-
Notifications
You must be signed in to change notification settings - Fork 487
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add proposal for credentials management outside the openshift cluster
- Loading branch information
1 parent
037fe0e
commit 3435a57
Showing
1 changed file
with
129 additions
and
0 deletions.
There are no files selected for viewing
129 changes: 129 additions & 0 deletions
129
enhancements/installer/credentials-management-outside-openshift-cluster.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,129 @@ | ||
| --- | ||
| title: Credentials Management outside OpenShift Cluster | ||
| authors: | ||
| - "@akhil-rane" | ||
| reviewers: | ||
| - "@abhinavdahiya" | ||
| - "@dgoodwin" | ||
| - "@joelddiaz" | ||
| approvers: | ||
| - "@derekwaynecarr" | ||
| - "@sdodson" | ||
| creation-date: 2021-03-25 | ||
| last-updated: 2021-03-25 | ||
| status: provisional | ||
| --- | ||
|
|
||
| # Credentials Management outside OpenShift Cluster | ||
|
|
||
| ## Release Signoff Checklist | ||
|
|
||
| - [ ] Enhancement is `implementable` | ||
| - [ ] Design details are appropriately documented from clear requirements | ||
| - [ ] Test plan is defined | ||
| - [ ] Operational readiness criteria is defined | ||
| - [ ] Graduation criteria for dev preview, tech preview, GA | ||
| - [ ] User-facing documentation is created in [openshift-docs](https://github.com/openshift/openshift-docs/) | ||
|
|
||
| ## Summary | ||
|
|
||
| The intent of this enhancement is to take the process of credentials management outside the OpenShift cluster for new | ||
| platforms. We propose to make *manual* mode as default for clusters on new platforms. | ||
|
|
||
| ## Motivation | ||
|
|
||
| The main motivation behind this enhancement is to satisfy the customer requirement to follow the best security practices | ||
| by not storing admin credentials inside the cluster | ||
|
|
||
| ### Goals | ||
|
|
||
| As part of this enhancement we plan to do the following: | ||
| * Set *manual* as default/preferred credentials mode for OpenShift | ||
| * Not store admin level cloud credentials inside a cluster | ||
| * Provide a tooling design for credentials management outside the cluster | ||
|
|
||
| ### Non-Goals | ||
|
|
||
| * We do not plan to go into design details on how this tool will be ported to cloud providers other than AWS. | ||
|
|
||
| ## Proposal | ||
|
|
||
| Currently, *mint* is a default credentials mode for OpenShift. In this mode we run OpenShift installer with an admin | ||
| level cloud credential. The admin credential is stored in kube-system namespace and then used by the cloud credential | ||
| operator to process the CredentialRequests in the cluster and create new users with fine-grained permissions. | ||
| The customers have reported that the need to store admin credentials inside the cluster is a major disadvantage. Based | ||
| on the feedback, we propose to run credentials related setup outside a cluster and then start installation process in a | ||
| *manual* mode without providing admin credentials to the installer. | ||
|
|
||
| ### User Stories | ||
|
|
||
| #### Story 1 | ||
| As a OpenShift cluster administrator I should be able to extract the CredentialsRequest manifests from the release image | ||
| and create credentials in the underlying cloud provider. | ||
|
|
||
| #### Story 2 | ||
| As a OpenShift cluster administrator I should be able to extract the CredentialsRequest manifests from the release image | ||
| and create Kubernetes Secrets in to satisfy all CredentialsRequests. | ||
|
|
||
| #### Story 3 | ||
| As a OpenShift cluster administrator I should be able to install a OpenShift cluster, without providing admin credentials | ||
| to the installer, by injecting precreated Kubernetes Secrets. | ||
|
|
||
| ### Risks and Mitigations | ||
|
|
||
| ## Design Details | ||
|
|
||
| We intend to build an optional tool **ccoctl** which will handle credentials management of the cluster in *manual* mode. | ||
| The following is the set of requirements for the current prototype (for AWS). We can have something similar for other | ||
| platforms. | ||
|
|
||
| * ccoctl should be able to setup Identity Provider to authenticate OpenShift components | ||
| * ccoctl should be to take a list of CredentialsRequests from the release image and create/update Roles with | ||
| appropriate permissions. | ||
| * ccoctl should be to take list of CredentialsRequests for a release image, and the Identity Provider URL to generate | ||
| the objects that need to be passed to the installer for successful installation | ||
| * ccoctl should be able to delete all the resources that it had created in the cloud | ||
|
|
||
| We envision **ccoctl** as a recommended tool to setup credentials on new platforms but customers are free to use other | ||
| tools like Terraform/AWS CloudFormation to do the above mentioned tasks. Read more about AWS implementation details [here](https://github.com/openshift/cloud-credential-operator/blob/master/docs/ccoctl.md) | ||
|
|
||
| We also plan to have a detailed documentation in place to guide new cloud providers to implement *manual* mode. | ||
|
|
||
| ### Open Questions | ||
|
|
||
| ### Test Plan | ||
|
|
||
| We plan to have a e2e test that will externally set up a credentials management infrastructure and then kickstart | ||
| install in a *manual* mode. | ||
|
|
||
| ### Graduation Criteria | ||
|
|
||
| ### Upgrade / Downgrade Strategy | ||
|
|
||
| To upgrade we need to execute following steps: | ||
| * Examine the CredentialsRequests in the new OpenShift release. Check if permissions in the existing CredentialsRequest | ||
| have changed. | ||
| * Create/update credentials in the underlying cloud provider, and also create/update Kubernetes Secrets in the correct | ||
| namespaces to satisfy all CredentialsRequests in the new release. | ||
| * Set an appropriate annotation `cloudcredential.openshift.io/upgradeable-to` to a new upgradable version. | ||
|
|
||
| We also plan to have provision in ccoctl to help in upgrades. Details in [this](https://issues.redhat.com/browse/CCO-84) card. | ||
|
|
||
| ### Version Skew Strategy | ||
|
|
||
| ## Implementation History | ||
|
|
||
| We currently have a work-in-progress CLI tool [ccoctl](https://github.com/openshift/cloud-credential-operator/blob/master/docs/ccoctl.md) | ||
| to create and manage cloud credentials outside the cluster for AWS cloud. The design details of this tool is discussed above. | ||
|
|
||
| ## Drawbacks | ||
|
|
||
| * Taking the credentials management outside the cluster will create additional overhead for the customer to make sure all | ||
| the required infrastructure is in place before starting the installation process. Current tooling we have only supports | ||
| the AWS cloud, we do not have anything planned for other cloud providers. | ||
| * Push-button upgrades will not work in *manual* mode. | ||
|
|
||
| ## Alternatives | ||
|
|
||
| ## Infrastructure Needed [optional] | ||
|
|