[DOC] Authentication section update #17
Conversation
| the authentication in the MKE 4 configuration file and add your own method. | ||
|
|
||
| --- | ||
| ***Caution: Changing authentication method*** |
There was a problem hiding this comment.
This should say "disabling" instead of "changing". Users will already have to configure authentication themselves, we just have tooling to make it easier.
If they disable the authentication section, then they are removing everything completely including our tooling and they will be responsible for 100% of the authentication
| Authentication can be configured in the `authentication` section of the MKE 4 config. | ||
| By default, authentication is enabled, but each of the individual authentication | ||
| methods is disabled. It can be disabled by setting the root `enabled` to `false`. | ||
| This will completely remove any authentication-related components from being |
There was a problem hiding this comment.
Suggest:
"Doing so will completely remove any authentication-related components from being installed on your cluster."
|
|
||
| ## Authentication methods | ||
|
|
||
| To learn more, refer to the documentation on specific authentication methods: |
There was a problem hiding this comment.
| To learn more, refer to the documentation on specific authentication methods: | |
| Documentation for specific authentication methods as they apply to MKE 4 is available: |
|
|
||
| To learn more, refer to the documentation on specific authentication methods: | ||
|
|
||
| - [OpenID Connect (OIDC)](OIDC.md) |
There was a problem hiding this comment.
| - [OpenID Connect (OIDC)](OIDC.md) | |
| - [OIDC (OpenID Connect)](OIDC.md) |
| To learn more, refer to the documentation on specific authentication methods: | ||
|
|
||
| - [OpenID Connect (OIDC)](OIDC.md) | ||
| - [Security Assertion Markup Language (SAML)](SAML.md) |
There was a problem hiding this comment.
| - [Security Assertion Markup Language (SAML)](SAML.md) | |
| - [SAML (Security Assertion Markup Language)](SAML.md) |
|
|
||
| - [OpenID Connect (OIDC)](OIDC.md) | ||
| - [Security Assertion Markup Language (SAML)](SAML.md) | ||
| - [Lightweight Directory Access Protocol (LDAP)](LDAP.md) |
There was a problem hiding this comment.
| - [Lightweight Directory Access Protocol (LDAP)](LDAP.md) | |
| - [LDAP (Lightweight Directory Access Protocol)](LDAP.md) |
Co-authored-by: Kory <[email protected]>
| @@ -46,15 +52,17 @@ authentication: | |||
| nameAttr: cn | |||
| ``` | |||
|
|
|||
| ## Authentication Flow | |||
| **To test the Authentication flow:** | |||
There was a problem hiding this comment.
This should be a heading section not bold text
There was a problem hiding this comment.
@nwneisen , this approach is part of the current Mirantis docs style, to introduce straight procedures. It would be rendered as an H2 if (a) there was descriptive content behind the subject, and/or (b) there was another H2 level heading in the topic, and/or (c) there was a need for the subject to be prominent enough to display in the TOC/left-hand menu.
|
|
||
| The remaining fields are used to configure the OIDC provider. | ||
| The remaining fields in the `authentication.oidc` section are used to configure |
There was a problem hiding this comment.
We should move the configure okta to it's on file and section and refer to it here. There will be more IdP providers and this should be made generic for them. Many providers offer both SAML and OIDC and in the specific pages we can say how to pull the config values for them.
The hierarchy might look something like this
authentication
ldap
oidc
....
SAML providers
Configuration okta
Configuration aws
OIDC providers
Configuration okta
Configuration aws
Same thoughts for SAML
| You can configure OIDC (OpenID Connect) for MKE 4 through the `authentication` section of the MKE configuration file. To enable the service, set 'enabled' to 'true' | ||
| The remaining fields in the `authentication.oidc` section are used to configure | ||
| the OIDC provider. | ||
| For information on how to obtain the field values, refer to |
There was a problem hiding this comment.
