@startuml "pinniped"

!define K8S_BLUE #326CE5
!define K8S_SPRITES_URL https://raw.githubusercontent.com/michiel/plantuml-kubernetes-sprites/master/resource
!include K8S_SPRITES_URL/k8s-sprites-unlabeled-25pct.iuml

participant "User" as USER << ($pod{scale=0.30},K8S_BLUE) >> #LightGreen
participant "Kubectl" as KUBECTL << ($ing{scale=0.30},K8S_BLUE) >> #LightSteelBlue
participant "Proprietary CLI" as CLI << ($svc{scale=0.30},K8S_BLUE) >> #LightPink
participant "Pinniped" as PINNIPED << ($node{scale=0.30},K8S_BLUE) >> #LightGray
participant "TokenReview Webhook" as WEBHOOK << ($pod{scale=0.30},K8S_BLUE) >> #LightPink
participant "Kubernetes API" as API << ($node{scale=0.30},K8S_BLUE) >> #LightSteelBlue

legend
  # <back:lightsalmon>Message contains upstream IDP credentials</back>
  # <back:lightgreen>Message contains cluster-specific credentials</back>
end legend

USER -> KUBECTL : ""kubectl get pods""
activate KUBECTL

group Acquire cluster-specific credential

KUBECTL -> CLI : Get cluster-specific credential
activate CLI

CLI -> CLI : Retrieve upstream IDP credential in\norganization-specific way

CLI -> PINNIPED : <back:lightsalmon>""POST /apis/pinniped.dev/...""</back>
activate PINNIPED

PINNIPED -> WEBHOOK : <back:lightsalmon>""POST /authenticate""</back>
activate WEBHOOK

WEBHOOK -> PINNIPED : ""200 OK"" with user and group information
deactivate WEBHOOK

PINNIPED -> PINNIPED : Issue short-lived cluster-specific credential\nwith user and group information

PINNIPED -> CLI : <back:lightgreen>""200 OK""</back>
deactivate PINNIPED

CLI -> KUBECTL : Here is a cluster-specific credential

end

group Authenticate to cluster with cluster-specific credential

KUBECTL -> API : <back:lightgreen>""GET /api/v1/pods""</back>
activate API

API -> API : Glean user and group information from\ncluster-specific credential

API -> KUBECTL : ""200 OK"" with pods
deactivate API

deactivate KUBECTL

end

@enduml