Outcome
Resolution: Unresolved
Critical
0% To Do, 0% In Progress, 100% Done
Feature Overview
Customers want:
- integration with third-party authentication providers that support machine-to-machine workflows (Azure Active Directory resource owner flows, for instance)
- migration from existing Kubernetes authentication (external OIDC is already present and support for multiple providers is coming soon)
- multi-cluster token issuer configuration (Backstage and ACM)
This feature is about achieving that.
Success Criteria
To be successful:
- we must be able to configure external OIDC providers
- we must be able to maintain those configurations over time, including efficient debugging and mutation as needs change
- we must support multiple token providers per cluster to allow migration
- we must have an easy-to-deploy reference architecture for a multi-cluster OIDC provider
- all Red Hat-provided token consumers must interoperate with external OIDC providers
Expected Results (what, how, when)
_This Jira will have functionality similar to the BYO External OAuth feature delivered with ROSA HCP (See https://issues.redhat.com/browse/XCMSTRAT-365)_
Expected Workflow (Not exact workflow, but similar to below):
The platform engineer
Alice is the platform engineer who oversees the setup and maintenance of all ARO clusters. Previously, managing a separate set of credentials for ARO added unnecessary complexity and risk because of the extra overhead. With external OIDC, Alice can:
- Simplify her workflow: By connecting ARO to the company's existing OIDC provider, Alice uses familiar tools and streamlines access management.
- Enhance security: Centralizing authentication and authorization minimizes the risk of compromised credentials.
What Alice needs to do:
- Register an OAuth client: Coordinate with the OIDC provider to set up an OAuth client tailored for user and group management. See the Entra ID/Azure AD example in the tutorials for Red Hat OpenShift Service on AWS 4.
The cluster administrator
Bob is the cluster administrator tasked with managing permissions for different teams within the organization across multiple clusters. Previously, he had to replicate these permissions on every cluster in the fleet of ARO clusters he manages, which was both time-consuming and error-prone. Now, Bob can:
- Save time: By integrating the company's existing Identity Provider (IdP), Bob manages permissions consistently across all the ARO clusters and reduces manual tasks.
- Empower teams: With this integration, teams use their existing credentials to access ARO, so Bob no longer has to create and manage separate accounts.
What Bob needs to do:
- Create an ARO cluster with external authentication enabled: {{az aro create cluster --hosted-cp --region --external-auth-providers=enabled ....}}
- Configure the external authentication provider: {{az aro create external-auth-provider}}.
- (Optional) Set up break-glass credentials for emergency access: {{az create break-glass-credentials}}
- Define the necessary RBAC roles and permissions for users and groups.
(Refer to https://cloud.redhat.com/experts/idp/azuread-aro-cli/ for how OIDC was configured in ARO before. In this case the last step, the OAuth configuration, is omitted; instead the Azure CLI configures KAS directly.)
The developer
As a developer, Carol accesses ARO clusters to deploy and manage applications. Previously, juggling multiple logins was both frustrating and inefficient. Now, Carol can:
- Focus on development: Using a single set of credentials, Carol moves efficiently between environments, which improves her productivity.
- Easily access resources: The streamlined login process with external OIDC removes the hassle of managing multiple passwords or tokens, letting Carol concentrate on development.
What Carol needs to do:
- Authenticate with corporate credentials: Log in with her corporate credentials to obtain a token from the IdP.
- Use that token to access the OpenShift/Kubernetes APIs directly with oc/kubectl (via the oc/kubectl exec command) or the oc-oidc plugin.
Post Completion Review – Actual Results
After completing the work (as determined by the "when" in Expected Results above), list the actual results observed / measured during Post Completion review(s).
- blocks: OCPSTRAT-759 [Upstream] CAPZ provider for ARO with HCP (Backlog)
- clones: XCMSTRAT-365 ROSA must support external OIDC token issuers (In Progress)
- is depended on by: XCMSTRAT-410 ARO HCP (P3) - Private Preview (New)