This would then say "For information on how to obtain the field values, refer to the section for your provider of choice: link"
| @@ -24,30 +28,30 @@ authentication: | |||
| redirectURI: http://dex.example.com:32000/callback | |||
| ``` | |||
|
|
|||
| Use the next section to understand how to configure Okta. Once the configuration is set, run the standard `mkectl apply` command with your config file and wait for the cluster to be ready. | |||
| **To create a new application in Okta:** | |||
There was a problem hiding this comment.
This should be a heading not just bold
There was a problem hiding this comment.
@nwneisen, I detailed the reasoning for this decision in a previous comment.
| To enable the service, set `enabled` to `true`. | ||
| The remaining fields in the `authentication.saml` section are used to configure | ||
| the SAML provider. | ||
| Refer to **Configure and create a new application in Okta** section of this document |
There was a problem hiding this comment.
Make any referrals a link
| @@ -0,0 +1,50 @@ | |||
| # Authentication | |||
|
|
|||
| Mirantis Kubernetes Engine (MKE) 4 uses Dex for authentication. | |||
There was a problem hiding this comment.
It''s just MKE. The version is 4.0
There was a problem hiding this comment.
It was agreed with the doc team that the first mention of MKE on each page will have this format.
If you want to change it, please bring it up to Kory, as it is a global change proposal.
| # Authentication | ||
|
|
||
| Mirantis Kubernetes Engine (MKE) 4 uses Dex for authentication. | ||
| If you want to use a different authentication method, disable |
| - **Identity Provider (IdP)** | ||
|
|
||
| To set OIDC or SAML you need to configure an IdP with an application. | ||
| Refer to the official Okta documentation tutorial [Add a SAML Identity Provider](https://help.okta.com/en-us/content/topics/security/idp-add-saml.htm). |
There was a problem hiding this comment.
This should point to the SAML providers section
|
|
||
| - **LDAP Server** | ||
|
|
||
| To set LDAP you need to configure an LDAP server with a user. |
There was a problem hiding this comment.
LDAP is many users. Not just one
| of the MKE configuration file. `authentication` is enabled by default, however | ||
| the settings for each of the individual authentication methods are disabled. | ||
| To enable a service, set its `enabled` configuration option to `true`. | ||
| Doing so will completely remove any authentication-related components from |
There was a problem hiding this comment.
They aren't installed when it is disabled. Setting it to true will install them
| OpenID Connect (OIDC) can be configured in the `authentication` section of | ||
| the Mirantis Kubernetes Engine (MKE) 4 config. | ||
| OIDC is disabled by default, to enable it set `enabled` to `true`. |
There was a problem hiding this comment.
My bad. 'enabled' needs to be enabled and 'true' needs to be true.
|
|
||
| The remaining fields are used to configure the OIDC provider. | ||
| The remaining fields in the `authentication.oidc` section are used to configure |
There was a problem hiding this comment.
Suggest editing "refer to Create a new application in Okta section of this document." to instead read "refer to the Create a new application in Okta procedure below."
| @@ -46,15 +52,17 @@ authentication: | |||
| nameAttr: cn | |||
| ``` | |||
|
|
|||
| ## Authentication Flow | |||
| **To test the Authentication flow:** | |||
There was a problem hiding this comment.
@nwneisen , this approach is part of the current Mirantis docs style, to introduce straight procedures. It would be rendered as an H2 if (a) there was descriptive content behind the subject, and/or (b) there was another H2 level heading in the topic, and/or (c) there was a need for the subject to be prominent enough to display in the TOC/left-hand menu.
| @@ -24,30 +28,30 @@ authentication: | |||
| redirectURI: http://dex.example.com:32000/callback | |||
| ``` | |||
|
|
|||
| Use the next section to understand how to configure Okta. Once the configuration is set, run the standard `mkectl apply` command with your config file and wait for the cluster to be ready. | |||
| **To create a new application in Okta:** | |||
There was a problem hiding this comment.
@nwneisen, I detailed the reasoning for this decision in a previous comment.
Update of the authentication section