  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-16620

Application Credential support for service users in service operators


    • Icon: Epic Epic
    • Resolution: Unresolved
    • Icon: Normal Normal
    • rhos-18.0.17 FR 5
    • Application Credential support in service operators
    • Not Selected
    • Proposed
    • Proposed
    • In Progress
    • RHOSSTRAT-990 - Zero downtime password rotation [FR5]
    • Proposed
    • Proposed
    • 93% To Do, 7% In Progress, 0% Done

      Goal:

      Enable service operators to consume Keystone ApplicationCredentials instead of static passwords, and automatically roll pods when those credentials rotate.

      • Service controllers watch and read the AC CR
      • Fetch the AC oc secret (ID+SECRET), verify it, and render it to the pod
      • Compute the secret-hash and trigger a rolling restart when it changes
      • Fall back to password-based auth only if no AC Secret is configured
      • In operators that manage services needing AC on the dataplane, implement dataplane support; see Jira - https://issues.redhat.com/browse/OSPRH-14740
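
A sketch of the verify, hash and fall-back steps listed above, added here as an illustration and not taken from any operator's code. The Secret key names `AC_ID` and `AC_SECRET`, the type and function names, and the use of plain maps in place of Kubernetes Secret data are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Assumed key names: the goal text only says the Secret carries "ID+SECRET".
const keyID, keySecret = "AC_ID", "AC_SECRET"

var ErrInvalidACSecret = errors.New("AC secret configured but ID or SECRET is empty")

// AuthConfig is what a hypothetical controller renders into the pod template.
type AuthConfig struct {
	Mode string // "application_credential" or "password"
	Hash string // stored on the pod template; a change rolls the pods
}

// hashData hashes entries in sorted key order with length prefixes, so the
// result is stable across reconciles and unambiguous across key/value splits.
func hashData(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%d:%s=%d:", len(k), k, len(data[k]))
		h.Write(data[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Resolve falls back to the password only when no AC Secret is configured
// (nil). A configured but incomplete AC Secret is an error, never a fallback.
func Resolve(acSecret, passwordSecret map[string][]byte) (AuthConfig, error) {
	if acSecret == nil {
		return AuthConfig{Mode: "password", Hash: hashData(passwordSecret)}, nil
	}
	if len(acSecret[keyID]) == 0 || len(acSecret[keySecret]) == 0 {
		return AuthConfig{}, ErrInvalidACSecret
	}
	return AuthConfig{Mode: "application_credential", Hash: hashData(acSecret)}, nil
}

// NeedsRollout compares the hash recorded on the running pods with the new one.
func NeedsRollout(recorded string, cfg AuthConfig) bool { return recorded != cfg.Hash }

func main() { // constructed sample values
	cfg, err := Resolve(map[string][]byte{keyID: []byte("id"), keySecret: []byte("s1")}, nil)
	fmt.Println(cfg.Mode, NeedsRollout("", cfg), err)
}
```

Returning an error for an incomplete AC Secret keeps a broken rotation visible in reconcile status instead of silently reverting the service to its static password.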

      Acceptance Criteria:

      • Proper reconciliation logic
      • Functional/kuttl tests

      Open questions:

       

              rh-ee-vfisarov Veronika Fisarova
              rh-ee-vfisarov Veronika Fisarova
              rhos-dfg-security
