
Hypershift guest cluster can use external OIDC token issuer

    • XCMSTRAT-365: ROSA must support external OIDC token issuers
    • 20% To Do, 0% In Progress, 80% Done
    • Program Call
    • Proposed

      Feature Overview (aka. Goal Summary)

      A guest cluster can use an external OIDC token issuer. This allows machine-to-machine authentication workflows in which workloads present tokens minted by that issuer rather than by the cluster's own OAuth server.

      Goals (aka. expected user outcomes)

      A guest cluster can configure OIDC providers to support the current capability (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) and the future capability (https://github.com/kubernetes/kubernetes/blob/2b5d2cf910fd376a42ba9de5e4b52a53b58f9397/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go#L164) with an API that:

      1. allows fixing mistakes
      2. alerts the owner of the configuration when a misconfiguration is likely (self-service)
      3. makes the distinction between a product failure (the expressed configuration was not applied) and a configuration failure (the expressed configuration was wrong) easy to determine
      4. makes cluster recovery possible in cases where the external token issuer is permanently gone
      5. allows (but might not require) removal of the existing OAuth server
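      As an added illustration, not part of this ticket or of the HyperShift project, the two Kubernetes mechanisms referenced above side by side: the structured AuthenticationConfiguration file behind the linked types.go (the "future capability", apiserver.config.k8s.io/v1alpha1 as introduced in Kubernetes 1.29, passed to kube-apiserver with --authentication-config) and, in the trailing comment, the equivalent single-issuer kube-apiserver flags (the "current capability"). The issuer URL, audience and claim names are constructed placeholders.

```yaml
# Added example, not from OCPSTRAT-933: a structured authentication
# configuration for kube-apiserver (apiserver.config.k8s.io/v1alpha1).
# Issuer URL, audiences and claim names are constructed placeholders.
apiVersion: apiserver.config.k8s.io/v1alpha1
kind: AuthenticationConfiguration
jwt:
- issuer:
    # Must be HTTPS; the API server fetches the discovery document at
    # <url>/.well-known/openid-configuration and the JWKS it points to.
    url: https://issuer.example.com
    # The token's "aud" claim must contain at least one of these values,
    # so a token minted for another service is rejected here.
    audiences:
    - example-cluster-api
    # certificateAuthority: |   # PEM bundle, only if the issuer uses a private CA
    #   -----BEGIN CERTIFICATE-----
  # Reject tokens from other tenants of the same issuer before any
  # mapping happens; a missing or different "hd" claim fails here.
  claimValidationRules:
  - claim: hd
    requiredValue: example.com
  claimMappings:
    username:
      claim: email
      # A prefix keeps external identities from colliding with
      # cluster-local users such as "system:..." accounts.
      prefix: "oidc:"
    groups:
      claim: groups
      prefix: "oidc:"

# Equivalent flag-based configuration (one issuer only, no rule expressions):
#   --oidc-issuer-url=https://issuer.example.com
#   --oidc-client-id=example-cluster-api
#   --oidc-username-claim=email --oidc-username-prefix=oidc:
#   --oidc-groups-claim=groups  --oidc-groups-prefix=oidc:
#   --oidc-required-claim=hd=example.com
```

      In terms of goals 2 and 3 above, a file that fails schema validation is a configuration failure the API server reports at startup, while an issuer whose discovery endpoint cannot be reached shows up as authentication failures for every token from that issuer; an operator surfacing the first as a validation condition and the second as a reachability condition is what lets the configuration owner tell a wrong configuration from one that was never applied.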


      Requirements (aka. Acceptance Criteria):

      A list of specific needs or objectives that a feature must deliver in order to be considered complete. Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc. Initial completion during Refinement status.

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios. Initial completion during Refinement status.

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin. Initial completion during Refinement status.

      Out of Scope

      High-level list of items that are out of scope. Initial completion during Refinement status.


      Provide any additional context that is needed to frame the feature. Initial completion during Refinement status.

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature. Initial completion during Refinement status.

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs. If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.

      Interoperability Considerations

      Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact? What interoperability test scenarios should be factored by the layered products? Initial completion during Refinement status.

            Adel Zaalouk (azaalouk)
            David Eads (deads@redhat.com)
            Adel Zaalouk, Alberto Garcia Lamela, Anjali Telang, Antoni Segura Puimedon, David Eads, Mike Worthington, Seth Jennings, Xingxing Xia
            He Liu
            Shashank Karanth
            Alberto Garcia Lamela
            Adel Zaalouk
            Dave Mulford