Epic Goal
- Support token registration to authenticate managed clusters
Why is this important?
- For some reason we are not able to enable CSR in our clusters. As an alternative, we may support authenticating managed clusters without using CSR, for example with sa-token/secret with kubeconfig, token registration, etc.
Community issue: https://github.com/open-cluster-management-io/enhancements/issues/68
Proposal: https://github.com/open-cluster-management-io/enhancements/pull/69
Scenarios
- OCM agents in the spoke cluster were offline (e.g. due to an outage), and their service account token expired during that time.
- A network outage resulted in the spoke cluster losing connectivity to the hub API server for an extended period of time.
- A service account was intentionally deleted (e.g. the associated token was compromised) and replaced.
- In the token-based approach, addons also need to use a token to talk to the hub.
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
- ...
Dependencies (internal and external)
- ...
Previous Work (Optional):
- …
Open questions:
- …
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>