This topic describes the resources that are created when Kubernetes service account configuration is automated for AMR authentication and authorization. It explains which resources play a role in the default configuration and how to troubleshoot them. If you use other means to manage your service accounts, or have other requirements related to roles and bindings, see User-defined Kubernetes service account configuration for more information about these resources.
Each package-level configuration sits under a component top-level key (TLK) prefix. This topic describes how Tanzu Application Platform configuration influences that prefix.

In the Tanzu Application Platform context, Observer configuration has the TLK prefix `amr.observer`. For authentication and authorization, the Tanzu Application Platform profiles influence automatic configuration. Observer can only configure itself automatically when it is co-located with the CloudEvent Handler, which is the case in the `full` or `view` profile. Otherwise, `auth.kubernetes_service_accounts.autoconfigure` is set to false at installation.
If `auth.kubernetes_service_accounts.enable` and `auth.kubernetes_service_accounts.autoconfigure` are true, the observer package creates the following resources to set up authentication automatically in the `amr-observer-system` namespace:

- a `ServiceAccount` named `amr-observer-editor` that observer uses to send requests to the CloudEvent Handler
- a `Secret` named `amr-observer-edit-token` of type `kubernetes.io/service-account-token`, which generates a long-lived token for the service account
- a `ClusterRole` named `tanzu:amr:observer:edit` defining the necessary `update` permissions for all resources in `cloudevents.amr.apps.tanzu.vmware.com`
- a `ClusterRoleBinding` named `tanzu:amr:observer:editor` binding the defined role to the service account

If `auth.kubernetes_service_accounts.autoconfigure` is set to false, you must configure the observer package with all of the above resources manually. For information about how to set up the observer, see User-defined Kubernetes service account configuration.
You can find the CloudEvent Handler configuration in the Tanzu Application Platform context under the TLK `amr.cloudevent_handler`. This prefix is not stripped in this case.

On the package level, if `amr.cloudevent_handler.auth.kubernetes_service_accounts.enable` and `amr.cloudevent_handler.auth.kubernetes_service_accounts.autoconfigure` are true, the package creates the following resources to set up authentication automatically in the `metadata-store` namespace:

- a `ServiceAccount` named `amr-cloudevent-handler-editor` that clients use to send requests to the CloudEvent Handler
- a `Secret` named `amr-cloudevent-handler-edit-token` of type `kubernetes.io/service-account-token`, which generates a long-lived token for the service account
- a `ClusterRole` named `tanzu:amr:cloudevent-handler:edit` defining the necessary `update` permissions for all resources in `cloudevents.amr.apps.tanzu.vmware.com`
- a `ClusterRoleBinding` named `tanzu:amr:cloudevent-handler:editor` binding the defined role to the service account
You can find the GraphQL configuration in the Tanzu Application Platform context under the TLK `amr.graphql`. This prefix is not stripped in this case.

If `amr.graphql.auth.kubernetes_service_accounts.enable` and `amr.graphql.auth.kubernetes_service_accounts.autoconfigure` are true, the package creates the following resources to set up authentication automatically in the `metadata-store` namespace:

- a `ServiceAccount` named `amr-graphql-viewer` that clients use to send requests to the GraphQL interface
- a `Secret` named `amr-graphql-view-token` of type `kubernetes.io/service-account-token`, which generates a long-lived token for the service account
- a `ClusterRole` named `tanzu:amr:graphql:view` defining the necessary `get` permissions for all resources in `graphql.amr.apps.tanzu.vmware.com`
- a `ClusterRoleBinding` named `tanzu:amr:graphql:viewer` binding the defined role to the service account
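The four resources follow the same pattern for all three components (Observer, CloudEvent Handler, and GraphQL), so the script below renders them as manifests that you can apply yourself when `auth.kubernetes_service_accounts.autoconfigure` is false. It is an added example and is not part of the Tanzu Application Platform documentation or of the AMR packages. The resource names, namespaces, verbs, and API groups are the ones listed above; the `kubernetes.io/service-account.name` annotation on the Secret is what makes the Kubernetes token controller populate it. The wildcard `resources` list in the ClusterRole, the `AMR_COMPONENT` and `AMR_APPLY` variables, and the `verify_access` helper are assumptions of this example, not something the packages define.

```shell
#!/usr/bin/env bash
# Added example (not part of the TAP documentation or the AMR packages):
# renders the ServiceAccount, token Secret, ClusterRole and ClusterRoleBinding
# that the packages create automatically, for manual setup when
# auth.kubernetes_service_accounts.autoconfigure is false.
set -eu

# render_sa_rbac <component> <namespace> <verb> <api-group> <role-suffix> <subject-suffix>
# Prints the four manifests as one multi-document YAML stream.
render_sa_rbac() {
  local component="$1" namespace="$2" verb="$3" group="$4"
  local role_suffix="$5" subject_suffix="$6"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: amr-${component}-${subject_suffix}
  namespace: ${namespace}
---
apiVersion: v1
kind: Secret
metadata:
  name: amr-${component}-${role_suffix}-token
  namespace: ${namespace}
  annotations:
    # Required so the token controller fills this Secret for the account.
    kubernetes.io/service-account.name: amr-${component}-${subject_suffix}
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tanzu:amr:${component}:${role_suffix}
rules:
  # Only the single verb listed above, on the one AMR API group.
  # The wildcard resource list is an assumption of this example.
  - apiGroups: ["${group}"]
    resources: ["*"]
    verbs: ["${verb}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tanzu:amr:${component}:${subject_suffix}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tanzu:amr:${component}:${role_suffix}
subjects:
  - kind: ServiceAccount
    name: amr-${component}-${subject_suffix}
    namespace: ${namespace}
EOF
}

# One wrapper per component, using the names, namespaces, verbs and API
# groups listed above for each.
render_observer() {
  render_sa_rbac observer amr-observer-system update \
    cloudevents.amr.apps.tanzu.vmware.com edit editor
}
render_cloudevent_handler() {
  render_sa_rbac cloudevent-handler metadata-store update \
    cloudevents.amr.apps.tanzu.vmware.com edit editor
}
render_graphql() {
  render_sa_rbac graphql metadata-store get \
    graphql.amr.apps.tanzu.vmware.com view viewer
}

# verify_access <namespace> <service-account>: on a live cluster, list what the
# bound account may do, so you can confirm it holds nothing beyond the single
# verb on the AMR API group. Hypothetical helper; needs kubectl and a cluster.
verify_access() {
  kubectl auth can-i --list --as="system:serviceaccount:$1:$2"
}

# Entry point: AMR_COMPONENT selects the component; AMR_APPLY=1 applies the
# manifests instead of printing them. Both variables exist only in this example.
case "${AMR_COMPONENT:-}" in
  observer)           manifests="$(render_observer)" ;;
  cloudevent-handler) manifests="$(render_cloudevent_handler)" ;;
  graphql)            manifests="$(render_graphql)" ;;
  "")                 manifests="" ;;
  *) echo "unknown component: ${AMR_COMPONENT}" >&2; exit 2 ;;
esac
if [ -n "${manifests}" ]; then
  if [ "${AMR_APPLY:-0}" = 1 ]; then
    printf '%s\n' "${manifests}" | kubectl apply -f -
  else
    printf '%s\n' "${manifests}"
  fi
fi
```

Run it as `AMR_COMPONENT=observer ./amr-sa-rbac.sh` to print the manifests, or add `AMR_APPLY=1` to pipe them into `kubectl apply`. After applying, `verify_access amr-observer-system amr-observer-editor` prints the permissions the binding grants to the account, so you can confirm it holds only `update` (or `get` for GraphQL) on the AMR API group and nothing else. Because the Secret carries a long-lived token, anyone who can read Secrets in `amr-observer-system` or `metadata-store` effectively holds the service account's permissions, so scope read access to those namespaces accordingly.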