Add instructions for bypassing IdP with admin token (#5376)

* add instructions for bypassing IdP with admin token, closes #5374 * Apply suggestions from code review Co-authored-by: Jason Stirnaman <stirnamanj@gmail.com> * fix broken clustered tab, relocated idp-bypass file * link to management token definition * remove management token term from idp bypass guide * add commands for deleting an admin token --------- Co-authored-by: Jason Stirnaman <stirnamanj@gmail.com>
2024-03-22 16:18:31 -06:00 · 2024-03-22 16:18:31 -06:00 · 51a47138d2
parent f458519a2b
commit 51a47138d2
9 changed files with 130 additions and 11 deletions
--- a/assets/styles/layouts/article/_html-diagrams.scss
+++ b/assets/styles/layouts/article/_html-diagrams.scss
@ -526,10 +526,6 @@ table tr.point{
  .plan-double-column {
    display: flex;
    justify-content: space-around;
    .plan-column {
      // width: 50%;
    }
  }
 }
--- a/content/influxdb/clustered/admin/bypass-identity-provider.md
+++ b/content/influxdb/clustered/admin/bypass-identity-provider.md
@ -0,0 +1,111 @@
 ---
 title: Bypass your identity provider
 description: >
  InfluxDB clustered generates a valid access token (known as the _admin token_)
  that can be used in development and testing environments in lieu of configuring
  and using an OAuth2 identity provider.
 menu:
  influxdb_clustered:
    parent: Administer InfluxDB Clustered
 weight: 207
 ---
 {{< product-name >}} generates a valid access token (known as the _admin token_)
 for managing databases and database tokens and stores it as a secret in your
 InfluxDB namespace.
 You can use the admin token with the [`influxctl` CLI](/influxdb/clustered/reference/cli/influxctl/)
 in lieu of configuring and using an OAuth2 identity provider.
 {{% warn %}}
 #### Do not use in production
 This feature is for development and testing purposes only and should not be used
 in a production InfluxDB cluster.
 {{% /warn %}}
 ## Configure influxctl to use the admin token
 {{% code-placeholders "INFLUXDB_NAMESPACE|DIRECTORY_PATH" %}}
 1.  If you haven't already, [download, install, or upgrade to `influxctl` v2.2.0 or newer](/influxdb/clustered/reference/cli/influxctl/#download-and-install-influxctl).
 2.  Use `kubectl` to retrieve the admin token from your cluster namespace's
    secret store and copy it to a file:
    ```sh
    kubectl get secrets/admin-token \
      --template={{.data.token}} \
      --namespace INFLUXDB_NAMESPACE | base64 -d > token.json
    ```
 3.  Update your `influxctl` connection profile with a new `[profile.auth.token]`
    section.
 4.  In the `[profile.auth.token]` section, assign the `token_file` setting to the location of your saved admin token file:
    ```toml
    [[profile]]
    # ...
      [profile.auth.token]
        token_file = "/DIRECTORY_PATH/token.json"
    ```
 {{% /code-placeholders %}}
 In the examples above, replace the following:
 - {{% code-placeholder-key %}}`INFLUXDB_NAMESPACE`{{% /code-placeholder-key %}}:
  The name of your InfluxDB namespace.
 - {{% code-placeholder-key %}}`DIRECTORY_PATH`{{% /code-placeholder-key %}}:
  The directory path to your admin token file, `token.json`.
 ## Revoke an admin token
 The admin token is a long-lived access token.
 The only way to revoke the token is to do the following:
 {{% code-placeholders "INFLUXDB_NAMESPACE|KEY_GEN_JOB|001" %}}
 1.  Delete the `rsa-keys` secret from your InfluxDB cluster's context and namespace:
    ```sh
    kubectl delete secrets/rsa-keys --namespace INFLUXDB_NAMESPACE
    ```
 2.  Rerun the `key-gen` job:
    1.  List the jobs in your InfluxDB namespace to find the key-gen job pod:
        ```
        # List jobs to find the key-gen job pod
        kubectl get jobs --namespace INFLUXDB_NAMESPACE
        ```
    2.  Run the key-gen job and increment the job number as needed:
        ```sh
        kubectl create job \
          --from=job/KEY_GEN_JOB key-gen-001 \
          --namespace INFLUXDB_NAMESPACE
        ```
 3.  Restart the `token-management` service:
    ```sh
    kubectl delete pods \
      --selector app=token-management \
      --namespace INFLUXDB_NAMESPACE
    ```
 {{% /code-placeholders %}}
 In the examples above, replace the following:
 - {{% code-placeholder-key %}}`INFLUXDB_NAMESPACE`{{% /code-placeholder-key %}}:
  The name of your InfluxDB namespace.
