1. Proposed title of this feature request: [RFE] OCM generate temporary cluster access-token | OSD cluster environment
2. What is the nature and description of the request?
Cx mentions:
~~~
We would like to know if it's possible through OCM API / OCM CLI to generate an OpenShift Dedicated Cluster service-account & token to permit access to the API when internal OAuth of the cluster is not working or there is a problem with current identity provider.
~~~
3. Why does the customer need this? (List the business requirements here)
~~~
Use Case:
- Install OSD Private Cluster 4.17 in Google Cloud Project
- Create additional Client PSC for accessing the API (for OSD Private Cluster) or access the cluster API when ingress is set to private (for OSD Public Cluster & Private Ingress )
- OCM cli generate temporary token for service-account with cluster-admin rights
- Access the cluster using oc login --token='sha256~xxxxxxx' https://api.cluster:6443
Details:
- cannot authenticate when not reaching the private default ingress-controller, due to calls at https://oauth-openshift.<cluster_name>.<id>.p2.openshiftapps.com (based on the flow from the https://api.cluster:6443/.well-known/oauth-authorization-server response)
- when the current setup of the Identity Provider is not working, besides using a new HTPasswd file
Target implementation is for an internal OSD in-cluster service-account and token; it has no link to the OCM Offline Token nor to the ServiceAccount used for accessing the GCP project (osd-ccs-admin)
~~~
This was requested from cx after the following observations:
~~~
We have the cluster installed and *we don't have an issue on creating the PSC to reach the cluster's API endpoints*; it's more related to the capability to generate, using OCM, a cluster-token to allow interaction with the API **without** a need to reach the ingress-controller (authentication layer)
~~~
~~~
As per case 04018850 - customer had an issue with the initial oc login
They wouldn't have faced the issue if there was a possibility to directly create an admin service account
oc login - goes to the master, then returns through oauth / LB (a different path, which complicates routing etc.)
If there was a service account, it would have a token, so there would be no need to pass through oauth
~~~
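As an added example (not part of this RFE, of OCM or of the cluster tooling), two offline checks that bear on both quoted flows above: one reads the `.well-known/oauth-authorization-server` document to show that every OAuth endpoint lives on the ingress-hosted `oauth-openshift` route rather than the API host, which is why a user/password `oc login` stalls when the private ingress is unreachable; the other inspects a service-account JWT to confirm it is a bound, short-lived token rather than a legacy unbounded one, the property a break-glass admin token should have. The cluster names, the discovery document and both tokens are constructed sample data.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed discovery document for the RFE's cluster: OAuth endpoints are on the ingress host.
API_URL = "https://api.example-cluster.abcd.p2.openshiftapps.com:6443"
OAUTH_HOST = "oauth-openshift.example-cluster.abcd.p2.openshiftapps.com"
WELL_KNOWN = json.dumps({
    "issuer": f"https://{OAUTH_HOST}",
    "authorization_endpoint": f"https://{OAUTH_HOST}/oauth/authorize",
    "token_endpoint": f"https://{OAUTH_HOST}/oauth/token",
})

def oauth_hosts_off_api(api_url: str, well_known_json: str) -> set:
    """Hosts the OAuth login flow must reach besides the API host; a non-empty
    result means a user/password `oc login` depends on the ingress path."""
    api_host = urlparse(api_url).hostname
    doc = json.loads(well_known_json)
    keys = ("issuer", "authorization_endpoint", "token_endpoint")
    return {urlparse(doc[k]).hostname for k in keys if k in doc} - {api_host}

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode an SA JWT payload without verifying the signature (inspection
    only). A `sha256~...` value is an OAuth access token, not an SA JWT."""
    if token.startswith("sha256~"):
        raise ValueError("OAuth access token, not a service-account JWT")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def is_bounded_sa_token(token: str, max_seconds: int = 3600) -> bool:
    """True only for a bound (TokenRequest-style) service-account token living
    at most max_seconds; legacy secret-backed SA tokens carry no `exp`."""
    c = jwt_claims(token)
    if not str(c.get("sub", "")).startswith("system:serviceaccount:"):
        return False
    return "exp" in c and "iat" in c and 0 < c["exp"] - c["iat"] <= max_seconds

# Constructed, unsigned tokens; the signature segment is a placeholder.
SA = "system:serviceaccount:kube-system:break-glass-admin"
BOUND_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url(
    {"iss": "https://kubernetes.default.svc", "iat": 1700000000,
     "exp": 1700003600, "sub": SA}), "sig"])
LEGACY_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url(
    {"iss": "kubernetes/serviceaccount", "sub": SA}), "sig"])
```

The `sha256~...` value in the use case above is the OAuth access-token format; a token minted for a service account is a JWT, and `oc login --token=` accepts either as a bearer token.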
Let us know your thoughts on this
Thanks in advance