Api key deprecation #184
Open
Api key deprecation #184
+132
−244
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for suse-obs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
|
||
| Don't add a `update-scoped-permissions` permission, that will not work for a token that is used from multiple clusters. | ||
|
|
||
| Now re-deploy your agents and Open Telemetry collectors by following the instructions available in the UI for the Kubernetes StackPack and the xref:setup/otel/getting-started/getting-started-k8s.adoc[Open Telemetry collector documentation]. Use the generated Service Token as the API key by following. |
Contributor
There was a problem hiding this comment.
The last sentence reads like there should be more to it? Use the generated Service Token as the API key by following.
| ---- | ||
|
|
||
| ➡️ xref:/setup/cli/cli-sts.adoc#_authentication[Learn more about the SUSE Observability APIs] | ||
| Use the xref:use/security/k8s-service-tokens.adoc[Service Tokens] to authenticate authenticate to SUSE Observability without having an associated a user account. Service tokens are the preferred way to authenticate from CI/CD, or when sending telemetry data from agents or Open Telemetry. How to create and use service tokens is described in the xref:use/security/k8s-service-tokens.adoc[Service Tokens documentation]. |
Contributor
There was a problem hiding this comment.
There's a floating article (a) in the first sentence - having an associated a user account
|
|
||
| Ingestion API Keys were used by external tools to ingest data (such as metrics, events and traces) to the SUSE Observability cluster. | ||
| These tools include the STS Agent or/and OTel Collector. The recommended authentication mechanism is through xref:/use/security/k8s-service-tokens.adoc#_authenticate_using_service_tokens_for_data_ingestion[Service Tokens]. | ||
| These tools include the STS Agent or/and OTel Collector. Service tokens have the same, and more, capabilities. Follow the same steps as for the API key (in the previous setion) to migrate to <<_migrate_to_a_service_token_per_cluster, a service token per cluster>> or <<_migrate_to_a_single_service_token, a single service token>>. |
Contributor
There was a problem hiding this comment.
minor: there's not enough content between the headings and these anchors for them to work as expected.
|
|
||
| [NOTE] | ||
| ==== | ||
| *Note:* |
Contributor
There was a problem hiding this comment.
minor: the *Note:* is redundant in the rendered output (the note block already has a Note heading) - there's a double note.
| * The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability. | ||
| * Include `authentication.yaml` on every `helm upgrade` run. | ||
| * The authentication configuration is stored as a Kubernetes secret. |
Contributor
There was a problem hiding this comment.
Is there any housekeeping that needs to be done when the TTL on the bootstrap service token expires?
| update-metrics | system | ||
| ---- | ||
|
|
||
| Don't add a `update-scoped-permissions` permission, that will not work for a token that is used from multiple clusters. |
Contributor
There was a problem hiding this comment.
Suggested change
| Don't add a `update-scoped-permissions` permission, that will not work for a token that is used from multiple clusters. | |
| Do not add a `update-scoped-permissions` permission as it will not work for a token that is used from multiple clusters. |
|
|
||
| Don't add a `update-scoped-permissions` permission, that will not work for a token that is used from multiple clusters. | ||
|
|
||
| Now re-deploy your agents and Open Telemetry collectors by following the instructions available in the UI for the Kubernetes StackPack and the xref:setup/otel/getting-started/getting-started-k8s.adoc[Open Telemetry collector documentation]. Use the generated Service Token as the API key by following. |
Contributor
There was a problem hiding this comment.
Suggested change
| Now re-deploy your agents and Open Telemetry collectors by following the instructions available in the UI for the Kubernetes StackPack and the xref:setup/otel/getting-started/getting-started-k8s.adoc[Open Telemetry collector documentation]. Use the generated Service Token as the API key by following. | |
| Re-deploy your agents and Open Telemetry collectors by following the instructions available in the UI for the Kubernetes StackPack and the xref:setup/otel/getting-started/getting-started-k8s.adoc[Open Telemetry collector documentation]. Use the generated Service Token as the API key by following. |
| Use "sts service-token [command] --help" for more information about a command. | ||
| ---- | ||
|
|
||
| It's also possible to <<_set_up_a_bootstrap_service_token,set up a bootstrap service token>> when installing SUSE Observability. |
Contributor
There was a problem hiding this comment.
Suggested change
| It's also possible to <<_set_up_a_bootstrap_service_token,set up a bootstrap service token>> when installing SUSE Observability. | |
| It's also possible to <<_set_up_a_bootstrap_service_token,set up a bootstrap service token>> when installing {stackstate-product-name}. |
| ==== | ||
|
|
||
| To create a service token in your instance of SUSE Observability, you can use the `sts` CLI. | ||
| To create a service token for SUSE Observability, you can use the `sts` CLI. |
Contributor
There was a problem hiding this comment.
Suggested change
| To create a service token for SUSE Observability, you can use the `sts` CLI. | |
| To create a service token for {stackstate-product-name}, you can use the `sts` CLI. |
|
|
||
| === Set up a bootstrap service token | ||
|
|
||
| When installing SUSE Observability, it's possible to bootstrap it with a (temporary) service token. This allows for using the CLI without first interacting with SUSE Observability and obtaining an API token from the UI. In order to set this up, you can add the following snippet to the SUSE Observability configuration file: |
Contributor
There was a problem hiding this comment.
