ContainerImage.Pinniped/site/content/docs/img/pinniped-concierge-supervisor-sequence.svg
Andrew Keesler 40d93ff33b
site/content/docs/architecture.md: another coat of paint with Supervisor updates
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-18 09:39:36 -05:00

61 lines
22 KiB
XML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" contentScriptType="application/ecmascript" contentStyleType="text/css" height="1115px" preserveAspectRatio="none" style="width:1570px;height:1115px;" version="1.1" viewBox="0 0 1570 1115" width="1570px" zoomAndPan="magnify"><defs><filter height="300%" id="fazmj0hiken0e" width="300%" x="-1" y="-1"><feGaussianBlur result="blurOut" stdDeviation="2.0"/><feColorMatrix in="blurOut" result="blurOut2" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .4 0"/><feOffset dx="4.0" dy="4.0" in="blurOut2" result="blurOut3"/><feBlend in="SourceGraphic" in2="blurOut3" mode="normal"/></filter></defs><g><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="461.5" x="64.5" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="96" x="247.25" y="18.0669">Workstation</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="146" x="795" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="140" x="798" y="18.0669">Supervisor Cluster</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="141" x="1017" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="135" x="1020" y="18.0669">Concierge Cluster</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="156" x="1333.5" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="150" x="1336.5" y="18.0669">Corporate Network</text><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="23" x2="23" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="106.5" x2="106.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="191.5" x2="191.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="468" x2="468" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="867.5" x2="867.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="1087" x2="1087" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="1411.5" x2="1411.5" y1="88.2969" y2="1022.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="31" x="5" y="84.9951">User</text><ellipse cx="23.5" cy="15" fill="#FEFECE" filter="url(#fazmj0hiken0e)" rx="8" ry="8" style="stroke:#A80036;stroke-width:2.0;"/><path d="M23.5,23 L23.5,50 M10.5,31 L36.5,31 M23.5,50 L10.5,65 M23.5,50 L36.5,65 " fill="none" filter="url(#fazmj0hiken0e)" style="stroke:#A80036;stroke-width:2.0;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="31" x="5" y="1034.75">User</text><ellipse cx="23.5" cy="1048.0517" fill="#FEFECE" filter="url(#fazmj0hiken0e)" rx="8" ry="8" style="stroke:#A80036;stroke-width:2.0;"/><path d="M23.5,1056.0517 L23.5,1083.0517 M10.5,1064.0517 L36.5,1064.0517 M23.5,1083.0517 L10.5,1098.0517 M23.5,1083.0517 L36.5,1098.0517 " fill="none" filter="url(#fazmj0hiken0e)" style="stroke:#A80036;stroke-width:2.0;"/><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="72" x="68.5" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="58" x="75.5" y="72.9951">Browser</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="72" x="68.5" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="58" x="75.5" y="1041.75">Browser</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="70" x="154.5" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="56" x="161.5" y="72.9951">Kubectl</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="70" x="154.5" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="56" x="161.5" y="1041.75">Kubectl</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="103" x="415" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="89" x="422" y="72.9951">Pinniped CLI</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="103" x="415" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="89" x="422" y="1041.75">Pinniped CLI</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="77" x="827.5" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="63" x="834.5" y="72.9951">Pinniped</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="77" x="827.5" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="63" x="834.5" y="1041.75">Pinniped</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="77" x="1047" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="63" x="1054" y="72.9951">Pinniped</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="77" x="1047" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="63" x="1054" y="1041.75">Pinniped</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="78" x="1370.5" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="64" x="1377.5" y="72.9951">OIDC