Uploaded image for project: 'OpenShift Cloud Credential Operator'
  1. OpenShift Cloud Credential Operator
  2. CCO-222

Add ccoctl option to create private s3 bucket with OIDC configurations served through public CloudFront URL

    XMLWordPrintable

Details

    • False
    • None
    • False

    Description

      Currently, ccoctl creates a public S3 bucket to host OIDC endpoint that is accessible over the internet. Many customers have complained about this approach as their security policies do not allow creation of public S3 bucket. We have explored the option of making S3 bucket private and having public CloudFront URL to access OIDC configuration files in S3. We already have this tested and documented by SPLAT team. As part of this card, we need to automate this process through ccoctl by having an optional parameter.

      The sample ccoctl command to create the above-mentioned configuration can be

      ccoctl aws create-all --name=<name> --region=<aws-region> --credentials-requests-dir=<path-to-directory-with-list-of-credentials-requests> --enable-cloudfront

       

      SPLAT document : https://drive.google.com/file/d/1z16Gi11Bt4ox-55YuRnvLSm65N9hV8a1/view

      Attachments

        Issue Links

          blocks

          Feature Request - Feature requests from customers and/or users RFE-2898 OCP on AWS with manual STS requires private S3 bucket to host OIDC endpoint

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Accepted
          is depended on by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-2280 [release-4.12] Add ccoctl option to create private s3 bucket with OIDC configurations served through public CloudFront URL

          • Undefined - Priority not specified.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-2278 [release-4.11] Add ccoctl option to create private s3 bucket with OIDC configurations served through public CloudFront URL

          • Undefined - Priority not specified.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-2279 [release-4.10] Add ccoctl option to create private s3 bucket with OIDC configurations served through public CloudFront URL

          • Undefined - Priority not specified.
          • Closed
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CCO-219 Explore the option of creating private S3 bucket to host OIDC endpoint

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-281 AWS STS Implement procedure for migrating from a public s3 bucket OIDC to a private s3 bucket OIDC with CloudFront Distribution

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • To Do
          links to

          GitHub openshift/cloud-credential-operator#486: Add ccoctl support to create OIDC endpoint with private S3 bucket

          GitHub openshift/cloud-credential-operator#500: [release-4.11] OCPBUGS-2278: Add ccoctl support to create OIDC endpoint with private S3 bucket

          GitHub openshift/cloud-credential-operator#501: [release-4.10] Add ccoctl support to create OIDC endpoint with private S3 bucket

          Activity

            People

              mworthin@redhat.com Mike Worthington
              akhilrane Akhil Rane (Inactive)
              Jianping Shu Jianping Shu
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: