Red Hat Advanced Cluster Management: ACM-2312

ACM Investigate if we can/need to enhance TemplatizedPolicies to work with keycloak

    • Type: Epic
    • Resolution: Done
    • Priority: Critical
    • Component: GRC
    • Status: To Do
    • Parent: ACM-33 - Multi-cluster Governance, Risk & Compliance (GRC)


      Epic Goal

      • We want to use Keycloak for fleet-wide SSO across different services. The challenge is to add a new Keycloak client as automatically as possible.

      A few semi-static inputs are needed: the Keycloak URL, the client secret (unique for each
      client, i.e. for each hub cluster), the role name that the cluster-admin permissions should
      be bound to, and so on.

      Below are the steps which could be templatized (run against the spoke cluster):

      # get the spoke cluster's redirect URL; the trailing path segment must match the
      # identity provider's name in the OAuth CR (here "keycloak"), and this URL has to be
      # registered as a valid redirect URI on the Keycloak client
      echo "$(oc get -n openshift-authentication cm v4-0-config-system-metadata -o jsonpath='{.data.oauthMetadata}' | jq -r '.issuer')/oauth2callback/keycloak"
      
      # get the route CA and store it in openshift-config so the OAuth server can verify Keycloak
      oc -n openshift-ingress-operator get secret router-ca -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.crt
      oc -n openshift-config create cm keycloak-ca --from-file=ca.crt
      
      # create the client secret (value taken from the Keycloak client's credentials)
      oc -n openshift-config create secret generic keycloak-idp-secret --from-literal=clientSecret=<secret>
      
      # check the status of the currently configured identity providers
      oc describe oauth cluster
      
      # create the Keycloak identity provider (OAuth CR referencing keycloak-idp-secret and keycloak-ca)
      oc apply -f ocp-idp.yaml
      
      # bind the cluster-admin ClusterRole to the Keycloak group/role
      oc apply -f cluster-admin-from-group.yaml
      
      # remove the default basic-user binding that grants every authenticated user basic access;
      # confirm with describe that subject 0 is the system:authenticated group before patching
      oc describe clusterrolebindings basic-users
      oc patch clusterrolebindings basic-users --type json -p='[{"op": "remove", "path": "/subjects/0"}]'
      
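      As an added illustration (not part of this issue or of the ACM code base), the same steps expressed as a single ACM Policy that pushes the identity provider configuration to every matching managed cluster. It assumes the hub-side inputs live in a hub namespace named "policies": a ConfigMap "keycloak-config" with the keys issuer, clientID and adminGroup, a Secret "keycloak-client" with the key clientSecret, and a ConfigMap "keycloak-ca" with the key ca.crt; all of those names are hypothetical. The {{hub ... hub}} syntax requires an ACM release that supports hub cluster templates, and the groups claim requires an OpenShift release whose OpenID provider supports it. The basic-users patch from the step list is not expressed here because a musthave object-template merges lists rather than removing entries from them.

```yaml
# Added example, not from ACM-2312. Hub inputs (hypothetical names) are assumed to
# exist in the hub namespace "policies": ConfigMap keycloak-config (issuer, clientID,
# adminGroup), Secret keycloak-client (clientSecret), ConfigMap keycloak-ca (ca.crt).
# {{hub ... hub}} needs an ACM release with hub cluster templates.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-keycloak-idp
  namespace: policies
spec:
  remediationAction: enforce
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: keycloak-idp
        spec:
          remediationAction: enforce
          severity: high
          object-templates:
            # fromSecret returns the base64-encoded value, so it goes straight into "data";
            # in hub templates that value is encrypted on its way to the managed cluster.
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Secret
                metadata:
                  name: keycloak-idp-secret
                  namespace: openshift-config
                type: Opaque
                data:
                  clientSecret: '{{hub fromSecret "policies" "keycloak-client" "clientSecret" hub}}'
            # CA the OAuth server uses to verify the Keycloak endpoint (the route CA).
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: ConfigMap
                metadata:
                  name: keycloak-ca
                  namespace: openshift-config
                data:
                  ca.crt: '{{hub fromConfigMap "policies" "keycloak-ca" "ca.crt" hub}}'
            # The IdP name "keycloak" is the last path segment of the callback URL
            # <issuer>/oauth2callback/keycloak registered on the Keycloak client.
            - complianceType: musthave
              objectDefinition:
                apiVersion: config.openshift.io/v1
                kind: OAuth
                metadata:
                  name: cluster
                spec:
                  identityProviders:
                    - name: keycloak
                      mappingMethod: claim
                      type: OpenID
                      openID:
                        clientID: '{{hub fromConfigMap "policies" "keycloak-config" "clientID" hub}}'
                        clientSecret:
                          name: keycloak-idp-secret
                        ca:
                          name: keycloak-ca
                        issuer: '{{hub fromConfigMap "policies" "keycloak-config" "issuer" hub}}'
                        claims:
                          preferredUsername: [preferred_username]
                          name: [name]
                          email: [email]
                          groups: [groups]   # assumption: OCP release with OpenID groups claim
            # Bind cluster-admin to the Keycloak group (the "role name" from the epic goal).
            - complianceType: musthave
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: ClusterRoleBinding
                metadata:
                  name: cluster-admin-from-keycloak-group
                roleRef:
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                  name: cluster-admin
                subjects:
                  - apiGroup: rbac.authorization.k8s.io
                    kind: Group
                    name: '{{hub fromConfigMap "policies" "keycloak-config" "adminGroup" hub}}'
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-keycloak-idp
  namespace: policies
placementRef:
  name: placement-policy-keycloak-idp
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
subjects:
  - name: policy-keycloak-idp
    apiGroup: policy.open-cluster-management.io
    kind: Policy
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-keycloak-idp
  namespace: policies
spec:
  clusterSelector:
    matchLabels:
      sso: keycloak   # hypothetical label selecting the clusters that get the IdP
```

      Because the client secret never leaves the hub in clear text and the managed cluster only ever sees the rendered Secret, a compromised spoke learns at most its own client credentials; keeping one Keycloak client per cluster (rather than one shared client with many redirect URIs) limits the blast radius of that case, which is the reason the epic goal calls for per-cluster secrets.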

      Why is this important?


      Scenarios

      1. ...

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            Christian Stark (rhn-support-cstark)
            Derek Ho
            Gus Parvin