  1. Red Hat Advanced Cluster Management
  2. ACM-16765

Implement TLS support for AppSub S3 buckets


    • ACM-15987 - [RFE] Need Ability to Subscribe to TLS-Secured s3 Bucket
    • Workload Mgmt Train 23 - 1, Workload Mgmt Train 23 - 2, Workload Mgmt Train 24 - 1
    • Customer Escalated

      Value Statement

      Implement TLS support for AppSub S3 buckets needed by Morgan Stanley.

      Definition of Done for Engineering Story Owner (Checklist)

      • AppSub supports TLS for S3 buckets

      Development Complete

      • The code is complete.
      • Functionality is working.
      • Any required downstream Docker file changes are made.

      Tests Automated

      Test scenarios
      1. Test to make sure Objectstore still works without TLS

      2. Test with Objectstore TLS, make sure Channel insecureSkipVerify works
      Example:
      apiVersion: apps.open-cluster-management.io/v1
      kind: Channel
      metadata:
        name: object-dev
        namespace: ch-object-dev
      spec:
        type: ObjectBucket
        pathname: https://s3.console.aws.amazon.com/s3/buckets/feng-bucket
        secretRef:
          name: secret-dev
        insecureSkipVerify: true

      Note the new spec.insecureSkipVerify field. Previously, the ObjectBucket Channel did not support this.

      3. Test with Objectstore TLS, make sure configMapRef with cert works. Deploy to both Hub and Managed Cluster
      Example:
      apiVersion: apps.open-cluster-management.io/v1
      kind: Channel
      metadata:
        name: object-dev
        namespace: ch-object-dev
      spec:
        type: ObjectBucket
        pathname: https://s3.console.aws.amazon.com/s3/buckets/feng-bucket
        secretRef:
          name: secret-dev
        configMapRef:
          name: obj-ca
      ---
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: obj-ca
        namespace: ch-object-dev
      data:
        caCerts: |
          # minio root CA

          -----BEGIN CERTIFICATE-----
          ...sample cert...
          -----END CERTIFICATE-----
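
An added example, not taken from this issue or from the AppSub code base: it shows how the two Channel options in scenarios 2 and 3 translate into client-side TLS behaviour. The helper names `tlsConfigFor` and `probe` are assumptions, and a throwaway local TLS server with a privately signed certificate stands in for the object store.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tlsConfigFor (hypothetical helper) maps the two Channel options to a client tls.Config.
func tlsConfigFor(insecureSkipVerify bool, caCerts string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecureSkipVerify}
	if caCerts == "" {
		return cfg, nil // no extra roots: system trust store only
	}
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM([]byte(caCerts)) {
		return nil, fmt.Errorf("caCerts holds no parsable PEM certificate")
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// probe sends one request to a constructed local TLS server; nil means it succeeded.
func probe(insecureSkipVerify, trustServerCA bool) error {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	ca := ""
	if trustServerCA { // plays the role of the ConfigMap's caCerts value
		ca = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw}))
	}
	cfg, err := tlsConfigFor(insecureSkipVerify, ca)
	if err != nil {
		return err
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	fmt.Println(probe(false, false), probe(true, false), probe(false, true)) // x509 error, <nil>, <nil>
}
```

The insecureSkipVerify case succeeds against any certificate, so it confirms connectivity only; the caCerts case is the one that authenticates the object store.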

      Secure Design

      • [ ] Security has been assessed and incorporated into your threat model.

      Multidisciplinary Teams Readiness

      • [ ] Create an informative documentation issue using the Customer Portal Doc template that you can access from [The Playbook](https://docs.google.com/document/d/1YTqpZRH54Bnn4WJ2nZmjaCoiRtqmrc2w6DdQxe_yLZ8/edit#heading=h.9fvyr2rdriby), and ensure doc acceptance criteria is met.

      • Call out this sentence as its own action:

      Support Readiness

      • [ ] The must-gather script has been updated.

              fxiang@redhat.com Feng Xiang
              Yupeng Chang