chore(charts): add passport component to requirements

Author: lijianguo

README.md

@@ -10,6 +10,7 @@ This repository contains the source code for Drycc Workflow documentation. If yo
 
 Please see below for links and descriptions of each component:
 
+- [passport](https://github.com/drycc/passport) - Workflow single sign on system
 - [controller](https://github.com/drycc/controller) - Workflow API server
 - [builder](https://github.com/drycc/builder) - Git server and source-to-image component
 - [imagebuilder](https://github.com/drycc/imagebuilder) - The builder for [Docker](https://www.docker.com/) based applications

charts/workflow/requirements.yaml

@@ -41,3 +41,6 @@ dependencies:
   - name: rabbitmq
     version: <rabbitmq-tag>
     repository: https://charts.drycc.cc/stable/rabbitmq
+  - name: passport
+    version: <passport-tag>
+    repository: https://charts.drycc.cc/stable/passport

charts/workflow/values.yaml

@@ -28,7 +28,7 @@ global:
   # - on-cluster: Run Redis within the Kubernetes cluster
   # - off-cluster: Run Redis outside the Kubernetes cluster (configure in redis section)
   redis_location: "on-cluster"
-    # Set the location of Workflow's rabbitmq instance
+  # Set the location of Workflow's rabbitmq instance
   # Valid values are:
   # - on-cluster: Run Rabbitmq within the Kubernetes cluster
   # - off-cluster: Run Rabbitmq outside the Kubernetes cluster (configure in controller section)
@@ -91,6 +91,12 @@ global:
   platform_domain: ""
   # Whether cert_manager is enabled to automatically generate drycc certificates
   cert_manager_enabled: "true"
+  # Set the location of Workflow's passport
+  #
+  # Valid values are:
+  # - on-cluster: Run passport within the Kubernetes cluster
+  # - off-cluster: Use passport outside the Kubernetes cluster
+  passport_location: "on-cluster"
 
 s3:
   # Your AWS access key. Leave it empty if you want to use IAM credentials.

src/understanding-workflow/components.md

@@ -19,6 +19,12 @@ the `drycc` CLI. The controller provides all of the platform functionality as
 well as interfacing with your Kubernetes cluster. The controller persists all
 of its data to the database component.
 
+## Passport
+
+**Project Location:** [drycc/passport](https://github.com/drycc/passport)
+
+The passport component exposes a web API and provide OAuth2 authentication.
+
 ## Database
 
 **Project Location:** [drycc/postgres](https://github.com/drycc/postgres)

src/users/cli.md

@@ -26,7 +26,6 @@ Use `drycc help` to explore the commands available to you:
 
     Auth commands::
 
-      register      register a new user with a controller
       login         login to a controller
       logout        logout from the current controller
 
@@ -45,6 +44,7 @@ To get help on subcommands, use `drycc help [subcommand]`:
     apps:logs          view aggregated application logs
     apps:run           run a command in an ephemeral app container
     apps:destroy       destroy an application
+    apps:transfer      transfer app ownership to another user
 
     Use `drycc help [command]` to learn more
 

src/users/registration.md

@@ -1,36 +1,12 @@
 # Users and Registration
 
-There are two classes of Workflow users: normal users and administrators.
-
- * Users can use most of the features of Workflow - creating and deploying applications, adding/removing domains, etc.
- * Administrators can perform all the actions that users can, but they also have owner access to all applications.
-
-The first user created on a Workflow installation is automatically an administrator.
-
-## Register with a Controller
-
-Use `drycc register` with the [Controller][] URL (supplied by your Drycc administrator)
-to create a new account. After successful registration you will be logged in as the new user.
-
-    $ drycc register http://drycc.example.com
-    username: myuser
-    password:
-    password (confirm):
-    email: myuser@example.com
-    Registered myuser
-    Logged in as myuser
-
-!!! important
-    The first user to register with Drycc Workflow automatically becomes an administrator. Additional users who register will be ordinary users.
+Workflow use the passport component to create and authorize users
 
 ## Login to Workflow
 
 If you already have an account, use `drycc login` to authenticate against the Drycc Workflow API.
 
     $ drycc login http://drycc.example.com
-    username: drycc
-    password:
-    Logged in as drycc
 
 ## Logout from Workflow
 
@@ -49,107 +25,4 @@ You can verify your client configuration by running `drycc whoami`.
 !!! note
     Session and client configuration is stored in the `~/.drycc/client.json` file.
 
-## Registering New Users
-
-By default, new users are not allowed to register after an initial user does. That initial user
-becomes the first "admin" user. Others will now receive an error when trying to register, but when
-logged in, an admin user can register new users:
-
-```shell
-$ drycc register --login=false --username=newuser --password=changeme123 --email=newuser@drycc.cc
-```
-
-## Controlling Registration Modes
-
-After creating your first user, you may wish to change the registration mode for Drycc Workflow.
-
-Drycc Workflow supports three registration modes:
-
-| Mode                  | Description                                     |
-| ---                   | ---                                             |
-| admin\_only (default) | Only existing admins may register new users     |
-| enabled               | Registration is enabled and anyone can register |
-| disabled              | Does not allow anyone to register new users.    |
-
-To modify the registration mode for Workflow you may add or modify the `REGISTRATION_MODE` environment variable for the
-controller component. If Drycc Workflow is already running, use:
-
-`kubectl --namespace=drycc patch deployments drycc-controller -p '{"spec":{"template":{"spec":{"containers":[{"name":"drycc-controller","env":[{"name":"REGISTRATION_MODE","value":"disabled"}]}]}}}}'`
-
-Modify the `value` portion to match the desired mode.
-
-Kubernetes will automatically deploy a new ReplicaSet and corresponding Pod with the new environment variables set.
-
-## Managing Administrative Permissions
-
-You can use the `drycc perms` command to promote a user to an admin:
-
-```
-$ drycc perms:create john --admin
-Adding john to system administrators... done
-```
-
-View current admins:
-
-```
-$ drycc perms:list --admin
-=== Administrators
-admin
-john
-```
-
-Demote admins to normal users:
-
-```
-$ drycc perms:delete john --admin
-Removing john from system administrators... done
-```
-
-## Re-issuing User Authentication Tokens
-
-The controller API uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for
-client-server setups, such as native desktop and mobile clients. Each user of the platform is issued a token the first
-time that they sign up on the platform. If this token is compromised, it will need to be regenerated.
-
-A user can regenerate their own token like this:
-
-    $ drycc auth:regenerate
-
-An administrator can also regenerate the token of another user like this:
-
-    $ drycc auth:regenerate -u test-user
-
-At this point, the user will no longer be able to authenticate against the controller with his auth token:
-
-    $ drycc apps
-    401 UNAUTHORIZED
-    Detail:
-    Invalid token
-
-They will need to log back in to use their new auth token.
-
-If there is a cluster wide security breach, an administrator can regenerate everybody's auth token like this:
-
-    $ drycc auth:regenerate --all=true
-
-
-## Changing Account Password
-
-A user can change their own account's password like this:
-
-```
-$ drycc auth:passwd
-current password:
-new password:
-new password (confirm):
-```
-
-An administrator can change the password of another user's account like this:
-
-```
-$ drycc auth:passwd --username=<username>
-new password:
-new password (confirm):
-```
-
 [controller]: ../understanding-workflow/components.md#controller