Red Hat Advanced Cluster Management / ACM-1598

Support using token registration to authenticate managed clusters


    • To Do
    • ACM-1492 - Klusterlet & Add-on Framework

      Epic Goal

      • Support token registration to authenticate managed clusters

      Why is this important?

      • For some reason we don't have the ability to enable CSR in our clusters. As an alternative, we may support authenticating managed clusters without using CSR, e.g. sa-token/secret with kubeconfig, token registration, etc.

      Community issue: https://github.com/open-cluster-management-io/enhancements/issues/68
      Proposal: https://github.com/open-cluster-management-io/enhancements/pull/69

      Scenarios

      1. OCM agents in the spoke cluster were offline (e.g. due to an outage), during which time their service account token expired.
      2. A network outage resulted in the spoke cluster losing connectivity to the hub API server for an extended period of time.
      3. A service account was intentionally deleted (e.g. the associated token was compromised) and replaced.
      4. In the token-based approach, add-ons also need to use a token to talk to the hub.

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            qiujian106 Qiu Jian
            yuhe@redhat.com Yuanyuan He
            Yuanyuan He Yuanyuan He
            Le Yang Le Yang
            Qiu Jian Qiu Jian
            Sho Weimer Sho Weimer