Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1523

Service Account Signer Key Rotation for AWS, Azure, and GCP

XMLWordPrintable

    • BU Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • 0% To Do, 50% In Progress, 50% Done
    • 0
    • Program Call

      Feature Overview (aka. Goal Summary)  

      An elevator pitch (value statement) that describes the Feature in a clear, concise way.  Complete during New status.

      As a cluster administrator, I want to rotate the bound service account signing key used by an OpenShift cluster.

      Goals (aka. expected user outcomes)

      The observable functionality that the user now has as a result of receiving this feature. Include the anticipated primary user type/persona and which existing features, if any, will be expanded. Complete during New status.

      Enable support for rotating service account signer keys for OIDC issuer for customers who configure AWS ManualMode w/ STS option.

      Ideally provide an automated tool to perform the rotation. If not possible (due to resource constraints or other limitations), then provide a tested and supported procedure that is published in OpenShift docs.

      Requirements (aka. Acceptance Criteria):

      A list of specific needs or objectives that a feature must deliver in order to be considered complete.  Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc.  Initial completion during Refinement status.

      <enter general Feature acceptance here>

       

      Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

      Deployment considerations List applicable specific needs (N/A = not applicable)
      Self-managed, managed, or both Self-managed
      Classic (standalone cluster) Classic
      Hosted control planes TBD
      Multi node, Compact (three node), or Single node (SNO), or all All
      Connected / Restricted Network Connected
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) All
      Operator compatibility N/A
      Backport needed (list applicable versions) N/A
      UI need (e.g. OpenShift Console, dynamic plugin, OCM) TBD
      Other (please specify)  

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

      <your text here>

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

      <your text here>

      Out of Scope

      High-level list of items that are out of scope.  Initial completion during Refinement status.

      <your text here>

      Background

      Provide any additional context is needed to frame the feature.  Initial completion during Refinement status.

      Background taken from BZ1934363: "Any 3rd party integration that wants to verify bound tokens issued by a cluster needs to watch the configmap openshift-config-managed/bound-sa-token-signing-certs. This configmap contains the public keys needed to validate issued tokens. In the event of rotation the new public key will be added to the configmap and this key will be required to verify tokens issued by the new private key. Deploying a 3rd party integration statically with only a fixed set of public key(s) risks being unable to verify bound tokens issued after keypair rotation."

       

      See also https://github.com/abutcher/sa-key-rotation.

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

      <your text here>

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.

      <your text here>

      Interoperability Considerations

      Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

      <your text here>

              julim Ju Lim
              julim Ju Lim
              Antoni Segura Puimedon, Jeremiah Stuever, Mark Old
              Jeana Routh Jeana Routh
              Jeremiah Stuever Jeremiah Stuever
              Ju Lim Ju Lim
              Eric Rich Eric Rich
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: