Bug 1470022

Summary: SSO with Kibana through Openshift is not working with multiple Kibana replicas
Product: Red Hat CloudForms Management Engine
Reporter: Erez Freiberger <efreiber>
Component: Providers
Assignee: Loic Avenel <lavenel>
Status: CLOSED WONTFIX
QA Contact: Einat Pacifici <epacific>
Severity: high
Priority: high
Version: 5.8.0
CC: fsimonce, gblomqui, jfrey, jhardy, obarenbo, rmeggins
Target Milestone: GA
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: container
Doc Type: If docs needed, set a value
Last Closed: 2018-12-11 16:54:45 UTC
Type: Bug
Cloudforms Team: Container Management
Bug Blocks: 1461616

Description Erez Freiberger 2017-07-12 09:45:48 UTC
Description of problem:
The current protocol for SSO with Kibana through Openshift is sending Kibana the management-admin (ManageIQ's Service Account) token with a temporary user-token and then giving that user-token to the user to connect to Kibana with it. The auth-proxy container on the Kibana pod has a map between user-tokens and service account (SA) tokens and knows to forward the SA token for authentication. This way we are hiding the SA token from the user.


ManageIQ          -> Kibana auth-proxy /sso/setup?auth_token=$$$&user_token=%%%
User              -> Kibana auth-proxy /sso/login?user_token=%%%
Kibana auth-proxy -> Openshift         authenticates with auth_token=$$$


When there are multiple replicas of Kibana, it is very common that one replica will get the /sso/setup requests from ManageIQ and another will get the user's requests. The replica that gets the user's requests will then not know the SA token and will forward the user to authenticate with Openshift manually.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Scale the logging-kibana dc to two or more replicas
oc scale dc/logging-kibana-ops --replicas=2

Actual results:
When clicking the External logging button in ManageIQ we are forwarded to authenticate with Openshift

Expected results:
Seamless SSO that will forward us into Kibana.

Additional info:

Comment 2 Federico Simoncelli 2017-07-12 13:47:47 UTC
*** Bug 1468213 has been marked as a duplicate of this bug. ***
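
The replica mismatch described in the bug description, as an added Python simulation (not code from ManageIQ, the auth-proxy, or this bug report): each replica keeps its own user-token map, so a login routed to a different replica than the setup call finds no SA token. The class and function names, the round-robin routing, and the shared-map variant are assumptions made for illustration; tokens are constructed random values.

```python
import itertools
import secrets


class AuthProxyReplica:
    """One Kibana auth-proxy holding a user-token -> SA-token map."""

    def __init__(self, name, token_map=None):
        self.name = name
        # In-memory and private to this replica unless a shared map is passed
        # in (hypothetical variant, not something the bug report proposes).
        self.token_map = {} if token_map is None else token_map

    def sso_setup(self, auth_token, user_token):
        # ManageIQ -> /sso/setup?auth_token=...&user_token=...
        self.token_map[user_token] = auth_token
        return "setup-ok"

    def sso_login(self, user_token):
        # User -> /sso/login?user_token=...
        if self.token_map.get(user_token) is None:
            # This replica never saw the setup call for this user-token.
            return "redirect-to-openshift-login"
        # The SA token is used towards Openshift and never handed to the user.
        return "kibana-session"


class RoundRobinService:
    """Assumed routing: consecutive requests go to consecutive replicas."""

    def __init__(self, replicas):
        self._cycle = itertools.cycle(replicas)

    def route(self):
        return next(self._cycle)


def external_logging_click(service):
    """Replay the two requests behind one click of the External logging button."""
    sa_token = secrets.token_urlsafe(16)    # constructed stand-in for the SA token
    user_token = secrets.token_urlsafe(16)  # temporary user-token
    service.route().sso_setup(sa_token, user_token)
    return service.route().sso_login(user_token)


def run(replica_count, shared=False):
    store = {} if shared else None
    replicas = [AuthProxyReplica(f"kibana-{i}", store) for i in range(replica_count)]
    return external_logging_click(RoundRobinService(replicas))


if __name__ == "__main__":
    for count, shared in [(1, False), (2, False), (2, True)]:
        print(f"replicas={count} shared_map={shared}: {run(count, shared)}")
```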