IDP</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="78" x="1370.5" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="64" x="1377.5" y="1041.75">OIDC IDP</text><polygon fill="#A80036" points="179.5,115.4297,189.5,119.4297,179.5,123.4297,183.5,119.4297" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="23.5" x2="185.5" y1="119.4297" y2="119.4297"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="106" x="30.5" y="114.3638">kubectl get pods</text><polygon fill="#A80036" points="456.5,144.5625,466.5,148.5625,456.5,152.5625,460.5,148.5625" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="191.5" x2="462.5" y1="148.5625" y2="148.5625"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="253" x="198.5" y="143.4966">get credential for cluster authentication</text><line style="stroke:#A80036;stroke-width:1.0;" x1="468.5" x2="510.5" y1="177.6953" y2="177.6953"/><line style="stroke:#A80036;stroke-width:1.0;" x1="510.5" x2="510.5" y1="177.6953" y2="190.6953"/><line style="stroke:#A80036;stroke-width:1.0;" x1="469.5" x2="510.5" y1="190.6953" y2="190.6953"/><polygon fill="#A80036" points="479.5,186.6953,469.5,190.6953,479.5,194.6953,475.5,190.6953" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="149" x="475.5" y="172.6294">starts localhost listener</text><polygon fill="#A80036" points="34.5,215.8281,24.5,219.8281,34.5,223.8281,30.5,219.8281" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="28.5" x2="467.5" y1="219.8281" y2="219.8281"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="157" x="40.5" y="214.7622">"open browser to URL X"</text><polygon fill="#A80036" points="94.5,244.9609,104.5,248.9609,94.5,252.9609,98.5,248.9609" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="23.5" x2="100.5" y1="248.9609" y2="248.9609"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="59" x="30.5" y="243.895">clicks link</text><polygon fill="#A80036" points="856,274.561,866,278.561,856,282.561,860,278.561" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="106.5" x2="862" y1="278.561" y2="278.561"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="344" x="113.5" y="272.9989">GET https://supervisor.com/oauth2/authorize</text><polygon fill="#A80036" points="117.5,304.161,107.5,308.161,117.5,312.161,113.5,308.161" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="111.5" x2="867" y1="308.161" y2="308.161"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="66" x="123.5" y="303.095">302 to IDP</text><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="440" x="193.5" y="302.599">/authorize?redirect_uri=https://supervisor.com/callback</text><polygon fill="#A80036" points="1399.5,333.761,1409.5,337.761,1399.5,341.761,1403.5,337.761" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="106.5" x2="1405.5" y1="337.761" y2="337.761"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="472" x="113.5" y="332.199">GET /authorize?redirect_uri=https://supervisor.com/callback</text><line style="stroke:#A80036;stroke-width:1.0;" x1="1411.5" x2="1453.5" y1="366.8938" y2="366.8938"/><line style="stroke:#A80036;stroke-width:1.0;" x1="1453.5" x2="1453.5" y1="366.8938" y2="379.8938"/><line style="stroke:#A80036;stroke-width:1.0;" x1="1412.5" x2="1453.5" y1="379.8938" y2="379.8938"/><polygon fill="#A80036" points="1422.5,375.8938,1412.5,379.8938,1422.5,383.8938,1418.5,379.8938" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="145" x="1418.5" y="361.8279">IDP authenticates user</text><polygon fill="#A80036" points="117.5,405.4938,107.5,409.4938,117.5,413.4938,113.5,409.4938" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="111.5" x2="1410.5" y1="409.4938" y2="409.4938"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="41" x="123.5" y="404.4279">302 to</text><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="248" x="168.5" y="403.9318">https://supervisor.com/callback</text><polygon