Hybrid Cloud Console / RHCLOUD-42728

Update KIC Stage Deployment for Auth and TLS


      As part of RHCLOUD-42397, the Kessel Inventory Consumer has been updated to the latest Inventory client to support the new idempotency features. This change breaks in environments where authentication is enabled, because gRPC requires that authentication only be done over TLS, which Inventory API currently isn't configured for.

      HCM EngProd has been working with us to leverage Kubernetes service certificates to secure Inventory API. This has been implemented for the HTTP endpoint, but it does not yet support gRPC, nor does it ensure that all other Clowder apps are provided the CA cert for trust.

      Once Clowder enables TLS proxying for gRPC endpoints and ensures the CA cert is available to other ClowdApps, we can re-enable authentication in Stage for Kessel Inventory API. When that happens, the Inventory Consumer will also need to be updated to use TLS and provide the CA cert.

      An example of the changes needed to the Inventory Consumer config can be seen HERE. This will need to be done in stage and prod when ready.

      *Done Criteria*

      • Stage KIC config is updated to enable OIDC auth, secure client, and includes the CA Cert path for TLS communication
      • Prod KIC config is updated when Clowder changes are rolled out and Inventory API is properly serving TLS

              anatale.openshift Antony Natale