Suggested change
| When installing SUSE Observability, it's possible to bootstrap it with a (temporary) service token. This allows for using the CLI without first interacting with SUSE Observability and obtaining an API token from the UI. In order to set this up, you can add the following snippet to the SUSE Observability configuration file: | |
| When installing {stackstate-product-name}, it's possible to bootstrap it with a (temporary) service token. This allows using the CLI without first interacting with {stackstate-product-name} and obtaining an API token from the UI. In order to set this up, add the following snippet to the {stackstate-product-name} configuration file: |
|
|
||
| When installing SUSE Observability, it's possible to bootstrap it with a (temporary) service token. This allows for using the CLI without first interacting with SUSE Observability and obtaining an API token from the UI. In order to set this up, you can add the following snippet to the SUSE Observability configuration file: | ||
|
|
||
| To configure SUSE Observability to create a bootstrap service token on Kubernetes, The following values need to be added to the file `authentication.yaml`. For example |
Contributor
There was a problem hiding this comment.
Suggested change
| To configure SUSE Observability to create a bootstrap service token on Kubernetes, The following values need to be added to the file `authentication.yaml`. For example | |
| To configure {stackstate-product-name} to create a bootstrap service token on Kubernetes, the following values need to be added to the file `authentication.yaml`. For example: |
| ttl: 24h | ||
| ---- | ||
|
|
||
| Follow the steps below to configure SUSE Observability to create a bootstrap service token: |
Contributor
There was a problem hiding this comment.
Suggested change
| Follow the steps below to configure SUSE Observability to create a bootstrap service token: | |
| Follow the steps below to configure {stackstate-product-name} to create a bootstrap service token: |
Comment on lines
+96
to
+97
| ** *token* - The token that will be created on (initial) start of SUSE Observability. | ||
| ** *roles* - An array of roles that will be assigned to the bootstrap token. |
Contributor
There was a problem hiding this comment.
Suggested change
| ** *token* - The token that will be created on (initial) start of SUSE Observability. | |
| ** *roles* - An array of roles that will be assigned to the bootstrap token. | |
| ** *token* - The token that is created at the (initial) start of {stackstate-product-name}. | |
| ** *roles* - An array of roles that are assigned to the bootstrap token. |
| ** *token* - The token that will be created on (initial) start of SUSE Observability. | ||
| ** *roles* - An array of roles that will be assigned to the bootstrap token. | ||
| ** *ttl* - Optional. The time-to-live for the service token, expressed as a duration string. | ||
| . Store the file `authentication.yaml` together with the `values.yaml` from the SUSE Observability installation instructions. |
Contributor
There was a problem hiding this comment.
Suggested change
| . Store the file `authentication.yaml` together with the `values.yaml` from the SUSE Observability installation instructions. | |
| . Store the file `authentication.yaml` together with the `values.yaml` from the {stackstate-product-name} installation instructions. |
|
|
||
| ==== Setup the bootstrap service token from an external secret | ||
|
|
||
| When the bootstrap token should come from an external secret, follow xref:/setup/security/external-secrets.adoc#_getting_authentication_data_from_an_external_secret[these steps] and add the following data: |
Contributor
There was a problem hiding this comment.
When the bootstrap token should come from an external secret- This isn't clear. Is it supposed to be - "When the bootstrap token is retrieved from an external secret"?
| ---- | ||
| > sts context --name <name> --service-token <TOKEN> --url https://<tenant>.app.stackstate.io | ||
| ---- | ||
| A service token can be used for authentication with the `sts` CLI. For details, see xref:/setup/cli/cli-sts.adoc#_authentication[the CLI documentation]. |
Contributor
There was a problem hiding this comment.
Suggested change
| A service token can be used for authentication with the `sts` CLI. For details, see xref:/setup/cli/cli-sts.adoc#_authentication[the CLI documentation]. | |
| A service token isd used for authentication with the `sts` CLI. For more information, see xref:/setup/cli/cli-sts.adoc#_authentication[the CLI documentation]. |
Contributor
akashraj4261
left a comment
akashraj4261
left a comment
There was a problem hiding this comment.
Minor comments and typos.
viliakov
reviewed
Jan 19, 2026
| === List service tokens | ||
|
|
||
| The ID, name, expiration date and roles of all created service tokens can be seen using the `sts` CLI. For example: | ||
| The ID, name, expiration date and roles of all created service tokens can be seen using the new `sts` CLI. For example: |
Contributor
There was a problem hiding this comment.
Suggested change
| The ID, name, expiration date and roles of all created service tokens can be seen using the new `sts` CLI. For example: | |
| The ID, name, expiration date and roles of all created service tokens can be seen using the `sts` CLI. For example: |
Should we stop use "new" for the cli? It is inconsistent even within this page. And also it might be confusing for those who aren't aware about the "old" cli.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.