster, and the Pinniped Concierge on another cluster. A multi-cluster deployment Supervisor on one cluster, and the Pinniped Concierge on another cluster. A multi-cluster deployment
strategy is typical for Pinniped. The Pinniped Concierge will use a strategy is typical for Pinniped. The Pinniped Concierge will use a
[`JWTAuthenticator`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticator) [`JWTAuthenticator`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticator)
to authenticate federated identities from the Supervisor. to authenticate federated identities from the Supervisor.
1. Install the tools required for the following steps. 1. Install the tools required for the following steps.
@ -77,7 +77,7 @@ to authenticate federated identities from the Supervisor.
This demo uses a `Secret` named `my-federation-domain-tls` to provide the serving certificate for This demo uses a `Secret` named `my-federation-domain-tls` to provide the serving certificate for
the the
[`FederationDomain`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-federationdomain). The [`FederationDomain`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-federationdomain). The
serving certificate `Secret` must be of type `kubernetes.io/tls`. serving certificate `Secret` must be of type `kubernetes.io/tls`.
The CA bundle for this serving The CA bundle for this serving
@ -85,7 +85,7 @@ to authenticate federated identities from the Supervisor.
`/tmp/pinniped-supervisor-ca-bundle-base64-encoded.pem`. `/tmp/pinniped-supervisor-ca-bundle-base64-encoded.pem`.
1. Create a 1. Create a
[`FederationDomain`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-federationdomain) [`FederationDomain`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-federationdomain)
object to configure the Pinniped Supervisor to issue federated identities. object to configure the Pinniped Supervisor to issue federated identities.
```bash ```bash
@ -114,7 +114,7 @@ to authenticate federated identities from the Supervisor.
``` ```
1. Create an 1. Create an
[`OIDCIdentityProvider`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityprovider) [`OIDCIdentityProvider`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityprovider)
object to configure the Pinniped Supervisor to federate identities from an upstream OIDC identity object to configure the Pinniped Supervisor to federate identities from an upstream OIDC identity
provider. provider.
@ -172,7 +172,7 @@ to authenticate federated identities from the Supervisor.
``` ```
1. Create a 1. Create a
[`JWTAuthenticator`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticator) [`JWTAuthenticator`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticator)
object to configure the Pinniped Concierge to authenticate using the Pinniped Supervisor. object to configure the Pinniped Concierge to authenticate using the Pinniped Supervisor.
```bash ```bash
@ -217,7 +217,7 @@ to authenticate federated identities from the Supervisor.
``` ```
Because this user has no RBAC permissions on this cluster, the previous command results in an Because this user has no RBAC permissions on this cluster, the previous command results in an
error that is similar to error that is similar to
`Error from server (Forbidden): pods is forbidden: User "pinny" cannot list resource "pods" `Error from server (Forbidden): pods is forbidden: User "pinny" cannot list resource "pods"
in API group "" in the namespace "pinniped"`, where `pinny` is the username that was used to login in API group "" in the namespace "pinniped"`, where `pinny` is the username that was used to login
to the upstream OIDC identity provider. However, this does prove that you are authenticated and to the upstream OIDC identity provider. However, this does prove that you are authenticated and