Red Hat Advanced Cluster Management / ACM-29995

Update policy add-ons to support token-based registration


    • Type: Story
    • Resolution: Unresolved
    • Priority: Major
    • ACM 2.17.0
    • GRC
    • Product / Portfolio Work
    • Important

      Value Statement

      Amazon EKS does not provide a built-in signer for CSRs that use the kubernetes.io/kube-apiserver-client signer name. Such CSRs can be created and even approved, but no client certificate is ever issued for the approved requests. As a result, CSR-based authentication does not work and add-on registration cannot complete when MCE is deployed on an EKS hub cluster.

      To address this limitation, token-based add-on registration was introduced in ACM 2.16 / MCE 2.11. It included API changes and foundational enhancements in addon-manager, the klusterlet agent and addon-framework.

      However, each individual add-on also needs updates to fully support this feature in the 2.17 release. These include:

      • Upgrading the addon-framework to the latest version;
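      The EKS failure described above (a CSR that is approved but never signed) is easy to misread as a slow approver, so it helps to classify the object's actual state. The following Go example is added here and is not code from MCE, OCM or the addon-framework: it builds the CSR object an add-on agent would submit for the kubernetes.io/kube-apiserver-client signer, then classifies what the API server hands back so that "approved with no status.certificate" is reported separately from "pending" and "issued". The subject naming (system:open-cluster-management:cluster:<cluster>:addon:<addon>:...) is assumed to follow the OCM add-on agent convention, the cluster and add-on names are placeholders, and ApprovedButUnsignedSample is a constructed object rather than one captured from a cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// CSR mirrors the parts of certificates.k8s.io/v1 CertificateSigningRequest used here;
// Kubernetes serialises the []byte fields as base64, which encoding/json handles.
type CSR struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct{ Name string `json:"name"` } `json:"metadata"`
	Spec       struct {
		Request    []byte   `json:"request"`
		SignerName string   `json:"signerName"`
		Usages     []string `json:"usages"`
	} `json:"spec"`
	Status struct {
		Certificate []byte `json:"certificate,omitempty"`
		Conditions  []struct {
			Type   string `json:"type"`   // Approved, Denied or Failed
			Status string `json:"status"` // "True" or "False"
		} `json:"conditions,omitempty"`
	} `json:"status"`
}

type CSRState string // what an agent polling its CSR should conclude from the object
const (
	CSRPending        CSRState = "pending"          // no decision recorded yet
	CSRRejected       CSRState = "rejected"         // Denied or Failed condition
	CSRApprovedNoCert CSRState = "approved-no-cert" // approved, but no signer issued a certificate
	CSRIssued         CSRState = "issued"           // status.certificate parses as a certificate
)

// ApprovedButUnsignedSample is a constructed object (not captured from a cluster) with the EKS shape: Approved, but no status.certificate.
const ApprovedButUnsignedSample = `{"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"name":"addon-cluster1-governance-policy-framework"},"spec":{"request":"","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]},"status":{"conditions":[{"type":"Approved","status":"True"}]}}`

// NewAddonClientCSR builds the object an add-on agent submits for the kube-apiserver-client signer; the subject naming is the OCM add-on agent convention as assumed for this example.
func NewAddonClientCSR(cluster, addon string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{
		CommonName:   fmt.Sprintf("system:open-cluster-management:cluster:%s:addon:%s:agent:agent", cluster, addon),
		Organization: []string{fmt.Sprintf("system:open-cluster-management:cluster:%s:addon:%s", cluster, addon)},
	}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	c := CSR{APIVersion: "certificates.k8s.io/v1", Kind: "CertificateSigningRequest"}
	c.Metadata.Name = fmt.Sprintf("addon-%s-%s", cluster, addon)
	c.Spec.Request = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	c.Spec.SignerName = "kubernetes.io/kube-apiserver-client"
	c.Spec.Usages = []string{"client auth"}
	out, err := json.Marshal(c)
	return out, key, err
}

// ClassifyCSR reads the object back from the API server (as JSON) and reports its state.
func ClassifyCSR(raw []byte) (CSRState, error) {
	var c CSR
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	approved := false
	for _, cond := range c.Status.Conditions {
		switch {
		case cond.Status != "True":
		case cond.Type == "Denied" || cond.Type == "Failed":
			return CSRRejected, nil
		case cond.Type == "Approved":
			approved = true
		}
	}
	if !approved {
		return CSRPending, nil
	}
	if len(c.Status.Certificate) == 0 {
		return CSRApprovedNoCert, nil // the EKS symptom: approved, but nothing signed it
	}
	if block, _ := pem.Decode(c.Status.Certificate); block == nil {
		return "", fmt.Errorf("status.certificate is not PEM")
	} else if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return "", fmt.Errorf("status.certificate: %w", err) // trust the field only once it parses
	}
	return CSRIssued, nil
}

func main() {
	manifest, _, err := NewAddonClientCSR("cluster1", "governance-policy-framework")
	state, _ := ClassifyCSR([]byte(ApprovedButUnsignedSample))
	fmt.Println(string(manifest), state, err)
}
```

      On a real hub the object to classify comes from kubectl get csr <name> -o json. Where the API server does sign kube-apiserver-client requests the state moves from pending to issued; on an EKS hub it stays at approved-no-cert, which is exactly the condition the token-based registration driver avoids by not depending on a CSR signer at all.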

      How to verify

      1. Install MCE.
      2. Configure addOnKubeClientRegistrationDriver to use token as the authType:
        apiVersion: config.open-cluster-management.io/v1alpha1
        kind: KlusterletConfig
        metadata:
          name: global
        spec:
          addOnKubeClientRegistrationDriver:
            authType: token

      3. Verify that the add-on functions correctly.

      Definition of Done for Engineering Story Owner (Checklist)


      Development Complete

      • The code is complete.
      • Functionality is working.
      • Any required downstream Docker file changes are made.

      Tests Automated

      • [ ] Unit/function tests have been automated and incorporated into the build.
      • [ ] 100% automated unit/function test coverage for new or changed APIs.

      Secure Design

      • [ ] Security has been assessed and incorporated into your threat model.

      Multidisciplinary Teams Readiness

      • [ ] Create an informative documentation issue using the Customer Portal Doc template that you can access from The Playbook (https://docs.google.com/document/d/1YTqpZRH54Bnn4WJ2nZmjaCoiRtqmrc2w6DdQxe_yLZ8/edit#heading=h.9fvyr2rdriby), and ensure the doc acceptance criteria are met.
      • [ ] Link the development issue to the doc issue.

      Support Readiness

      • [ ] The must-gather script has been updated.

              Justin Kulikauskas (jkulikau@redhat.com)
              Le Yang (leyan@redhat.com)
              Derek Ho