-
Epic
-
Resolution: Done
-
Major
-
None
-
None
-
None
-
ROSA HCP cluster must be configurable with external OIDC
-
False
-
-
False
-
To Do
-
XCMSTRAT-580 - [UI Portion] External OIDC Configuration via OCM in HCP
-
10% To Do, 0% In Progress, 90% Done
-
OCM Core Sprint 252, OCM Core Sprint 253, OCMUI Core Sprint 254, OCMUI Core Sprint 255, OCMUI Core Sprint 256, OCMUI Core Sprint 257
UI Scope needs to be refined:
Option 1: <wgordon> It's my understanding, for an initial deliverable, we won't need a UI. We'll definitely still need some amount of UI work...with the BYO Auth, our existing Identity Provider stuff doesn't work, so we should hide/disable that page (and I think the groups page too)
Option 2: whether we need "full" integration is unclear...it might be "good enough" to have this available in the planned "code view" instead of making input fields for this advanced configuration (if we go with this option, we need to assess UX and UI impact and scope this epic. Currently this is committed to based on Option 1)
Context on feature
A customer can configure OIDC providers to support the current capability: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens and the future capability: https://github.com/kubernetes/kubernetes/blob/2b5d2cf910fd376a42ba9de5e4b52a53b58f9397/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go#L164 with a mechanism that
- allows fixing mistakes
- makes cluster recovery possible in cases where the external token issuer is permanently gone
- allow (might not require, not sure yet) removal of the existing oauth server
Given likely re-use, it might be useful to allow configuration of not-commonly changing information distinct from commonly changing. For instance, most kube cluster should have unique audiences, but the issuer-url and username-claim is probably the same for all clusters.
- is related to
-
OCPSTRAT-956 Enable Break Glass access Mechanism for Cloud Services (ROSA as MVP)
-
- Closed
-
