Epic Goal

• Unified Console needs API driven authentication and access control to managed clusters

Why is this important?

• Seamless login across the managed OpenShift clusters
•  

Scenarios

1. Cluster proxy service  slack thread
2. NOTE: IDP config is limited to only the ‘user’ auth path
3. Today in Tech Preview: Get the token from cluster to manage APIs on the spokes
   1. Oauth from each spoke is used with public API server 
   2.  console backend proxies all the request headers for the cluster name
   3. Dance / handshake to get token for each cluster get stored to cookies in browser
      BLOCKER: Using ManagedClusterAction is a permission escalation to the console operator SA

Acceptance Criteria

• CI - MUST be running successfully with tests automated
• Release Technical Enablement - Provide necessary release enablement details and documents.
• ...

Dependencies (internal and external)

1. ...

Previous Work (Optional):

1. …

Open questions:

1. Can Token Review webhook be used? https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>