Summary : Automate m2m oc/kubectl communication between a job running as .github/workflow and RHTAP ocp4 clusters running on console.redhat.com
Use case description: The use case should be to support to automate tests running part of a github flow where the oc or kubectl client will execute commands against RHTAP (= ocp clusters running here https://console.redhat.com/preview/hac/application-pipeline) AND without the need to use a personal red hat account but instead a service account.
According to Alexey Kazakov, the preferre_username is the service account name but not the username which generated the SA token. So, we can't map the sso SA to any RHTAP workspace.
Right now we require a username because we can tell if this user has permissions to work with specific workspace. We have no idea if some random SA issued by sso has any permissions in a specific workspace (well… we know it doesn’t).
Suggestions to solve it:
“registering” SAs in the workspace. Like adding users to the workspace but instead adding SAs. We don’t have it atm.
Another option is for sso start supporting user groups. Then we could manage groups on sso (for users and SAs). And also we would need to support groups on the RHTAP side. Then you just grand permissions to groups on the RHTAP side but then can add users and SAs to the groups on the sso side.
Todo
Summary : Automate m2m oc/kubectl communication between a job running as .github/workflow and RHTAP ocp4 clusters running on console.redhat.com
Use case description: The use case should be to support to automate tests running part of a github flow where the
oc
orkubectl
client will execute commands against RHTAP (= ocp clusters running here https://console.redhat.com/preview/hac/application-pipeline) AND without the need to use a personal red hat account but instead a service account.The use case will require to have/support:
clientId
andsecretId
which can used part of a query to get a token from the OIDC provider: https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token)service_account_name_uid
We can configure locally the kubectl/oc client (= kube config) to use the token but the ocp's RHTAP cluster will fail to authenticate the OIDC token as they are not configured to accept the OIDC token. See such a config here: https://medium.com/@charled.breteche/kind-keycloak-securing-kubernetes-api-server-with-oidc-371c5faef902
According to Alexey Kazakov, the RHTAP Proxy accepts as OIDC parameters:
721e665b-93d9-4c12-a772-b69eaee5905a
service-account-391f1c4c-fe45-4935-bcee-667b075a9962
Example of OIDC response received using clientId and SecretID
According to Alexey Kazakov, the
preferre_username
is the service account name but not the username which generated the SA token. So, we can't map the sso SA to any RHTAP workspace. Right now we require a username because we can tell if this user has permissions to work with specific workspace. We have no idea if some random SA issued by sso has any permissions in a specific workspace (well… we know it doesn’t).Suggestions to solve it:
Remark: Such a demand already exists https://issues.redhat.com/browse/CRCPLAN-185