APPSVC-1291

Provide Permissions to Workers' identity


    Story, Resolution: Unresolved, Primaza 0.1, Service Binding
      Testing Instructions
      Feature: Give permissions to agent identities

          Scenario: On creation of Cluster Environment with serviceNamespaces, Service Agent role is provided to agent identity

              Given Primaza Cluster "primaza-main" is running
              And Worker Cluster "primaza-worker" for "primaza-main" is running
              And Clusters "primaza-main" and "primaza-worker" can communicate
              And On Primaza Cluster "primaza-main", Worker "primaza-worker"'s ClusterContext secret "primaza-kw" is published
              And On Worker Cluster "primaza-worker", Service namespace "services" exists
              When On Primaza Cluster "primaza-main", Resource is created
              """
              apiVersion: primaza.io/v1alpha1
              kind: ClusterEnvironment
              metadata:
                  name: primaza-worker
                  namespace: primaza-system
              spec:
                  environmentName: dev
                  clusterContextSecret: primaza-kw
                  serviceNamespaces:
                  - services
              """
              Then On Primaza Cluster "primaza-main", RoleBinding "primaza-worker-service-agent" exists

          Scenario: On creation of Cluster Environment with applicationNamespaces, Application Agent role is provided to agent identity

              Given Primaza Cluster "primaza-main" is running
              And Worker Cluster "primaza-worker" for "primaza-main" is running
              And Clusters "primaza-main" and "primaza-worker" can communicate
              And On Primaza Cluster "primaza-main", Worker "primaza-worker"'s ClusterContext secret "primaza-kw" is published
              And On Worker Cluster "primaza-worker", Application namespace "applications" exists
              When On Primaza Cluster "primaza-main", Resource is created
              """
              apiVersion: primaza.io/v1alpha1
              kind: ClusterEnvironment
              metadata:
                  name: primaza-worker
                  namespace: primaza-system
              spec:
                  environmentName: dev
                  clusterContextSecret: primaza-kw
                  applicationNamespaces:
                  - applications
              """
              Then On Primaza Cluster "primaza-main", RoleBinding "primaza-worker-application-agent" exists

      Owner / Architect:

      Francesco Ilario

      Story (Required)

      As a Primaza Administrator, I would like Primaza to manage the authorizations of the worker namespaces' identities, so that Agents can access the Primaza cluster.

      Background (Required)

      As defined in the Primaza architecture document, Agents should be able to report to Primaza.
      When an application or service namespace is initialized on a Worker cluster, an identity is created on the Primaza cluster and handed to that namespace's agent (cf. APPSVC-1283).
      When a Cluster Environment is created, that identity's permissions must be updated so that the agent can report changes to Primaza.
      As an example, Service Agents should be able to create RegisteredServices, while Application Agents should be able to update their status.

      See epic for arch document link.

      Glossary

      See glossary in architecture document

      Out of scope

      • agent communication with Primaza
      • creation of the roles on Primaza cluster (needed for the agent to communicate with Primaza)

      In Scope

      • user creation in primaza cluster
      • user permissions configuration

      Approach (Required)

      When a Cluster Environment is created, Primaza needs to bind the identities of the ClusterEnvironment's namespaces to the related roles.
      In the following, assume the roles to be bound to agents have already been created.

      Roughly, the procedure will perform the following actions on the Primaza cluster:

      • if the cluster environment has at least one application namespace, create the RoleBinding that binds the agent's user (CSR) to the role for Application Agents
      • if the cluster environment has at least one service namespace, create the RoleBinding that binds the agent's user (CSR) to the role for Service Agents

      When a cluster environment is deleted or an application or service namespace is removed, the identity must be unbound from the role.
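      The bind/unbind logic described above, written as an added illustration rather than Primaza's own controller code: it derives the desired RoleBindings from a ClusterEnvironment spec (named as in the scenarios above) and diffs them against what already exists, so that a deleted environment or a removed namespace leads to the binding being dropped. The role names, the agent user name and the stripped-down struct types are assumptions; the real controller would use the rbac/v1 and Primaza API types.

```go
package main

// Role names are assumptions for this example; the ticket only says the roles already exist on Primaza.
const (
	ApplicationAgentRole = "primaza-application-agent" // assumed
	ServiceAgentRole     = "primaza-service-agent"     // assumed
)

// ClusterEnvironmentSpec keeps only the namespace lists from the ticket's example resource.
type ClusterEnvironmentSpec struct{ ApplicationNamespaces, ServiceNamespaces []string }

// RoleBinding is a minimal stand-in for rbac.authorization.k8s.io/v1 RoleBinding;
// the subject is the agent's User identity obtained through its CSR.
type RoleBinding struct{ Name, Namespace, RoleName, SubjectUser string }

// DesiredRoleBindings derives the bindings the controller should own: one per agent
// kind with at least one namespace, named <ce-name>-<kind>-agent as in the scenarios above.
func DesiredRoleBindings(ceName, ceNamespace, agentUser string, spec ClusterEnvironmentSpec) []RoleBinding {
	var out []RoleBinding
	if len(spec.ApplicationNamespaces) > 0 {
		out = append(out, RoleBinding{ceName + "-application-agent", ceNamespace, ApplicationAgentRole, agentUser})
	}
	if len(spec.ServiceNamespaces) > 0 {
		out = append(out, RoleBinding{ceName + "-service-agent", ceNamespace, ServiceAgentRole, agentUser})
	}
	return out
}

// Reconcile diffs the bindings currently present against the desired set and returns
// the names to create and to delete. An empty desired set (ClusterEnvironment deleted)
// unbinds everything the controller owns, which is the least-privilege outcome wanted here.
func Reconcile(existing, desired []RoleBinding) (create, remove []string) {
	have, want := map[string]bool{}, map[string]bool{}
	for _, rb := range desired {
		want[rb.Name] = true
	}
	for _, rb := range existing { // unbind anything the spec no longer calls for
		have[rb.Name] = true
		if !want[rb.Name] {
			remove = append(remove, rb.Name)
		}
	}
	for _, rb := range desired { // bind what is still missing
		if !have[rb.Name] {
			create = append(create, rb.Name)
		}
	}
	return create, remove
}
```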

      Demo requirements (Required)

      NA

      Dependencies

      Edge Case

      NA

      BDD Tests

      You can find the BDD test specification for this story in the "Testing Instructions" field tab or in the GitHub issue linked to this story.

      Acceptance Criteria

      • Development
        ClusterEnvironment controller
        checks whether it has all the needed permissions for working on target namespaces
      • QE
        There are test cases for ...
      • Docs
        There is a page in our docs dedicated to explaining what a ...
        Update architecture document with any changes while implementing
        There is a link in our main readme to the .... page

      INVEST Checklist

      Dependencies identified
      Blockers noted and expected delivery timelines set
      Design is implementable
      Acceptance criteria agreed upon
      Story estimated
