-
Sub-task
-
Resolution: Done
-
Normal
-
None
-
None
-
None
-
False
-
-
False
-
Unset
-
CRCPLAN-232 - AuthZ | PRBAC v2 Service Provider Migration Initiation (Internal)
-
-
-
A&M Tech Debt Q10, Access & Management Sprint 95, Access & Management Sprint 95, Access & Management Sprint 96, Access & Management Sprint 97, Access & Management Sprint 98, Access & Management Sprint 99
The sink connector should have its own service account, which it can use to supply client id and secret for authenticating against the relations-api in stage and prod.
It should be determined whether a single service account will suffice for both stage or prod or whether two are required.
Definition of done:
- Service account(s) are created for the sink connector.
- Secrets are deployed on stage and prod with client id and client secret.
- Secrets are mounted as volumes at the locations referenced in https://github.com/project-kessel/kafka-relations-sink/blob/main/relations_sink.json.
- "relations-api.authn.mode" should be set to "oidc-client-credentials" in the above config.
- A test like the one in
RHCLOUD-35568continues to pass with authn now enabled. (Authn need not be enabled on the relations-api for the client to work, but obviously if it is not enabled, authn is not being fully tested.)
