This topic tells you how clients are authenticated and authorized when they call the Artifact Metadata Repository (AMR).
The following are included in authentication and authorization:
The Artifact Metadata Repository (AMR) deploys the following Kubernetes services, which expose HTTP endpoints:

- cloudevent-handler
- GraphQL
Both the cloudevent-handler and the GraphQL server run in the same cluster. In a multicluster Tanzu Application Platform deployment, they run in the View cluster, and clients can connect from any cluster. The examples in this topic show a client in the Build cluster.
The client sends requests to either service depending on its current task: the cloudevent-handler ingests events from the client and stores them in the database, and the GraphQL server answers the client's queries with data from that database. Apart from that difference, this design treats the two services the same, and both use the same authentication and authorization solution. To keep the explanation simple, this topic shows only the cloudevent-handler.
The server authenticates clients with Kubernetes service account tokens and authorizes them with Kubernetes RBAC: the client must send a token for a Kubernetes service account that is bound, through a role binding, to a Kubernetes Role or ClusterRole granting the required permissions.
The administrator creates a service account, a Role or ClusterRole, and a role binding in the View cluster, where the cloudevent-handler is deployed. The role declares what permissions the client has:

- Verb `update`, resource `*`, group `cloudevents.amr.apps.tanzu.vmware.com`. resourceNames are not supported, so the permission cannot be narrowed to individual resources; this translates to "write all resources" on the CloudEvents API.
- Verb `get`, resource `*`, group `graphql.amr.apps.tanzu.vmware.com`. resourceNames are not supported here either; this translates to "read all" on the GraphQL API.

The client presents the service account token in the `Authorization: Bearer <token>` header of each request.
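The following manifests are an added example, not part of the AMR documentation or the project's own configuration, showing one way to create the objects the procedure above describes. The namespace `amr-clients`, the service account name `amr-build-client`, and the role and binding names are assumptions; only the API groups, the verbs, and the `*` resource wildcard come from the topic. Because the topic's Build cluster client only sends CloudEvents, the example splits the two rules into separate ClusterRoles and binds the build client to the CloudEvents writer role only, following least privilege; a client that runs GraphQL queries would be bound to the reader role instead.

```yaml
# Added example (not the project's own manifests). Apply against the View cluster,
# which is where the cloudevent-handler and GraphQL services run.
# Assumed names: namespace amr-clients, service account amr-build-client,
# ClusterRoles amr-cloudevents-writer / amr-graphql-reader.
apiVersion: v1
kind: Namespace
metadata:
  name: amr-clients
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: amr-build-client
  namespace: amr-clients
---
# "write all resources" on the CloudEvents API: verb update on every resource
# in the group. resourceNames are not supported, so no narrowing is possible.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: amr-cloudevents-writer
rules:
  - apiGroups: ["cloudevents.amr.apps.tanzu.vmware.com"]
    resources: ["*"]
    verbs: ["update"]
---
# "read all" on the GraphQL API: verb get on every resource in the group.
# Kept as a separate role so a client gets only the side it actually uses.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: amr-graphql-reader
rules:
  - apiGroups: ["graphql.amr.apps.tanzu.vmware.com"]
    resources: ["*"]
    verbs: ["get"]
---
# The Build cluster client only ingests events, so it is bound to the writer
# role alone. Bind amr-graphql-reader to a different service account for a
# client that needs to query.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: amr-build-client-cloudevents-writer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: amr-cloudevents-writer
subjects:
  - kind: ServiceAccount
    name: amr-build-client
    namespace: amr-clients
```

After applying these to the View cluster, mint a short-lived token for the service account there, for example with `kubectl create token amr-build-client -n amr-clients --duration=1h`, and configure the client in the Build cluster to send it as `Authorization: Bearer <token>`. A request from this client to the GraphQL endpoint should be rejected, because the token's service account holds no `get` permission in the `graphql.amr.apps.tanzu.vmware.com` group; that rejection is a quick check that the binding is scoped as intended.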