Registration and Authentication

How the self-hosted runner registers with Bluebricks and uses Kubernetes JWTs for passwordless, secure task orchestration

Bluebricks Self-Hosted Runner leverages our Kubernetes-native solution for passwordless, secure, and efficient task orchestration. This section outlines the registration and authentication flow that establishes the secure connection between your self-hosted cloud account and Bluebricks’ platform, and explains how Kubernetes JWT (JSON Web Tokens) are used.

Overview

The registration and authentication process for Self-Hosted Runners ensures:

Secure and Passwordless Authentication: Kubernetes JWT is utilized to validate service account identities without relying on static passwords.
Seamless Cluster Integration: The Bluebricks API, in conjunction with Kubernetes’ built-in JWKS endpoint, securely registers and verifies clusters.
Dynamic Task Execution: Once registered, tasks are securely assigned to the appropriate collection for further orchestration by the Bluebricks Deployments Controller (BDC).

Note: A self-hosted cloud account (referred to as “Self-Hosted Runner”) is equivalent to a cloud account. It is directly associated with a collection and can be connected to multiple collections, allowing flexible management of Infrastructure as Code (IaC) tasks across diverse setups.

Registration and authentication flow

Registration process

The registration establishes the secure connection between your Kubernetes cluster and Bluebricks platform. Here's how it works:

Steps to Register

Complete the Bluebricks Deployments Controller (BDC) installation

Run our registration script:

/bin/bash -c "$(curl -fsSL https://brickscli.s3.eu-west-1.amazonaws.com/releases/latest/self-hosted-register.sh)"

The script will:
- Verify your Kubernetes context
- Guide you through a simple wizard to collect necessary details
- Connect your cluster to Bluebricks platform

How authentication works

After registration, your cluster communicates securely with Bluebricks using Kubernetes' built-in security features:

Token-based Requests: The BDC automatically sends authenticated requests using BDC cluster's service account tokens, those tokens are short lived, usually with 1 hour TTL (Depends on the cluster configuration)
Automatic Verification: Our platform verifies each request using your cluster's own security mechanisms
Task Delivery: Once verified, tasks are securely delivered to your collection

Security assurance

Our authentication system is built on Kubernetes' enterprise-grade security standards:

Uses native Kubernetes JWT tokens for all authentication
Verifies every request against your cluster's own security endpoint
Maintains complete isolation between different collections
No passwords or external credentials to manage

PreviousOrchestrator in a Box NextNetwork Access Requirements

Last updated 15 days ago

Was this helpful?

Good afternoon

hashtagOverview

hashtagRegistration and authentication flow

hashtagRegistration process

hashtagSteps to Register

hashtagHow authentication works

hashtagSecurity assurance