Open DinaBelova opened 3 weeks ago
The following describes the process of using the credentials:

1. `Credential` object and reference the cluster identity from step 1.
2. `ManagedCluster` where it's referencing the `Credential` object in the same namespace.
3. `.status.credentialState` is set and provisioning stops (no `HelmRelease` objects created).
4. `.spec.config` with values of the cluster identity referenced. These values must be uniform across all templates and well-known. If the user specified the same values, they have lesser precedence and thus will be overwritten.
5. `Cluster` is ready. Controller applies necessary Secrets for CCM/CSI on the managed cluster using kube API calls. Data required is different for each provider, and it could be required to query several provider-specific objects to collect it. CCM/CSI controllers on the managed cluster must be configured accordingly to accept these Secrets.
Goals
In order for CAPI to work, it needs credentials to talk to the infra providers, and these credentials carry quite a high level of permissions. We need to ensure that such credentials can only be seen by a handful of roles in a cluster: enterprises use zero-trust models, and therefore even internal platform engineers should not see any credentials unless they really have to. The goal of this Epic is therefore to ensure that credentials added by Platform Leads can only be seen by Platform Leads, while still ensuring that for specific clusters a Platform Engineer could provide their own credentials.
Major deliverables
Who it benefits
Acceptance criteria
Assumptions
Out of scope
User stories
Tasks: 321, 322, 324, 325, 326, 327, 328, 392, 445