Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-110

Hypershift-enablement for short-lived token authentication flows with OLM-managed operators with CCO

    XMLWordPrintable

Details

    • True
    • Hide

      Completion of AWS security audit work.

      Show
      Completion of AWS security audit work.
    • False
    • OCPSTRAT-6Tokenized Auth Enablement for OLM-managed Operators on Cloud Providers
    • 75
    • 75% 75%
    • L
    • 0
    • 0

    Description

      Feature Overview:

      Hypershift-provisioned clusters, regardless of the cloud provider support the proposed integration for OLM-managed integration outlined in OCPBU-559 and OCPBU-560.

       

      Goals 

      There is no degradation in capability or coverage of OLM-managed operators support short-lived token authentication on cluster, that are lifecycled via Hypershift.

       

      Requirements:

      • the flows in OCPBU-559 and OCPBU-560 need to work unchanged on Hypershift-managed clusters
      • most likely this means that Hypershift needs to adopt the CloudCredentialOperator
      • all operators enabled as part of OCPBU-563, OCPBU-564, OCPBU-566 and OCPBU-568 need to be able to leverage short-lived authentication on Hypershift-managed clusters without being aware that they are on Hypershift-managed clusters
      • also OCPBU-569 and OCPBU-570 should be achievable on Hypershift-managed clusters

       

      Background

      Currently, Hypershift lacks support for CCO.

      Customer Considerations

      Currently, Hypershift will be limited to deploying clusters in which the cluster core operators are leveraging short-lived token authentication exclusively.

      Documentation Considerations

      If we are successful, no special documentation should be needed for this.

       

      Attachments

        Issue Links

          depends on

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-27103 Failed to create secret on HyperShift Hosted Cluster with short-lived token was enabled by CCO.

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-25897 Failed to create secret on HyperShift Hosted Cluster with short-lived token was enabled by CCO.

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-171 CloudCredentialOperator-based flow for OLM-managed operators and AWS STS

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is related to

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-235 STS enablement for critical OLM-managed operators

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          links to

          Web Link CCO on HyperShift

          Web Link STS enablement enhancement

          Activity

            People

              azaalouk Adel Zaalouk
              DanielMesser Daniel Messer
              Daniel Geoffroy, James Harrington, Jeremiah Stuever, Jianping Shu, Lance Galletti, Mike Worthington, Steve Kuznetsov
              Jianping Shu Jianping Shu
              Stephanie Stout Stephanie Stout
              Steve Kuznetsov Steve Kuznetsov
              Dave Mulford Dave Mulford
              Votes:
              0 Vote for this issue
              Watchers:
              18 Start watching this issue

              Dates

                Created:
                Updated: