XML

Word

Printable

Type: Epic
Resolution: Unresolved
Priority: Major
Fix Version/s: ACM 2.13.0
Affects Version/s: None
Component/s: Application Lifecycle, Cluster Lifecycle, Console, Edge, Global Hub, HyperShift, Installer, Multicluster Networking, Search, Security, Server Foundation
Labels:
- cross-squad

Epic Name:
Standard STS config via CCO for ACM
Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
Epic Status:
To Do
Feature Link:
OCPSTRAT-127 - Continued STS enablement for selected OLM-managed operators
Parent Link:
OCPSTRAT-127Continued STS enablement for selected OLM-managed operators
Hierarchy Progress Bar:

50% To Do, 0% In Progress, 50% Done
Target Version:

ACM 2.11.0

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Intelligence Requested:
Market:

Goals

Establish a common and simplified configuration experience for ACM on STS-enabled OpenShift clusters using the new, standardized configuration flow described in ~~OCPSTRAT-171~~. Users have a repeatable process to configure the ACM operator for STS with well-known inputs and behavior and can reuse the knowledge about that process with other operators. The support should be introduced in a release of the ACM operator in 2023.

Non-Goals

Support for any older version of OCP than 4.14.

Motivation

Today, the support for AWS STS authentication is well established in our core platform but fragmented at best among our layered products and OLM-managed operators. The configuration experience is also different between individual OLM-managed operators that support STS. OCPSTRAT-6 aims to solve this for all cloud providers using the CloudCredentialOperator (CCO) and its CredentialRequest API.

Based on this, customers get a repeatable and simple experience of installing and configuring the ACM operator, or any OLM-managed operator that supports it, for tokenized authentication with their cloud provider.

The ACM operator has been identified as an operators capable of integrating with AWS APIs and therefor should support that flow to act on customer feedback from ROSA and OSD customers.

STS enabled AWS API communication is considered a security-relevant issue for a majority of the customers and increasingly becomes a hard requirement.

Alternatives

None.

Acceptance Criteria

the ACM operator implements the standardized configuration flow for STS-enabled clusters using CCO and CredentialRequests described here: https://docs.google.com/document/d/1iFNpyycby_rOY1wUew-yl3uPWlE00krTgr9XHDZOTNo/edit#
the ACM operator gracefully falls back to regular operations when no role ARN is provided
the ACM operator degrades when the role ARN is provided but CCO does not reconcile the CredentialRequest (either due to a bug or due to running on an older than OCP 4.14 release)
the ACM operator documents what specific IAM permissions are needed when integrating with AWS using STS and provides easy to consume instructions to create those
the ACM operator supports this workflow and provides the documentation from the appropriate release onwards

Risk and Assumptions

Assumption: you don't currently have an existing way to integrate with STS
Risk: if the above assumption is wrong, you need to deprecate this configuration flow in favor of the flow defined in ~~OCPSTRAT-171~~

Documentation Considerations

the ACM operator should rely on documentation the OLM portion of the OCP docs on how to carry out the configuration flow using either the OCP console or the CLI
the ACM operator in its own documentation section shall supply the required IAM credential instructions