APPSVC-1291: Provide Permissions to Workers' identity

Project: Service Binding

    • Type: Story
    • Resolution: Unresolved
    • Priority: Undefined
    • Version: Primaza 0.1
    • Component: Service Binding

      Feature: Give permissions to agent identities

        Scenario: On creation of Cluster Environment with serviceNamespaces, Service Agent role is provided to agent identity

          Given Primaza Cluster "primaza-main" is running
          And Worker Cluster "primaza-worker" for "primaza-main" is running
          And Clusters "primaza-main" and "primaza-worker" can communicate
          And On Primaza Cluster "primaza-main", Worker "primaza-worker"'s ClusterContext secret "primaza-kw" is published
          And On Worker Cluster "primaza-worker", Service namespace "services" exists
          When On Primaza Cluster "primaza-main", Resource is created
          """
          apiVersion: primaza.io/v1alpha1
          kind: ClusterEnvironment
          metadata:
            name: primaza-worker
            namespace: primaza-system
          spec:
            environmentName: dev
            clusterContextSecret: primaza-kw
            serviceNamespaces:
            - services
          """
          Then On Primaza Cluster "primaza-main", RoleBinding "primaza-worker-service-agent" exists

        Scenario: On creation of Cluster Environment with applicationNamespaces, Application Agent role is provided to agent identity

          Given Primaza Cluster "primaza-main" is running
          And Worker Cluster "primaza-worker" for "primaza-main" is running
          And Clusters "primaza-main" and "primaza-worker" can communicate
          And On Primaza Cluster "primaza-main", Worker "primaza-worker"'s ClusterContext secret "primaza-kw" is published
          And On Worker Cluster "primaza-worker", Application namespace "applications" exists
          When On Primaza Cluster "primaza-main", Resource is created
          """
          apiVersion: primaza.io/v1alpha1
          kind: ClusterEnvironment
          metadata:
            name: primaza-worker
            namespace: primaza-system
          spec:
            environmentName: dev
            clusterContextSecret: primaza-kw
            applicationNamespaces:
            - applications
          """
          Then On Primaza Cluster "primaza-main", RoleBinding "primaza-worker-application-agent" exists

      Owner / Architect: Francesco Ilario

      Story (Required)

      As a Primaza Administrator, I would like Primaza to manage the authorizations of the worker namespaces' identities, so that Agents can access the Primaza cluster.

      Background (Required)

      As defined in the Primaza architecture document, Agents should be able to report to Primaza.
      When an application or service namespace is initialized on a Worker cluster, an identity is created on the Primaza cluster and provided to that namespace's agent (cf. APPSVC-1283).
      When a Cluster Environment is created, the permissions of that identity must be updated so that the agent can report changes to Primaza.
      As an example, Service Agents should be able to create RegisteredServices, while Application Agents should be able to update their status.

      See epic for arch document link.

      Glossary

      See glossary in architecture document

      Out of scope

      • agent communication with Primaza
      • creation of the roles on Primaza cluster (needed for the agent to communicate with Primaza)

      In Scope

      • user creation in primaza cluster
      • user permissions configuration

      Approach (Required)

      When a Cluster Environment is created, Primaza needs to bind the identities of the ClusterEnvironment's namespaces to the related roles.
      In the following, assume the roles to bind to agents have already been created on the Primaza cluster.

      Roughly, the procedure will perform the following actions on the Primaza cluster:

      • if the cluster environment has at least one application namespace, create the RoleBinding that binds the agent's user (CSR) to the role for Application Agents
      • if the cluster environment has at least one service namespace, create the RoleBinding that binds the agent's user (CSR) to the role for Service Agents

      When a cluster environment is deleted or an application or service namespace is removed, the identity must be unbound from the role.
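      The approach above, written out as an added example (this is illustration code for this page, not Primaza's controller). It assumes minimal struct shapes for ClusterEnvironment and RoleBinding, assumed role names ("primaza-application-agent", "primaza-service-agent") and an assumed username scheme for the CSR-issued agent identity; the RoleBinding names match the BDD scenarios. DesiredRoleBindings encodes the two "if at least one namespace" rules, and PlanReconcile diffs the desired bindings against the existing ones so that removing a namespace kind, or deleting the ClusterEnvironment entirely (empty desired set), unbinds the identity. The roleRef is bound to a namespaced Role rather than a ClusterRole, which keeps the agent's rights limited to the Primaza namespace.

```go
package main

import (
	"fmt"
	"sort"
)

// Minimal shapes for this example (assumed; not Primaza's real API types).
type ClusterEnvironmentSpec struct {
	EnvironmentName       string
	ClusterContextSecret  string
	ApplicationNamespaces []string
	ServiceNamespaces     []string
}

type ClusterEnvironment struct {
	Name      string
	Namespace string
	Spec      ClusterEnvironmentSpec
}

// RoleBinding models the subset of rbac.authorization.k8s.io/v1 RoleBinding
// fields this reconciliation cares about. RoleName is roleRef.name with kind
// Role (namespaced, so the agent only gets rights inside Namespace); User is
// subjects[0].name with kind User, i.e. the CN of the CSR-issued certificate.
type RoleBinding struct {
	Name      string
	Namespace string
	RoleName  string
	User      string
}

// Assumed role names; the story says these roles already exist on the Primaza cluster.
const (
	applicationAgentRole = "primaza-application-agent"
	serviceAgentRole     = "primaza-service-agent"
)

// agentUser derives the agent identity's username. The naming scheme is an
// assumption for this example; the story only says the identity is CSR-based.
func agentUser(ce ClusterEnvironment) string {
	return "primaza-agent-" + ce.Name
}

// DesiredRoleBindings is the "Approach" section as code: one binding per agent
// kind, created only if the ClusterEnvironment lists namespaces of that kind.
func DesiredRoleBindings(ce ClusterEnvironment) []RoleBinding {
	var out []RoleBinding
	if len(ce.Spec.ApplicationNamespaces) > 0 {
		out = append(out, RoleBinding{Name: ce.Name + "-application-agent", Namespace: ce.Namespace,
			RoleName: applicationAgentRole, User: agentUser(ce)})
	}
	if len(ce.Spec.ServiceNamespaces) > 0 {
		out = append(out, RoleBinding{Name: ce.Name + "-service-agent", Namespace: ce.Namespace,
			RoleName: serviceAgentRole, User: agentUser(ce)})
	}
	return out
}

// Plan lists the RoleBindings to create and delete on the Primaza cluster.
type Plan struct {
	Create []RoleBinding
	Delete []RoleBinding
}

// PlanReconcile diffs desired bindings against those that currently exist for
// this ClusterEnvironment. A deleted ClusterEnvironment has an empty desired
// set, so every existing binding is unbound. A binding that drifted is deleted
// and recreated: roleRef is immutable on Kubernetes RoleBindings, so an
// in-place update is not an option for it (subjects are treated the same way
// here for simplicity).
func PlanReconcile(desired, existing []RoleBinding) Plan {
	key := func(rb RoleBinding) string { return rb.Namespace + "/" + rb.Name }
	want := make(map[string]RoleBinding, len(desired))
	for _, rb := range desired {
		want[key(rb)] = rb
	}
	var p Plan
	seen := make(map[string]bool, len(existing))
	for _, rb := range existing {
		k := key(rb)
		seen[k] = true
		d, ok := want[k]
		switch {
		case !ok: // namespace kind removed, or ClusterEnvironment deleted
			p.Delete = append(p.Delete, rb)
		case d.RoleName != rb.RoleName || d.User != rb.User: // drift: recreate
			p.Delete = append(p.Delete, rb)
			p.Create = append(p.Create, d)
		}
	}
	for k, rb := range want {
		if !seen[k] {
			p.Create = append(p.Create, rb)
		}
	}
	byName := func(s []RoleBinding) { sort.Slice(s, func(i, j int) bool { return s[i].Name < s[j].Name }) }
	byName(p.Create)
	byName(p.Delete)
	return p
}

func main() {
	// Constructed input mirroring the BDD scenario with serviceNamespaces.
	ce := ClusterEnvironment{Name: "primaza-worker", Namespace: "primaza-system",
		Spec: ClusterEnvironmentSpec{EnvironmentName: "dev", ClusterContextSecret: "primaza-kw",
			ServiceNamespaces: []string{"services"}}}
	existing := []RoleBinding{}
	p := PlanReconcile(DesiredRoleBindings(ce), existing)
	fmt.Printf("on create: %+v\n", p)
	existing = append(existing, p.Create...)
	ce.Spec.ServiceNamespaces = nil // service namespace removed from the worker
	fmt.Printf("after removal: %+v\n", PlanReconcile(DesiredRoleBindings(ce), existing))
}
```

      The same diff handles both triggers in the last paragraph: a removed namespace kind drops one binding, and a deleted ClusterEnvironment (no desired bindings at all) drops every binding the controller owns.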

      Demo requirements (Required)

      NA

      Dependencies

      Edge Case

      NA

      BDD Tests

      You can find BDD Test specification for this story in the "Testing Instructions" Field Tab or in the GitHub Issue linked to this story.

      Acceptance Criteria

      • Development
        ClusterEnvironment controller
        checks whether it has all the needed permissions for working on target namespaces
      • QE
        There are test cases for ...
      • Docs
        There is a page in our docs dedicated to explaining what a ...
        Update architecture document with any changes while implementing
        There is a link in our main readme to the .... page

      INVEST Checklist

      Dependencies identified
      Blockers noted and expected delivery timelines set
      Design is implementable
      Acceptance criteria agreed upon
      Story estimated


      Assignee: Unassigned
      Reporter: Francesco Ilario (rh-ee-filario)
      Votes: 0
      Watchers: 1