Revoke auth0 kubeconfig access token
Use this runbook if we make changes to the Auth0 authorisation process and require users to re-authenticate and use a new config to access the cluster.
1. Revoke existing tokens generated from GitHub
GitHub is being used as an OIDC provider. Once you’ve logged in to GitHub, it provides an ID token (valid for 10 hours), which is a signed JWT containing your GitHub username and a list of the teams you’re in.
To revoke the tokens you need MOJ organisation administrator access on GitHub. If you are not a GitHub admin, ask someone in the team who is to do it for you.
Click on the “Revoke all user tokens” button; this forces users to re-authenticate to get a new token.
2. Recreate auth0_client.kubernetes
Follow the steps below to recreate auth0_client.kubernetes so that existing tokens and kubeconfigs are no longer authorised.
1) Taint resources (terraform)
$ terraform workspace select live
$ terraform taint module.auth0.auth0_client.kubernetes
Check with terraform plan that the Auth0 resource is going to be recreated and that the AWS EKS identity provider will be associated with the new Auth0 Kubernetes client.
Apply changes if you are happy with them:
$ terraform apply
This creates a new Auth0 Kubernetes client and uses the new client’s details to associate the OIDC provider in the AWS EKS identity provider config.
Note: associating the OIDC provider takes around 35 minutes.
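Before running terraform apply, the plan check above can be made mechanical. The following is an added example (not part of the runbook or the Cloud Platform repository): it reads the JSON form of a saved plan (`terraform plan -out=plan.out && terraform show -json plan.out`) and confirms that the tainted Auth0 client is planned for replacement, that an EKS identity provider config is being created or replaced, and that nothing else changes. The sample plan JSON is constructed, and the address `module.eks.aws_eks_identity_provider_config.oidc` is an assumed name; only `module.auth0.auth0_client.kubernetes` comes from the runbook.

```python
import json

# Constructed sample in the shape of `terraform show -json plan.out` output; it is
# not real output from the Cloud Platform repository. The identity provider
# address is an assumed name (the runbook does not give it).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {"address": "module.auth0.auth0_client.kubernetes",
         "change": {"actions": ["delete", "create"]}},
        {"address": "module.eks.aws_eks_identity_provider_config.oidc",
         "change": {"actions": ["delete", "create"]}},
        {"address": "module.auth0.auth0_client.grafana",
         "change": {"actions": ["no-op"]}},
    ],
})

TAINTED_ADDRESS = "module.auth0.auth0_client.kubernetes"
IDP_TYPE = "aws_eks_identity_provider_config"
HARMLESS_ACTIONS = ({"no-op"}, {"read"})


def planned_actions(plan_json):
    """Map each resource address in a JSON plan to the set of planned actions."""
    plan = json.loads(plan_json)
    return {rc["address"]: set(rc["change"]["actions"])
            for rc in plan.get("resource_changes", [])}


def check_plan(plan_json, tainted_address=TAINTED_ADDRESS, idp_type=IDP_TYPE):
    """Return a list of problems. An empty list means the plan looks as the runbook
    expects: the tainted client is replaced, an identity provider config is created
    or replaced, and no other resource is changed."""
    actions = planned_actions(plan_json)
    problems = []
    if actions.get(tainted_address) != {"delete", "create"}:
        problems.append(f"{tainted_address} is not planned for replacement "
                        f"(actions: {sorted(actions.get(tainted_address, []))})")
    idp_addresses = [a for a in actions if f".{idp_type}." in a]
    if not any("create" in actions[a] for a in idp_addresses):
        problems.append(f"no {idp_type} is being created or replaced")
    expected = {tainted_address, *idp_addresses}
    for address, acts in actions.items():
        if address not in expected and acts not in HARMLESS_ACTIONS:
            problems.append(f"unexpected change to {address}: {sorted(acts)}")
    return problems


def with_actions(plan_json, address, actions):
    """Return a copy of plan_json with one resource's planned actions replaced;
    used here only to show what a failing check looks like."""
    plan = json.loads(plan_json)
    for rc in plan["resource_changes"]:
        if rc["address"] == address:
            rc["change"]["actions"] = list(actions)
    return json.dumps(plan)


if __name__ == "__main__":
    # With a real plan: json.load(open("plan.json")) after `terraform show -json plan.out > plan.json`
    print("expected plan:", check_plan(SAMPLE_PLAN_JSON) or "ok")
    print("taint missing:", check_plan(with_actions(SAMPLE_PLAN_JSON, TAINTED_ADDRESS, ["update"])))
```

If the check reports a problem, do not apply: an "update" on the client instead of a replacement means the taint did not take, and any unexpected change outside the Auth0 client and the identity provider config should be investigated before proceeding.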
2) Apply changes within components (terraform)
Run terraform plan inside
to ensure the changes match the kuberos resource; if they do, apply them:
$ terraform workspace select live
$ terraform plan
$ terraform apply -target=module.kuberos
3) Verifying changes
To verify that the changes were successfully applied:
- You can authenticate to the cluster (follow the user guide)
Ensure users are aware of the change. It is important to point out that they will have to re-authenticate against the cluster after the change (following the user guide).
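Alongside a fresh login, it is useful to confirm that tokens issued before the change are actually rejected. The following is an added example (not from the runbook or the Cloud Platform repository) that decodes the claims of an id-token taken from an existing kubeconfig and reports why the cluster would now refuse it. It assumes, as the EKS identity provider config is set up with the Auth0 client ID, that the token's `aud` claim must match the current client ID, and it uses the 10-hour lifetime the runbook states. The issuer, client IDs, user name and signature bytes are constructed placeholders, and the token is unsigned; the decoder deliberately does not verify signatures, so it is an inspection aid, never a way to decide whether to trust a token.

```python
import base64
import json
import time

TOKEN_LIFETIME_SECONDS = 10 * 60 * 60  # the runbook states ID tokens are valid for 10 hours


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(client_id, issued_at):
    """Build a constructed, unsigned JWT carrying the claims this check reads.
    The signature segment is a placeholder; this only stands in for a token copied
    out of a user's kubeconfig."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": "https://EXAMPLE-TENANT.auth0.com/",  # placeholder issuer
        "aud": client_id,
        "iat": issued_at,
        "exp": issued_at + TOKEN_LIFETIME_SECONDS,
        "nickname": "example-user",  # constructed GitHub username
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(b"placeholder-signature")])


def decode_jwt_claims(token):
    """Return the payload claims of a JWT without checking its signature. This is
    for inspecting a token you already hold, not for deciding whether to trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def rejection_reasons(token, current_client_id, now=None):
    """List why a kubeconfig id-token would be rejected after the Auth0 client has
    been recreated. An empty list means the token still looks usable, which after
    this runbook should only be true for tokens issued by the new client."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a list per the JWT spec
    reasons = []
    if current_client_id not in audiences:
        reasons.append("aud does not match the current Auth0 client id; re-authenticate")
    if claims.get("exp", 0) <= now:
        reasons.append("token has expired; re-authenticate")
    return reasons


if __name__ == "__main__":
    # Placeholder client IDs; the real ones come from the Auth0 tenant and the EKS config.
    old_token = make_sample_id_token("OLD-CLIENT-ID-PLACEHOLDER", issued_at=int(time.time()))
    print(rejection_reasons(old_token, "NEW-CLIENT-ID-PLACEHOLDER"))
```

For a real check, copy the `id-token` value out of a user's old kubeconfig and pass the client ID of the newly created Auth0 Kubernetes client; a token from before the change should report the audience mismatch even while it is still within its 10-hour lifetime.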