fill="#A80036" points="856,435.0938,866,439.0938,856,443.0938,860,439.0938" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="106.5" x2="862" y1="439.0938" y2="439.0938"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="280" x="113.5" y="433.5318">GET https://supervisor.com/callback</text><polygon fill="#A80036" points="1399.5,464.6938,1409.5,468.6938,1399.5,472.6938,1403.5,468.6938" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="868" x2="1405.5" y1="468.6938" y2="468.6938"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="88" x="875" y="463.1318">POST /token</text><polygon fill="#A80036" points="879,493.8266,869,497.8266,879,501.8266,875,497.8266" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="873" x2="1410.5" y1="497.8266" y2="497.8266"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="239" x="885" y="492.7607">access token, ID token, refresh token</text><polygon fill="#A80036" points="117.5,523.4267,107.5,527.4267,117.5,531.4267,113.5,527.4267" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="111.5" x2="867" y1="527.4267" y2="527.4267"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="41" x="123.5" y="522.3607">302 to</text><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="240" x="168.5" y="521.8647">http://localhost:1234/callback</text><polygon fill="#A80036" points="456.5,553.0267,466.5,557.0267,456.5,561.0267,460.5,557.0267" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="106.5" x2="462.5" y1="557.0267" y2="557.0267"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="272" x="113.5" y="551.4647">GET http://localhost:1234/callback</text><polygon fill="#A80036" points="856,582.6267,866,586.6267,856,590.6267,860,586.6267" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="468.5" x2="862" y1="586.6267" y2="586.6267"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="320" x="475.5" y="581.0647">POST https://supervisor.com/oauth2/token</text><line style="stroke:#A80036;stroke-width:1.0;" x1="868" x2="910" y1="615.7595" y2="615.7595"/><line style="stroke:#A80036;stroke-width:1.0;" x1="910" x2="910" y1="615.7595" y2="628.7595"/><line style="stroke:#A80036;stroke-width:1.0;" x1="869" x2="910" y1="628.7595" y2="628.7595"/><polygon fill="#A80036" points="879,624.7595,869,628.7595,879,632.7595,875,628.7595" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="110" x="875" y="610.6936">lookup auth code</text><line style="stroke:#A80036;stroke-width:1.0;" x1="868" x2="910" y1="657.8923" y2="657.8923"/><line style="stroke:#A80036;stroke-width:1.0;" x1="910" x2="910" y1="657.8923" y2="670.8923"/><line style="stroke:#A80036;stroke-width:1.0;" x1="869" x2="910" y1="670.8923" y2="670.8923"/><polygon fill="#A80036" points="879,666.8923,869,670.8923,879,674.8923,875,670.8923" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="123" x="875" y="652.8264">issue refresh token</text><line style="stroke:#A80036;stroke-width:1.0;" x1="868" x2="910" y1="700.0251" y2="700.0251"/><line style="stroke:#A80036;stroke-width:1.0;" x1="910" x2="910" y1="700.0251" y2="713.0251"/><line style="stroke:#A80036;stroke-width:1.0;" x1="869" x2="910" y1="713.0251" y2="713.0251"/><polygon fill="#A80036" points="879,709.0251,869,713.0251,879,717.0251,875,713.0251" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="151" x="875" y="694.9592">issue ID+access tokens</text><polygon fill="#A80036" points="479.5,738.1579,469.5,742.1579,479.5,746.1579,475.5,742.1579" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="473.5" x2="867" y1="742.1579" y2="742.1579"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="170" x="485.5" y="737.092">refresh+access+ID tokens</text><polygon fill="#A80036" points="856,767.7579,866,771.7579,856,775.7579,860,771.7579" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="468.5" x2="862" y1="771.7579" y2="771.7579"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="144" x="475.5" y="766.1959">POST /oauth2/token</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="199" x="623.5" y="766.692">(w/ access token per RFC8693)</text><polygon fill="#A80036" points="479.5,796.8908,469.5,800.8908,479.5,804.8908,475.5,800.8908" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="473.5" x2="867" y1="800.8908" y2="800.8908"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="153" x="485.5" y="795.8248">cluster-specific ID token</text><polygon