Story
Resolution: Done
Major
AppSvc Sprint 234, AppSvc Sprint 235
Owner: Architect:
Francesco Ilario
Story (Required)
As a Primaza Developer,
I would like primazactl to leverage Service Accounts
so that setup and key rotation are easier
Background (Required)
As defined in the Primaza architecture document, we need to use Service Accounts (SA) instead of Certificate Signing Requests (CSR) to authenticate from Primaza to Workers and Workers to Primaza.
This solution is much easier to implement and maintain than the CSR-based one.
See epic for arch document link.
Glossary
See glossary in architecture document
Out of scope
- Update Primaza's acceptance tests: in scope of APPSVC-1285
- Key rotation
In Scope
- Move from CSR to SA
Approach (Required)
Introduce the concept of identity in primazactl.
Implement a module for identity management in primazactl and use it across the tool to create credentials and export their kubeconfigs.
Eventually, this module will also contain the logic for key rotation and identity management.
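An added example (not primazactl's own code) of the kubeconfig export step described above: it builds a token-based kubeconfig from a `kubernetes.io/service-account-token` Secret and refuses inputs that would weaken TLS or authentication. The function name, server URL, cluster name and sample Secret are assumptions constructed for illustration.

```python
import base64
from urllib.parse import urlparse

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

def kubeconfig_from_sa_secret(secret: dict, server: str, cluster: str) -> dict:
    """Hypothetical helper: build a kubeconfig from a ServiceAccount token Secret."""
    if secret.get("type") != SA_TOKEN_TYPE:
        raise ValueError(f"not a service account token secret: {secret.get('type')!r}")
    if urlparse(server).scheme != "https":
        raise ValueError("API server URL must use https")
    data = secret.get("data", {})
    missing = [k for k in ("token", "ca.crt", "namespace") if not data.get(k)]
    if missing:
        # Refuse rather than emit a config without a CA bundle or a token.
        raise ValueError(f"secret is missing fields: {missing}")
    sa_name = secret.get("metadata", {}).get("annotations", {}).get(SA_NAME_ANNOTATION)
    if not sa_name:
        raise ValueError("secret is not bound to a service account")
    # Secret values are base64-encoded. The kubeconfig carries the raw bearer
    # token, while certificate-authority-data stays base64-encoded.
    token = base64.b64decode(data["token"], validate=True).decode()
    namespace = base64.b64decode(data["namespace"], validate=True).decode()
    user = f"system:serviceaccount:{namespace}:{sa_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": data["ca.crt"]}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": cluster, "context": {
            "cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": cluster,
    }

# Constructed sample Secret (names, token and CA are placeholders, not real values).
SAMPLE_SECRET = {
    "type": SA_TOKEN_TYPE,
    "metadata": {"annotations": {SA_NAME_ANNOTATION: "demo-sa"}},
    "data": {
        "token": b64("constructed-sample-token"),
        "ca.crt": b64("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"),
        "namespace": b64("demo-ns"),
    },
}
```

The returned dictionary can be serialized as JSON, which kubeconfig consumers parse as YAML.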
Demo requirements (Required)
NA
Dependencies
NA
Edge Case
NA
Acceptance Criteria
- Development
  - Primazactl creates Service Accounts instead of CSRs for Primaza authentication
  - Primazactl has an identity module for management of credentials
- Docs
  - There is a page in our docs dedicated to explaining authentication among clusters and how it is set up
  - Update architecture document with any changes while implementing
INVEST Checklist
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated