OSDOCS-19753: adds Vault integration MCP gateway#111554
@ShaunaDiaz: This pull request references OSDOCS-19753 which is a valid jira issue. Details. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
🤖 Wed May 13 11:33:05 - Prow CI generated the docs preview: https://111554--ocpdocs-pr.netlify.app/rhcl/latest/mcp_gateway_config/mcp-gateway-vault.html
ff20aa9 to b956dfc
@ShaunaDiaz: all tests passed! Full PR test history. Your PR dashboard. Details. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
| --data '{ | ||
| "policy": "path \_<"secret/data/mcp-gateway/*\">_ {\n capabilities = [\"read\", \"list\"]\n}" | ||
| }' \ | ||
| _<http://vault.vault-namespace.svc.cluster.local:8200>_/v1/sys/policies/acl/authorino |
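Review bot: the `policy` value grants `list` as well as `read` on `secret/data/mcp-gateway/*`, but Authorino only ever performs a single read of the per-user path that the `urlExpression` composes, and on a KV v2 engine listing goes through the `secret/metadata/...` path rather than `secret/data/...`, so `list` here is unused; `capabilities = ["read"]` matches what the integration actually does. It is also worth one sentence in the doc that this single token can read every secret under `mcp-gateway/*`, so per-user isolation rests entirely on the `auth.identity.sub` suffix appended in the expression, not on the Vault policy.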
This is curling from outside the cluster, so http://vault.vault-namespace.svc.cluster.local can be a misleading example. Maybe use a more obvious placeholder such as <your-vault-service-hostname>?
| "user_claim": "sub", | ||
| "policies": ["authorino"], | ||
| "ttl": "1h" | ||
| }' |
| "vault": | ||
| http: | ||
| urlExpression: | | ||
| _<"https://vault.vault.svc.cluster.local:8200/v1/secret/data/mcp-gateway/" + auth.identity.sub>_ |
| _<"https://vault.vault.svc.cluster.local:8200/v1/secret/data/mcp-gateway/" + auth.identity.sub>_ | |
| "https://vault.vault.svc.cluster.local:8200/v1/secret/data/mcp-gateway/" + auth.identity.sub |
Using vault.vault.svc.cluster.local is probably fine here, since Authorino calls Vault within the cluster. Users only need to have their attention called to:
- whether a `vault` service indeed exists in the `vault` namespace
- whether the service listens on port 8200
- whether it's indeed https and not http.
Also, let's be careful with how we communicate a placeholder within a CEL expression. In this example, we want to convey that the Vault base URL may be different, but auth.identity.sub is a variable defined in the AuthPolicy that Authorino will always resolve and append to the URL.
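The string concatenation in that `urlExpression`, worked through as an added example (this is not code from the PR, from Authorino or from Vault): the Python below mirrors `"<base>" + auth.identity.sub` for a few constructed `sub` values, percent-encodes the claim as an alternative, and checks each resulting URL against the three points above (https, port 8200, and a path that stays exactly one secret name below `mcp-gateway/`). The Vault base URL is the one from the PR; the sample `sub` values and the scope check are assumptions, and nothing here asserts that Authorino or Vault mishandle such values.

```python
"""Added example: what the CEL expression
    "https://vault.vault.svc.cluster.local:8200/v1/secret/data/mcp-gateway/" + auth.identity.sub
resolves to for several constructed `sub` claims, with a check on the result.
Not code from the PR, Authorino or Vault."""
from urllib.parse import quote, urlsplit

# Base URL taken from the PR's example (assumed in-cluster Vault service; adjust to yours).
VAULT_BASE = "https://vault.vault.svc.cluster.local:8200/v1/secret/data/mcp-gateway/"
# Path prefix every composed URL is expected to keep (assumption: KV v2 under `secret/`).
EXPECTED_PREFIX = ["v1", "secret", "data", "mcp-gateway"]


def cel_concat_url(sub: str) -> str:
    """Mirror the CEL expression exactly: plain string concatenation, no escaping."""
    return VAULT_BASE + sub


def encoded_url(sub: str) -> str:
    """Alternative: percent-encode the claim so '/' or dot segments in `sub`
    cannot change the shape of the path (hypothetical hardening, not in the PR)."""
    return VAULT_BASE + quote(sub, safe="")


def url_stays_in_scope(url: str) -> bool:
    """True if the URL is https on port 8200 and the path is exactly one
    secret name directly under v1/secret/data/mcp-gateway/ (no nested or dot segments)."""
    u = urlsplit(url)
    if u.scheme != "https" or u.port != 8200 or u.query or u.fragment:
        return False
    segments = u.path.strip("/").split("/")
    return (
        segments[:4] == EXPECTED_PREFIX
        and len(segments) == 5
        and segments[4] not in ("", ".", "..")
    )


# Constructed sample claims: two ordinary subjects and two containing path characters.
SAMPLE_SUBS = [
    "alice",
    "auth0|5f1a",
    "alice/../bob",
    "../../metadata/mcp-gateway/alice",
]


def evaluate(subs=SAMPLE_SUBS) -> dict:
    """Map each sub to (raw concatenation in scope?, encoded variant in scope?)."""
    return {
        s: (url_stays_in_scope(cel_concat_url(s)), url_stays_in_scope(encoded_url(s)))
        for s in subs
    }


if __name__ == "__main__":
    for sub, (raw_ok, enc_ok) in evaluate().items():
        print(f"{sub!r:40} raw_in_scope={raw_ok} encoded_in_scope={enc_ok}")
```

Running the script prints one row per sample claim; plain subjects pass both checks, while a `sub` containing `/` only passes once encoded. The same `url_stays_in_scope` check rejects the `http://` variant of the URL, which is the scheme mismatch the comment above asks users to watch for.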
| - predicate: auth.metadata.exists(p, p == "vault-login") && has(auth.metadata["vault-login"].auth ) && has(auth.metadata["vault-login"].auth.client_token) | ||
| https: | ||
| urlExpression: | | ||
| _<"http://vault.vault.svc.cluster.local:8200/v1/secret/data/mcp-gateway/"_+_auth.identity.sub>_ |
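Review bot: the `https:` key wraps a `urlExpression` whose URL starts with `http://vault.vault.svc.cluster.local:8200/...`, while the earlier `vault` metadata block uses `https://` for the same host and port; the two should agree with each other and with what the Vault service actually serves, otherwise one of the two calls either fails or goes over cleartext. While fixing the URL, the `_+_` placeholder markup around the `+` operator should go as well: only the base URL is a placeholder, `+ auth.identity.sub` is literal CEL that Authorino evaluates.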
| |The issuer URL of your OpenId Connect SSO provider. You can also use `.jwksUrl` instead of `.issuerUrl:` for authentication servers that do not implement OIDC. This is the primary authentication step that validates who the user is. | ||
| |`spec.metadata."oauth-token".https.url` | ||
| |the token endpoint of your OAuth provider. Typically, this URL ends with `/token`. This parameter specifies the call to the provider. |
| |the token endpoint of your OAuth provider. Typically, this URL ends with `/token`. This parameter specifies the call to the provider. | |
| |The token endpoint of the OAuth provider used to authenticate to Vault. Typically, this URL ends with `/token`. |
| |the token endpoint of your OAuth provider. Typically, this URL ends with `/token`. This parameter specifies the call to the provider. | ||
| |`spec.rules.metadata.cache.ttl` | ||
| |Your required time in seconds. The example value is 30 minutes. |
| |Your required time in seconds. The example value is 30 minutes. | |
| |Time in seconds that Authorino will cache and reuse the metadata once returned by the external service (OAuth token or Vault client token). The example value is 30 minutes. |
| |Your required time in seconds. The example value is 30 minutes. | ||
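Review bot: the description of `spec.rules.metadata.cache.ttl` should state that the cache TTL (30 minutes in the example) must stay below the Vault token `ttl` granted by the JWT role (`"ttl": "1h"` in the role definition above); if the cached entry outlives the token, Authorino would present an already expired `client_token` on every Vault read until the cache entry expires.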
| |`spec.metadata."vault-login".https.url` | ||
| |Your the JWT login endpoint. This value typically ends in `/v1/auth/jwt/login`. This step performs the JWT authentication against Vault. |
nit:
| |Your the JWT login endpoint. This value typically ends in `/v1/auth/jwt/login`. This step performs the JWT authentication against Vault. | |
| |The Vault JWT login endpoint. This value typically ends in `/v1/auth/jwt/login`. This step performs the JWT authentication against Vault. |
| |These parameter values specify the secret retrieval from Vault. | ||
| |`spec.rules.metadata."vault".https.urlExpression` | ||
| |Your Vault server URL and secret path. Adapt the `auth-identity` according to how your claims uniquely identify an MCP gateway user. The Vault path in the expression must match the KV Secrets Engine version. |
| |Your Vault server URL and secret path. Adapt the `auth-identity` according to how your claims uniquely identify an MCP gateway user. The Vault path in the expression must match the KV Secrets Engine version. | |
| |Your Vault server URL and secret path. Replaced the `auth.identity.sub` variable according to how your claims uniquely identify an MCP gateway user if needed. The Vault path in the expression must match the KV Secrets Engine version. |
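Review bot: the parameter table mixes two key paths for the same AuthPolicy metadata block: `spec.metadata."oauth-token".https.url` and `spec.metadata."vault-login".https.url` omit `rules`, while `spec.rules.metadata.cache.ttl` and `spec.rules.metadata."vault".https.urlExpression` include it. Pick the one that matches the example manifest and use it in every row, otherwise a reader copying the keys into their policy will have entries that are silently ignored.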
Version(s):
rhcl-docs-1.3
rhcl-docs-1.4
Issue:
OSDOCS-19753
Link to docs preview:
https://111554--ocpdocs-pr.netlify.app/rhcl/latest/mcp_gateway_config/mcp-gateway-vault.html
QE review: