Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-1308

MCE: Cluster Discovery enabled for MITM cluster proxy

XMLWordPrintable

      Epic Goal

      • Background: OCP's cluster-wide proxy configuration includes the ability for a customer to define a cluster-wide custom Certificate Authorities bundle.  If defined, this bundle should be used as the trusted CA bundle by components making outbound SSL/TLS connections to endpoints outside of the cluster.  One scenario in which use of this bundle is important is to support man-in-the-middle type proxies, that is proxies that terminate (vs. pass through) the SSL/TLS connection.
      • The MCE operator should be extended to make the cluster-wide CA bundle (configmap) available to all of the components of MCE that run on the "hub".
      • MCE's cluster-discovery component should be extended to use the cluster-wide CA bundle when making proxied SSL/TLS connections to cloud.redhat.com to obtain cluster information.

      Out-of-Scope: 

      • It is possible that other components in MCE that initiate flows between hub and managed cluster (managed cluster import controller, cluster proxy, etc.) may also encounter MITM proxy configurations.  However, enabling components other than Discovery for this type of proxy is not a priority for ACM 2.6 and thus considered out of scope for this epic.

      Why is this important?

      • MCE's (and ACM's) proxy ennoblement is incomplete without this support, as  the existing proxy support does not work if the customer deploys a MITM proxy that uses a custom CA certificate.
      • We recently had a customer support case/BZ for just this kind of configuration, affecting cluster discovery.

      Scenarios

      1. An MCE hub running on OCP.
      2. The underlying OCP uses cluster-wide proxy configuration with cluster-wide custom Certificate Authorities bundle.
      3. Enable MCE operator to make use of the cluster-wide CA bundle (configmap).
      4. Cluster Discovery credential can be defined for Red Hat cloud.
      5. Cluster Discovery can be run successfully and display a valid list of clusters available within the RH cloud org.
      6. At this point, it's expected that a user can complete the cluster import step.

      Acceptance Criteria

      • When this Epic is completed, MCE cluster discovery will be able to successfully discover clusters in a customer environment in which:
        • The customer defines an OCP's cluster wide proxy
        • That proxy is a man-in-the-middle type, that is using a server certificate signed by some custom/non-standard CA
      • The customer is not required to do any MCE/discovery-specific configuration steps beyond doing the cluster-wide proxy/CA configuration at the OCP level.
      • The customer can define (or change) the OCP cluster-wide proxy configuration after installing MCE, and MCE will react to/start using that proxy without requiring manual customer intervention to eg. reinstall MCE, restart MCE components etc.
      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.

      Dependencies (internal and external)

      1. No known external dependencies. 

      Previous Work (Optional):

      Open questions:

      1. What other squads are impacted? Lets use this initial investigation to help other components understand what to do.
      2. We will need to keep this configuration in mind in future release when/if we intend to perform a Cluster Discovery on other cloud providers.

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              sberens@redhat.com Scott Berens
              sberens@redhat.com Scott Berens
              Jakob Gray Jakob Gray
              Joe Gdaniec Joe Gdaniec (Inactive)
              Scott Berens Scott Berens
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: