Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: openshift-4.18
Labels:
None

Work Type:
BU Product Work
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
Direct External OIDC Provider for Standalone OCP
Feature Link:
OCPSTRAT-306 - Support for bring your own external OIDC based Auth provider for direct API Server access [Standalone OCP][TechPreview]
Intelligence Requested:
Market:

Sprint:
Auth - Sprint 250

Target Version:

openshift-4.18

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

The CAO and KAS-o both need to work and enable structured authentication configuration for the KAS static pods.

CAO:

a controller tracks the auth CR for auth type OIDC
generates structured auth config object and serializes it into a configmap
syncs the configmap into openshift-config

KAS-o:

a config observer tracks the auth CR for type OIDC
syncs the auth configmap from openshift-config into openshift-kube-apiserver and enables the `--authentication-config` CLI arg for the KAS pods
the auth-metadata and webhook-authenticator config observers remove their resources and CLI args accordingly
a revision controller syncs that configmap into a static file

links to

openshift/cluster-authentication-operator#713: AUTH-541: OIDC structured auth config

openshift/cluster-kube-apiserver-operator#1760: AUTH-541: OIDC structured auth config

Assignee:: Ilias Rinis

Reporter:: Ilias Rinis

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2024/09/18 10:10 AM

Updated:: 2024/11/18 9:23 PM