Uploaded image for project: 'Agent-based Installer for OpenShift'
  1. Agent-based Installer for OpenShift
  2. AGENT-145

Add Authentication to internal Components of Agent Installer

XMLWordPrintable

    • Agent Installer Internal Authentication
    • BU Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • Green
    • Done
    • OCPSTRAT-713 - Add Authentication to internal Components of Agent Installer
    • OCPSTRAT-713Add Authentication to internal Components of Agent Installer
    • 0% To Do, 0% In Progress, 100% Done
    • Hide

      Aug 8, 2024: This epic is technically dev-complete as the major functionality is already merged into master. There are 2 optional stories which are expected to land in the merge pool soon. AGENT-938 and  AGENT-937

       

      Aug 6, 2024: All the necessary development work to implement authentication for day-1 and day-2 operations has been merged into the master branch. I have also added a new optional story, AGENT-937, to guide users on the steps to take if the node.iso becomes unusable due to the embedded auth token expiring after 48 hours.

      25 July 2024: The epic was originally only planned for day1 authentication however, with 4.17 we have day2 support and hence the scope of this epic is increased to also cover the day2 authentication. With respect to authentication, the epic is in green status ( awaiting PR reviews)

       

      For authorization, a new epic should be created.

      Show
      Aug 8, 2024: This epic is technically dev-complete as the major functionality is already merged into master. There are 2 optional stories which are expected to land in the merge pool soon. AGENT-938 and  AGENT-937   Aug 6, 2024: All the necessary development work to implement authentication for day-1 and day-2 operations has been merged into the master branch. I have also added a new optional story, AGENT-937 , to guide users on the steps to take if the node.iso becomes unusable due to the embedded auth token expiring after 48 hours. 25 July 2024: The epic was originally only planned for day1 authentication however, with 4.17 we have day2 support and hence the scope of this epic is increased to also cover the day2 authentication. With respect to authentication, the epic is in green status ( awaiting PR reviews)   For authorization, a new epic should be created.
    • Sprint 248, Sprint 249, Sprint 250, Sprint 253, Sprint 254, Sprint 255, Installer Sprint 256, Installer Sprint 257

      Epic Goal

      • This epic scope was originally to encompass both authentication and authorization but we have split the expanding scope into a separate epic.
      • We want to add authorization to the internal components of Agent Installer so that the cluster install is secure. 

      Why is this important?

      • The Agent Installer API server (assisted-service) has several methods for Authorization but none of the existing methods are applicable tothe Agent Installer use case. 
      • During the MVP of Agent Installer we attempted to turn on the existing authorization schemes but found we didn't have access to the correct API calls.
      • Without proper authorization it is possible for an unauthorized node to be added to the cluster during install. Currently we expect this to be done as a mistake rather than maliciously.

      Brainstorming Notes:

      Requirements

      • Allow only agents booted from the same ISO to register with the assisted-service and use the agent endpoints
      • Agents already know the InfraEnv ID, so if read access requires authentication then that is sufficient in some existing auth schemes.
      • Prevent access to write endpoints except by the internal systemd services
      • Use some kind of authentication for read endpoints
      • Ideally use existing credentials - admin-kubeconfig client cert and/or kubeadmin-password
      • (Future) Allow UI access in interactive mode only

       

      Are there any requirements specific to the auth token?

      • Ephemeral
      • Limited to one cluster: Reuse the existing admin-kubeconfig client cert

       

      Actors:

      • Agent Installer: example wait-for
      • Internal systemd: configurations, create cluster infraenv, etc
      • UI: interactive user
      • User: advanced automation user (not supported yet)

       

      Do we need more than one auth scheme?

      Agent-admin - agent-read-write

      Agent-user - agent-read

      Options for Implementation:

      1. New auth scheme in assisted-service
      2. Reverse proxy in front of assisted-service API
      3. Use an existing auth scheme in assisted-service

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Previous Work (Optional):

      1. AGENT-60 Originally we wanted to just turn on local authorization for Agent Installer workflows. It was discovered this was not sufficient for our use case.

      Open questions::

      1. Which API endpoints do we need for the interactive flow?
      2. What auth scheme does the Assisted UI use if any?

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              ppinjark@redhat.com pawan pinjarkar
              lranjbar@redhat.com Lisa Ranjbar
              Biagio Manzari Biagio Manzari
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: