Feature Overview (aka. Goal Summary)

Enable a "Break Glass Mechanism" in ROSA (Red Hat OpenShift Service on AWS) and other OpenShift cloud-services in the future (e.g., ARO and OSD) to provide customers with an alternative method of cluster access via short-lived certificate-based kubeconfig when the primary IDP (Identity Provider) is unavailable.

Goals (aka. expected user outcomes)

• Enhance cluster reliability and operational flexibility.
• Minimize downtime due to IDP unavailability or misconfiguration.
• The primary personas here are OpenShift Cloud Services Admins and SREs as part of the shared responsibility.
• This will be an addition to the existing ROSA IDP capabilities.

Requirements (aka. Acceptance Criteria)

• Enable the generation of short-lived client certificates for emergency cluster access.
• Ensure certificates are secure and conform to industry standards.
• Functionality to invalidate short-lived certificates in case of an exploit.

Better UX

• User Interface within OCM to facilitate the process.
• SHOULD have audit capabilities.
• Minimal latency when generating and using certificates (to reduce time without access to cluster).

 Use Cases (Optional)

• A customer's IDP is down, but they successfully use the break-glass feature to gain cluster access.
• SREs use their own break-glass feature to perform critical operations on a customer's cluster.

Questions to Answer (Optional)

• What is the lifetime of generated certificates? 7 days life and 1 day rotation?
• What security measures are in place for certificate generation and storage?
• What are the audit requirements?

Out of Scope

• Replacement of primary IDP functionality.
• Use of break-glass mechanism for routine operations (i.e., this is emergency/contingency mechanism)

 Customer Considerations

• The feature is not a replacement for the primary IDP.
• Customers must understand the security implications of using short-lived certificates.

Documentation Considerations

• How-to guides for using the break-glass mechanism.
• FAQs addressing common concerns and troubleshooting.
• Update existing ROSA IDP documentation to include this new feature.

Interoperability Considerations

• Compatibility with existing ROSA, OSD (OpenShift Dedicated), and ARO (Azure Red Hat OpenShift) features.
• Interoperability tests should include scenarios where both IDP and break-glass mechanism are engaged simultaneously for access.