Kubernetes service account automatic configuration
This topic tells you about the resources that you create for Kubernetes service account automatic configuration for Artifact Metadata Repository (AMR) authentication and authorization.
Overview
This topic describes which resources play a role in the default configuration and how to troubleshoot. For more information about the resources, for example, if you use means to manage your service accounts or have other requirements related to roles and bindings, see User-defined kubernetes service account configuration
The package-level configuration has a component top level key (TLK) prefix and this topic describes how Tanzu Application Platform configurations can influence this prefix.
Observer
Observer configuration in the Tanzu Application Platform context has the prefix TLK amr.observer. For authentication and authorization, the Tanzu Application Platform profiles influence automatic configuration.
Observer can only automatically configure itself when colocated with the CloudEvent Handler, which is in the full or view profile. If this is not the case auth.kubernetes_service_accounts.autoconfigure is set to false at installation.
If auth.kubernetes_service_accounts.enable and auth.kubernetes_service_accounts.autoconfigure are true, the observer package creates the following resources to set up authentication automatically in the amr-observer-system namespace:
- A
ServiceAccountnamedamr-observer-editorthat Observer uses to send requests to the CloudEvent Handler - A
Secretnamedamr-observer-edit-tokenof the typekubernetes.io/service-account-token, which generates a long-lived token for the service account - A
ClusterRolenamedtanzu:amr:observer:editthat defines the necessaryupdatepermissions for all resources incloudevents.amr.apps.tanzu.vmware.com - A
ClusterRoleBindingnamedtanzu:amr:observer:editorthat binds the defined role to the service account
If auth.kubernetes_service_accounts.autoconfigure is set to false, you must configure the Observer package with all these resources manually. For information about how to set up the Observer, see Configure a user-defined Kubernetes service account.
CloudEvent Handler
You can find the CloudEvent Handler configuration in the Tanzu Application Platform context under the TLK amr.cloudevent_handler. This prefix is not stripped in this case.
On the package level, if amr.cloudevent_handler.auth.kubernetes_service_accounts.enable and amr.cloudevent_handler.auth.kubernetes_service_accounts.autoconfigure are true, the package creates the following resources to set up authentication automatically in the metadata-store namespace:
- A
ServiceAccountnamedamr-cloudevent-handler-editorthat clients use to send requests to the CloudEvent Handler - A
Secretnamedamr-cloudevent-handler-edit-tokenof the typekubernetes.io/service-account-token, which generates a long-lived token for the service account - A
ClusterRolenamedtanzu:amr:cloudevent-handler:editthat defines the necessaryupdatepermissions for all resources incloudevents.amr.apps.tanzu.vmware.com - A
ClusterRoleBindingnamedtanzu:amr:cloudevent-handler:editorthat binds the defined role to the service account
GraphQL handler
You can find the GraphQL configuration in the Tanzu Application Platform context under the TLK amr.graphql. This prefix is not stripped in this case.
If amr.graphql.auth.kubernetes_service_accounts.enable and amr.graphql.auth.kubernetes_service_accounts.autoconfigure are true, the package creates the following resources to set up authentication automatically in the metadata-store namespace:
- A
ServiceAccountnamedamr-graphql-viewerthat clients use to send requests to the GraphQL interface - A
Secretnamedamr-graphql-view-tokenof the typekubernetes.io/service-account-token, which generates a long-lived token for the service account - A
ClusterRolenamedtanzu:amr:graphql:viewthat defines the necessarygetpermissions for all resources ingraphql.amr.apps.tanzu.vmware.com - A
ClusterRoleBindingnamedtanzu:amr:graphql:viewerthat binds the defined role to the service account
