Epic
Resolution: Unresolved
Normal
None
None
CAPS | Initial implementation
Product / Portfolio Work
False
False
Unset
To Do
Review the CRCPLAN parent feature for additional context, including the feature overview, goals, user stories and use cases, acceptance criteria, designs, dependencies, risks, assumptions, pending questions and documentation callouts.
Summary and goal
The goal is to create an initial implementation of CAPS (Context and Policy Service), as defined by ADR-080. In this initial version, support for authentication schemes will be limited to sso.redhat.com OIDC. This new service will issue the x-rh-identity header of type User and will be equivalent in behavior to the current 3scale implementation. The functionality of the service will be exposed via an ext_authz-compatible API, allowing it to be used as an external authorizer in a Gateway API implementation. It will also have built-in support for observability through Prometheus metrics and CloudWatch logs.
Acceptance Criteria
- CAPS supports the sso.redhat.com OIDC authentication scheme
- the x-rh-identity header of type User is issued after authentication
- the behavior of the new service is equivalent to the current 3scale implementation
- the functionality is exposed as an ext_authz API
- the gateway service has built-in support for observability (Prometheus metrics and CloudWatch logs)
Checklist
Checklist Item | Required | Notes or Comments |
---|---|---|
Workstream or external team dependencies? | Y / N | |
ADR Required? | Y / N | |
Testing plans | Y / N | |
Known dependencies? | Y / N | |
Open Questions
- What is the specific name for this new service? ("gateway service" is only a working name)
- Will this be built as a standalone service, a Keycloak plugin, or something else?
Issue Links
- is depended on by: RHCLOUD-42367 CAPS | Expose Over East-West Gateway (Refinement)
- relates to: RHCLOUD-42366 Set Up North/South Gateway on HCC Clusters (Refinement)