File: modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc (5 additions & 5 deletions)
@@ -21,18 +21,18 @@ We need to design a CRD change for users to enable the UIF.
21
21
=== Stand-alone CRD
22
22
23
23
We could create a new CRD, e.g. UserInfoFetcher and have a controller for it that creates a DaemonSet.
24
-
A OpaCluster would than be able to link to a UserInfoFetcher discovery ConfigMap.
24
+
An OpaCluster would then be able to link to a UserInfoFetcher discovery ConfigMap.
25
25
26
26
* Good, because a UIF instance can be shared across multiple OPA clusters -> Simple and improved caching
27
27
* Bad, because OPA clusters would need to authenticate against UIF clusters.
28
28
* Bad, because UIF might need some form of authorization as well
29
29
30
30
=== Integrate in OpaCluster
31
31
32
-
Add a new section to OpaCluster that allows users to spin up a UIF as a sidecar within the Opa DaemonSet.
32
+
Add a new section to OpaCluster that allows users to spin up a UIF as a sidecar within the Opa DaemonSet's Pods.
33
33
34
-
The CRD is mostly copied from the `oidc` AuthenticationClass introduced in xref:adr/ADR032-oidc-support.adoc[] with the addition of needed credentials for Keycloak as well as the admin and user realm and a very simplistic cache.
35
-
The cache will be probably extended in the future (e.g. max number of entries or users that should not be cached), which can be done in a non-breaking fashion below `spec.clusterConfig.userInfo.backend.keycloak.cache`.`
34
+
The CRD is mostly copied from the `oidc` AuthenticationClass introduced in xref:adr/ADR032-oidc-support.adoc[] with the addition of needed credentials for Keycloak as well as the _admin_ and _user_ realms and a very simplistic cache.
35
+
The cache might be extended in the future (e.g. to set the maximum number of cache entries or exempt particular users from being cached), which can be done in a non-breaking fashion below `spec.clusterConfig.userInfo.backend.keycloak.cache`.`
36
36
37
37
[source,yaml]
38
38
----
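Review bot: the stray trailing backtick on new line 35 is carried over from the removed line and should be dropped along with the typo fix; `...below `spec.clusterConfig.userInfo.backend.keycloak.cache`.`` ends with a lone backtick after the period that AsciiDoc will treat as an unclosed monospace span. Suggest ending the line at `...keycloak.cache`.` The remaining wording changes in this hunk (`An OpaCluster`, `DaemonSet's Pods`, `_admin_ and _user_ realms`) read correctly.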
@@ -72,7 +72,7 @@ stringData:
72
72
clientSecret: user-info-fetcher-client-secret
73
73
----
74
74
75
-
* Good, because only accessible via loopback to OPA clusters -> No authentication or authorization needed.
75
+
* Good, because only accessible via the loopback network interface to OPA clusters -> No authentication or authorization needed.
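Review bot: the "No authentication or authorization needed" conclusion on new line 75 rests on an assumption the text should state explicitly: the UIF sidecar must bind only to the loopback address, not to all interfaces, or it becomes reachable from the Pod network despite being a sidecar. Since all containers in a Pod share one network namespace, "only accessible to OPA clusters" also holds only as long as the OPA Pod carries no other containers; suggest adding a sentence such as "The UIF listens on the loopback address only, so it is reachable solely from containers in the same Pod." so the security property this bullet claims is documented as a requirement rather than an implicit expectation.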