    • XCMSTRAT-493 ARO HCP (P5) - Public Preview

      During the ARO-HCP f2f there was discussion around having separate components (refreshers) to handle the refreshing of several kinds of certificates and secrets.

      Specifically, the following needs are included:

      • Refresh ACR Image Pull Secrets
      • Refresh APIServer SSL certificates
      • Refresh Ingress SSL certificates

      Additionally, we will also need an MSI Certificate refresher, but that is not included in this Initiative because it will also be implemented for ARO Classic and is tracked in another initiative: specifically, the https://issues.redhat.com/browse/ARO-5203 story under the https://issues.redhat.com/browse/XCMSTRAT-470 initiative.

      Some additional notes that were written down in the f2f:

      • For the MSI Certificate refresher, the implementation for ARO Classic can be reused for HCP. This is tracked in a different initiative from this one.
      • The MSI components implementation is owned by MSFT.

      This initiative is about evaluating whether we want to go forward with the approach and, if that's the case, coming up with a design and implementing it.

      Unknowns

      • Are we going to follow the approach of having separate refreshers, or are we going to implement it in CS and/or the RP itself?
      • If we go for the approach of having separate refreshers, are we going to have one per need, or a single refresher that covers the refreshing of several areas?
      • If we go with the concept of refreshers, are they going to provide their own API that will be called by someone? If so, who is that someone: the RP, a Geneva action directly, or something else?
      • If we go with the concept of refreshers, are the refreshers going to act directly within the customers' OCP control planes / data planes, or through some intermediate component like Maestro and/or CS? If it is against CS, what would be the point of having refreshers themselves rather than just using CS directly?
      • We are possibly going to support user-provided image pull secrets. How would we deal with that in the ACR Image Pull Secrets refresher when rotation happens? We need to be careful that the rotation does not remove the user-provided image pull secrets (if any).

      Goal

      What is our purpose in implementing this? What are we enabling by doing this work? Time-box goals to 4-6 months.

      Benefit Hypothesis:

      What are the benefits (to Red Hat, eventually to customers, to the community, etc.)? Does it improve security, performance, supportability, etc.? Why is this work a priority?

      We believe that the result of doing this work will be ...

      Resources

      Add any resources (docs, slides, etc.) pertinent to the definition of the work. These might not be known until later. Update as necessary.

      Responsibilities

      Indicate which roles and/or teams will be responsible for contributing to the initiative and generally what they might be expected to do.

      Success Criteria

      Provide some examples of how we will know if we have achieved the goal. What can be measured to determine success? What observable actions/outcomes can be seen to determine success? Specific, Measurable, Achievable, fits within the Time-box.

      Results

      Add results here once the Initiative is started. Recommend discussions & updates once per quarter in bullets.

            Unassigned
            msorianod Miguel Soriano
                Original Estimate - 8 weeks
                Remaining Estimate - 8 weeks
                Time Spent - Not Specified