fill="#A80036" points="1075.5,826.0236,1085.5,830.0236,1075.5,834.0236,1079.5,830.0236" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="468.5" x2="1081.5" y1="830.0236" y2="830.0236"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="388" x="475.5" y="824.9577">create TokenCredentialRequest (w/ cluster-specific ID token)</text><polygon fill="#A80036" points="479.5,855.1564,469.5,859.1564,479.5,863.1564,475.5,859.1564" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="473.5" x2="1086.5" y1="859.1564" y2="859.1564"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="219" x="485.5" y="854.0905">cluster-specific certificate and key</text><polygon fill="#A80036" points="202.5,884.2892,192.5,888.2892,202.5,892.2892,198.5,888.2892" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="196.5" x2="467.5" y1="888.2892" y2="888.2892"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="219" x="208.5" y="883.2233">cluster-specific certificate and key</text><polygon fill="#A80036" points="1075.5,913.8892,1085.5,917.8892,1075.5,921.8892,1079.5,917.8892" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="191.5" x2="1081.5" y1="917.8892" y2="917.8892"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="128" x="198.5" y="912.3272">GET /api/v1/pods</text><line style="stroke:#A80036;stroke-width:1.0;" x1="1087.5" x2="1129.5" y1="962.1548" y2="962.1548"/><line style="stroke:#A80036;stroke-width:1.0;" x1="1129.5" x2="1129.5" y1="962.1548" y2="975.1548"/><line style="stroke:#A80036;stroke-width:1.0;" x1="1088.5" x2="1129.5" y1="975.1548" y2="975.1548"/><polygon fill="#A80036" points="1098.5,971.1548,1088.5,975.1548,1098.5,979.1548,1094.5,975.1548" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="251" x="1094.5" y="941.9561">Glean user and group information from</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="163" x="1094.5" y="957.0889">cluster-specific credential</text><polygon fill="#A80036" points="202.5,1000.7549,192.5,1004.7549,202.5,1008.7549,198.5,1004.7549" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="196.5" x2="1086.5" y1="1004.7549" y2="1004.7549"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="48" x="208.5" y="999.1928">200 OK</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="62" x="260.5" y="999.6889">with pods</text><!--MD5=[49d02181e46ae9cfb93bcee05d19a828]
@startuml
actor User
box "Workstation"
participant Browser
participant Kubectl
participant "Pinniped CLI"
end box
box "Supervisor Cluster"
participant Pinniped as sp
end box
box "Concierge Cluster"
participant Pinniped as wp
end box
box "Corporate Network"
participant "OIDC IDP" as IDP
end box
User -> Kubectl: kubectl get pods
Kubectl -> "Pinniped CLI" : get credential for cluster authentication
"Pinniped CLI" -> "Pinniped CLI": starts localhost listener
"Pinniped CLI" -> User: "open browser to URL X"
User -> Browser: clicks link
Browser -> sp : ""GET https://supervisor.com/oauth2/authorize""
sp -> Browser: 302 to IDP ""/authorize?redirect_uri=https://supervisor.com/callback""
Browser -> IDP: ""GET /authorize?redirect_uri=https://supervisor.com/callback""
IDP -> IDP: IDP authenticates user
IDP -> Browser: 302 to ""https://supervisor.com/callback""
Browser -> sp: ""GET https://supervisor.com/callback""
sp -> IDP: ""POST /token""
IDP -> sp: access token, ID token, refresh token
sp -> Browser: 302 to ""http://localhost:1234/callback""
Browser -> "Pinniped CLI": ""GET http://localhost:1234/callback""
"Pinniped CLI" -> sp: ""POST https://supervisor.com/oauth2/token""
sp -> sp: lookup auth code
sp -> sp: issue refresh token
sp -> sp: issue ID+access tokens
sp -> "Pinniped CLI": refresh+access+ID tokens
"Pinniped CLI" -> sp: ""POST /oauth2/token"" (w/ access token per RFC8693)
sp -> "Pinniped CLI": cluster-specific ID token
"Pinniped CLI" -> wp: create TokenCredentialRequest (w/ cluster-specific ID token)
wp -> "Pinniped CLI": cluster-specific certificate and key
"Pinniped CLI" -> Kubectl: cluster-specific certificate and key
Kubectl -> wp : ""GET /api/v1/pods""
wp -> wp : Glean user and group information from\ncluster-specific credential
wp -> Kubectl : ""200 OK"" with pods
@enduml
PlantUML version 1.2020.24beta4(Unknown compile time)
(GPL source distribution)
Java Runtime: Java(TM) SE Runtime Environment
JVM: Java HotSpot(TM) 64-Bit Server VM
Default Encoding: UTF-8
Language: en
Country: US
--></g></svg>