• Icon: Sub-task Sub-task
    • Resolution: Done
    • Icon: Normal Normal
    • Consoledot CY24Q4
    • None
    • None
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • Unset
    • CRCPLAN-232 - AuthZ | PRBAC v2 Service Provider Migration Initiation (Internal)
    • A&M Tech Debt Q10, Access & Management Sprint 95, Access & Management Sprint 95, Access & Management Sprint 96, Access & Management Sprint 97, Access & Management Sprint 98

      The sink connector should have its own service account, which it can use to supply client id and secret for authenticating against the relations-api in stage and prod.

      It should be determined whether a single service account will suffice for both stage or prod or whether two are required.

      Definition of done:

      1. Service account(s) are created for the sink connector.
      2. Secrets are deployed on stage and prod with client id and client secret.
      3. Secrets are mounted as volumes at the locations referenced in https://github.com/project-kessel/kafka-relations-sink/blob/main/relations_sink.json. 
      4. "relations-api.authn.mode" should be set to "oidc-client-credentials" in the above config.
      5. A test like the one in RHCLOUD-35568 continues to pass with authn now enabled. (Authn need not be enabled on the relations-api for the client to work, but obviously if it is not enabled, authn is not being fully tested.)

            anatale.openshift Antony Natale
            mmclaugh@redhat.com Mark McLaughlin
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: