From b46a2f0267666e1861f42675b23bcd5d37efaea8 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Thu, 22 Sep 2022 12:31:31 -0700 Subject: [PATCH] Add more details about OIDCClients to configure-auth-for-webapps.md Co-authored-by: Ryan Richard Co-authored-by: Benjamin A. Petersen --- .../docs/howto/configure-auth-for-webapps.md | 71 ++++++++++++++++--- 1 file changed, 63 insertions(+), 8 deletions(-) diff --git a/site/content/docs/howto/configure-auth-for-webapps.md b/site/content/docs/howto/configure-auth-for-webapps.md index 1eaa13f0..1b535eb6 100644 --- a/site/content/docs/howto/configure-auth-for-webapps.md +++ b/site/content/docs/howto/configure-auth-for-webapps.md @@ -17,6 +17,13 @@ identity provider. This guide explains how to use the Supervisor to provide authentication services for a web application. +Note that this feature is not part of how Pinniped provides authentication for `kubectl` users. By default, +the Pinniped Supervisor will contain an OIDC client called `pinniped-cli` which requires no configuration and is +used to provide authentication for `kubectl` (and other kubeconfig-based Kubernetes API clients). +If you are only setting up authentication for `kubectl` users of your Kubernetes clusters, then you do not need to +read this guide. If you want to use the Pinniped Supervisor to provide authentication services for a web application, +then this guide is for you. + ## Prerequisites This guide assumes that you have installed and configured the Pinniped Supervisor, and configured it with an 
@@ -42,6 +49,19 @@ framework (e.g. Spring, Rails, Django, etc.) to implement authentication. The Su Most web application frameworks offer all these capabilities in their OAuth2/OIDC libraries. +## Performance implications of using OIDCClients in the Supervisor + +The Pinniped Supervisor is an efficient application which typically does not use a lot of CPU and memory resources. +Using the OIDCClient CR, as described below, will cause the Supervisor to perform +bcrypt operations to validate the client's secret during authorization and refresh flows. While each of these bcrypt operations +takes only about a quarter second of CPU time, in aggregate, when lots of users are perform authorization and refresh flows, +these bcrypts will constitute the majority of the CPU usage of the Supervisor. + +The administrator of the Supervisor may need to adjust the Supervisor Deployment once they are familiar with usage patterns of +their Supervisor. Very heavy usage by clients might result in the Supervisor pods reaching their cpu limit and being +throttled, resulting in poor performance. This can be alleviated by adjusting the number of Pod replicas, and the CPU +requests and limits on each Pod. + ## Create an OIDCClient For each web application, the administrator of the Pinniped Supervisor will create an OIDCClient describing what @@ -133,7 +153,7 @@ secret for the client. The client secrets are random strings auto-generated by t The plaintext secret will only be returned once upon creation. ```sh -cat <
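Review bot: The first hunk (the added "Note that this feature is not part of..." paragraph) reads a little heavy for a lead-in; "By default, the Pinniped Supervisor will contain an OIDC client called `pinniped-cli`" would be tighter as "The Pinniped Supervisor always includes a built-in OIDC client called `pinniped-cli`", and the last two sentences could be collapsed into one ("If you only need `kubectl` authentication, you can skip this guide; it covers using the Supervisor for a web application."). The substance is right and the distinction between the built-in `pinniped-cli` client and an administrator-created OIDCClient is exactly what readers need up front.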
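Review bot: The new "Performance implications" section has a grammar slip and an unqualified number. "when lots of users are perform authorization and refresh flows" should read "when many users perform authorization and refresh flows", "these bcrypts" should be "these bcrypt operations", and "cpu limit" should be "CPU limit" to match the capitalization used elsewhere in the paragraph. The "about a quarter second of CPU time" figure is hardware- and cost-factor-dependent; either state what it was measured on or soften it to "on the order of hundreds of milliseconds", since the point of the section is that bcrypt validation is deliberately expensive and dominates CPU under load. The closing advice to tune replica count and CPU requests/limits is good; consider pointing readers at the Supervisor Deployment manifest so they know where those fields live.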