XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Critical
Fix Version/s: ACM 2.9.0
Affects Version/s: ACM 2.9.0
Component/s: Application Lifecycle
Labels:

Epic Name:
Generate cluster secrets with RBAC SA/User used in ArgoCD push model
Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Green
Epic Status:
To Do
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Intelligence Requested:
Market:

Epic Goal

Currently in the ArgoCD push model, only cluster admin secret on each managed cluster is generated and imported to the ArgoCD server namespace on the hub cluster. As a result, ArgoCD users can deploy all kinds of resources to the managed cluster without RBAC control.

We are proposing to allow users to deploy a managed RBAC SA with specified clusterRoles and Roles on each selected managed cluster. In the ArgoCD push model, when an ArgoCD app is created on the hub cluster, the SA with appropriate RBAC control is used to deploy resources. If creating a kind of resource is not granted to the SA, the kind of resource deployment will be blocked by ArgoCD with a failure message.

design link:

https://docs.google.com/document/d/1Xi1YmX-KP0gI5LQPPpFeRdq9yTX1f-LGMzHTpST3_50/edit?pli=1#

Work scope and Timeline

In ACM 2.8 roadmap,

Create a new community repo for implementing the managedRBAC api and controller
Enhance the gitopsCluster api and controller in community repo multicloud-integrations

In ACM 2.9,

Onboard the managedRBAC repo to stolostron org for ACM 2.9 release
Merge the gitopsCluster api and controller changes to stolstron org for ACM 2.9 release

Why is this important?

...

Scenarios

...

Acceptance Criteria

...

Dependencies (internal and external)

Previous Work (Optional):

Open questions:

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub
Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

ACM Epic Done Checklist

See presentation and details.

Update with "Y" if Epic meets the requirement, "N" if it does not, or "N/A" if not applicable.

_ FIPS Readiness
_ Works in Disconnected
_ Global Proxy Support
_ Installable to Infrastructure Nodes
_ No impacts to Performance and Scalability
_ Backup and Restorable

is cloned by

ACM-7925 Generate cluster secrets with RBAC SA/User used in ArgoCD push model UX part

ACM-5842 performance issue due to tons of git clone actions

ACM-4410 [Upstream]Generate cluster secrets with RBAC SA/User used in ArgoCD push model

Closed

relates to

ACM-3286 ACM Options to configure permissions when adding Managed-Clusters into ArgoCD

Closed

Assignee:: Xiangjing Li

Reporter:: Xiangjing Li

QA Contact:: Yupeng Chang

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2023/03/01 4:44 PM

Updated:: 2023/11/29 3:45 PM

Resolved:: 2023/10/12 4:11 PM

Details

Description

Epic Goal

Work scope and Timeline

Why is this important?

Scenarios

Acceptance Criteria

Dependencies (internal and external)

Previous Work (Optional):

Open questions:

Done Checklist

ACM Epic Done Checklist

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates