Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-29994

Update add-ons to support token-based registration

XMLWordPrintable

    • Update add-ons to support token-based registration
    • Product / Portfolio Work
    • False
    • Hide

      None

      Show
      None
    • False
    • Not Selected
    • To Do
    • ACM-29755 - Hub support on EKS (MCE 2.17) - Internal Feature
    • 100% To Do, 0% In Progress, 0% Done
    • Important

      OCP/Telco Definition of Done
      https://docs.google.com/document/d/1TP2Av7zHXz4_fmeX4q9HB0m9cqSZ4F6Jd4AiVoaF_2s/edit#heading=h.gaa58bzbvwde
      Epic Template descriptions and documentation.
      https://docs.google.com/document/d/14CUCEg6hQ_jpsFzJtWo29GfFVWmun2Uivrxq3_Fkgdg/edit
      ACM-wide Product Requirements (Top-level Epics)
      https://docs.google.com/document/d/1uIp6nS2QZ766UFuZBaC9USs8dW_I5wVdtYF9sUObYKg/edit

      *<--- Cut-n-Paste the entire contents of this description into your new
      Epic --->*

      Epic Goal

      Amazon EKS does not provide a built-in signer for CSRs created with the kubernetes.io/kube-apiserver-client signer name. Although such CSRs can be created and even approved, no client certificate is issued for the approved requests. As a result, CSR-based authentication does not work and blocks add-on registration when MCE is deployed on an EKS hub cluster.

      To address this limitation, token-based add-on registration was introduced in ACM 2.16 / MCE 2.11. It included API changes and some foundational enhancements (addon-manager, klusterlet agent and addon-framework).

      However, updates are also required from individual add-on in order to fully support this feature in 2.17 release. These include:

      • Upgrading the addon-framework to the latest version;

      How to verify

      1. Install MCE.
      1. Configure addOnKubeClientRegistrationDriver to use token as the authType: 
        apiVersion: config.open-cluster-management.io/v1alpha1
kind: KlusterletConfig
metadata:
  name: global
spec:
  addOnKubeClientRegistrationDriver:
    authType: token
      • Verify that the add-on functions correctly.

      Why is this important?

      ...

      Scenarios

      ...

      Acceptance Criteria

      ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1. ...

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
        Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub
        Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Doc issue opened with a completed template. Separate doc issue
        opened for any deprecation, removal, or any current known
        issue/troubleshooting removal from the doc, if applicable.
      • Considerations were made for Extended Update Support (EUS)

              leyan@redhat.com Le Yang
              leyan@redhat.com Le Yang
              Derek Ho Derek Ho
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: