Uploaded image for project: 'OpenShift API for Data Protection'
  1. OpenShift API for Data Protection
  2. OADP-2022

Support the standardized STS configuration flow via OLM and CCO for OADP in OCP 4.14

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Critical Critical
    • OADP 1.2.2
    • None
    • None
    • None
    • Standard STS config via CCO for OCP 4.14
    • False
    • Hide

      None

      Show
      None
    • False
    • QE - Ack
    • Green
    • To Do
    • OCPSTRAT-235 - STS enablement for critical OLM-managed operators
    • OCPSTRAT-235STS enablement for critical OLM-managed operators
    • ToDo
    • 0% To Do, 0% In Progress, 100% Done
    • If Release Note Needed, Set a Value
    • 0
    • 0
    • Very Likely
    • 0
    • None
    • Unset
    • Unknown

      Goals

      Establish a common and simplified configuration experience for the OADP operator on STS-enabled clusters using the new, standardized configuration flow described in OCPBU-559. Users have a repeatable process to configure for the OADP operator for STS with well-known inputs and behavior and can reuse the knowledge about that process with other operators.

      Non-Goals

      Support for any older version of OCP than 4.14.

      Motivation

      Today, the support for AWS STS authentication is well established in our core platform but fragmented at best among our layered products and OLM-managed operators. The configuration experience is also different between individual OLM-managed operators that support STS. OCPBU-4 aims to solve this for all cloud providers using the CloudCredentialOperator (CCO) and its CredentialRequest API.

      Based on this, customers get a repeatable and simple experience of installing and configuring for the OADP operator, or any OLM-managed operator that supports it, for tokenized authentication with their cloud provider.

      The OADP operator has been identified as one of the first critical operators to support that flow to act on customer feedback from ROSA and OSD customers.

      Alternatives

      None.

      Acceptance Criteria

      • OADP operator implements the standardized configuration flow for STS-enabled clusters using CCO and CredentialRequests described here: https://docs.google.com/document/d/1iFNpyycby_rOY1wUew-yl3uPWlE00krTgr9XHDZOTNo/edit#
      • OADP operator gracefully falls back to regular operations when no role ARN is provided
      • OADP operator degrades when the role ARN is provided but CCO does not reconcile the CredentialRequest (either due to a bug or due to running on an older than OCP 4.14 release)
      • OADP operator documents what specific IAM permissions are needed when integrating with AWS using STS and provides easy to consume instructions to create those
      • OADP operator supports this workflow and provides the documentation from 4.14 onwards

      Risk and Assumptions

      • Assumption: you don't currently have an existing way to integrate with STS
      • Risk: if the above assumption is wrong, you need to deprecate this configuration flow in favor of the flow defined in OCPBU-559

      Documentation Considerations

      • OADP operator should rely on documentation the OLM portion of the OCP docs on how to carry out the configuration flow using either the OCP console or the CLI
      • OADP operator in its own documentation section shall supply the required IAM credential instructions

      Open Questions

      Additional Notes

              wnstb Wes Hayutin
              DanielMesser Daniel Messer
              Prasad Joshi Prasad Joshi
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: