...

CDAP must be configured with a shared secret file that every system service can read. To generate the shared secret file, use the AuthenticationTool:

docker run -it --rm \

...

--mount type=bind,source=$(pwd),target=/auth

...


...

gcr.io/cdapio/cdap:latest \

...

io.cdap.cdap.security.tools.AuthenticationTool -g /auth/auth.key

Next, ensure the key file (/auth/auth.key) is available to every system service. In Kubernetes, this can be done by creating a new secret and mounting it as a file in the pod:

kubectl create secret generic cdap-auth \

...

--from-file=auth.key
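
The mounting half of the Kubernetes step above, as an added example (a generic Pod manifest written for illustration, not a CDAP-provided one). The pod, container and volume names are hypothetical; the secret name, key name, image and /auth/auth.key path are the ones used on this page.

```yaml
# Added example: mounts the cdap-auth secret so the key appears at /auth/auth.key.
apiVersion: v1
kind: Pod
metadata:
  name: cdap-system-service          # hypothetical pod name
spec:
  containers:
    - name: cdap                     # hypothetical container name
      image: gcr.io/cdapio/cdap:latest
      volumeMounts:
        - name: auth-key
          mountPath: /auth           # the key file is exposed as /auth/auth.key
          readOnly: true             # the service only needs to read the key
  volumes:
    - name: auth-key                 # hypothetical volume name
      secret:
        secretName: cdap-auth        # secret created with kubectl create secret
        defaultMode: 0400            # owner read-only instead of the default 0644
        items:
          - key: auth.key            # key name produced by --from-file=auth.key
            path: auth.key
```

Every system service pod needs the same volume and mount so that all of them read the identical key. If a container runs as a non-root user, the 0400 mode has to be paired with a pod-level securityContext.fsGroup so that user can still read the file.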

Alternatively, in distributed mode, other key managers (for example, the DistributedKeyManager leveraging ZooKeeper) can be used, but the same key must be available to all system services or internal token verification will fail.

...