 - {{% code-placeholder-key %}}`KEY_GEN_JOB`{{% /code-placeholder-key %}}:
  The name of the key-gen job pod.
 - {{% code-placeholder-key %}}`001`{{% /code-placeholder-key %}}:
  A unique number used to increment the key-gen job.
 {{% note %}}
 To create a new admin token after revoking the existing one, rerun the
 `create-admin-token` job.
 {{% /note %}}
--- a/content/influxdb/clustered/admin/custom-partitions/_index.md
+++ b/content/influxdb/clustered/admin/custom-partitions/_index.md
@ -6,7 +6,7 @@ description: >
  specific schema and workload.
 menu:
  influxdb_clustered:
-    parent: Administer InfluxDB Cloud
+    parent: Administer InfluxDB Clustered
 weight: 103
 influxdb/clustered/tags: [storage]
 related:
--- a/content/influxdb/clustered/admin/tables/_index.md
+++ b/content/influxdb/clustered/admin/tables/_index.md
@ -7,7 +7,7 @@ description: >
  In previous versions of InfluxDB, tables were known as "measurements."
 menu:
  influxdb_clustered:
-    parent: Administer InfluxDB Cloud
+    parent: Administer InfluxDB Clustered
 weight: 101
 influxdb/clustered/tags: [tables]
 ---
--- a/content/influxdb/clustered/admin/tokens/database/list.md
+++ b/content/influxdb/clustered/admin/tokens/database/list.md
@ -5,7 +5,7 @@ description: >
  to list tokens in your InfluxDB cluster.
 menu:
  influxdb_clustered:
-    parent: Manage database tokens
+    parent: Database tokens
 weight: 202
 list_code_example: |
  ```sh
--- a/content/influxdb/clustered/admin/tokens/database/update.md
+++ b/content/influxdb/clustered/admin/tokens/database/update.md
@ -5,7 +5,7 @@ description: >
  to update a database token's permissions in your InfluxDB cluster.
 menu:
  influxdb_clustered:
-    parent: Manage database tokens
+    parent: Database tokens
 weight: 201
 list_code_example: |
  ```sh
--- a/content/influxdb/clustered/admin/upgrade.md
+++ b/content/influxdb/clustered/admin/upgrade.md
@ -7,7 +7,7 @@ menu:
  influxdb_clustered:
    name: Upgrade InfluxDB
    parent: Administer InfluxDB Clustered
-weight: 101
+weight: 206
 influxdb/clustered/tags: [upgrade]
 related:
  - /influxdb/clustered/install/
--- a/content/influxdb/clustered/install/auth.md
+++ b/content/influxdb/clustered/install/auth.md
@ -20,6 +20,18 @@ If you choose to deploy your provider with your InfluxDB cluster, the process
 outlined below should be done _after_ your initial InfluxDB cluster deployment.
 {{% /note %}}
 {{% note %}}
 #### Bypass your identity provider for development and testing
 If running in a development or testing environment and you do not want to
 authorize with an OAuth2 identity provider, {{< product-name >}} provides an
 _admin token_ in your cluster's namespace that can be used to bypass your
 identity provider.
 For more information, see
 [Bypass your identity provider](/influxdb/clustered/admin/bypass-identity-provider/).
 {{% /note %}}
 InfluxDB Clustered requires that your OAuth2 identity provider supports
 [Device Authorization Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow).
 InfluxData has tested with the following identity providers:
--- a/layouts/shortcodes/code-placeholders.html
+++ b/layouts/shortcodes/code-placeholders.html
@ -2,5 +2,5 @@
 {{- $color := .Get 1 | default "magenta" -}}
 {{- $elReplace := print "<div class='code-placeholder-wrapper'><var title='Edit $0' class='code-placeholder " $color "' data-code-var='$0' data-code-var-value='$0'>$0<span class='code-placeholder-edit-icon cf-icon Pencil'></span></var></div>" -}}
 {{- $code := .Inner | markdownify -}}
-{{- $codeCallout := replaceRE $regex $elReplace $code -}}
+{{- $codePlaceholders := replaceRE $regex $elReplace $code -}}
-{{ $codeCallout | safeHTML }}
+{{ $codePlaceholders | safeHTML }}