Insights Operator pulling and exposing data from OCM API

enhancements/insights/pulling-data-from-ocm.md

@@ -0,0 +1,87 @@
+---
+title: pulling-and-exposing-data-from-ocm
+authors:
+  - "@tremes"
+reviewers:
+  - "@sbose78"
+  - "@0sewa0"
+  - "@inecas"
+  - "@smarterclayton"
+approvers:
+  - "@sbose78"
+  - "@smarterclayton"
+creation-date: 2021-03-04
+last-updated: 2021-03-09
+status: implementable
+see-also:
+replaces:
+superseded-by:
+---
+
+# Insights Operator pulling and exposing data from the OCM API
+
+## Release Signoff Checklist
+
+- [x] Enhancement is `implementable`
+- [ ] Design details are appropriately documented from clear requirements
+- [ ] Test plan is defined
+- [ ] Graduation criteria for dev preview, tech preview, GA
+- [ ] User-facing documentation is created in [openshift-docs](https://github.com/openshift/openshift-docs/)
+
+## Summary
+
+This enhancement will enable the Insights Operator to pull the data (SCA certs)
+from the OCM (OpenShift Cluster Manager) API. The data will be exposed by the Insights Operator 
+in the OpenShift API to allow users to use them when consuming and building container images 
+on the platform.  
+
+## Motivation
+
+Users could consume RHEL content and container images using the RHEL subscription in the OpenShift 3.x.
+In the OpenShift 4, this is no longer possible because the Red Hat Enterprise Linux Core OS (RHCOS) does not
+provide any attached subscription. This enhancement is to provide users the Simple Content Access (SCA) certs
+from Red Hat Subscription Manager (RHSM). 
+
+### Goals
+
+- Extend the Insights Operator config with an OCM API URL to be able to query the data
+- Periodically pull the data from the OCM API and expose it in the OpenShift API
+
+### Non-Goals 
+
+- Insights Operator providing any transformation or post-processing of the data pulled 
+  from the OCM API
+
+## Proposal
+
+### User Stories
+
+#### Consume SCA certs exposed in the API
+
+As an OpenShift user 
+I want to consume SCA certs to be able to consume RHEL content and to build
+corresponding container images. 
+
+### Risks and Mitigations
+
+#### OCM API is down
+
+Risk: OCM API is down or doesn't provide up to date data.
+
+Risk: Insights Operator is unable to expose/update the data in the OpenShift API
+
+Mitigation: We can introduce a new state in the Insights Operator (e.g "ObsoleteSubscriptionData"), but a new alert would be probably better.  
+
+## Design Details
+
+### Open questions
+- OCM API authentication - can we use existing "pull-secret" token to access the OCM API as well? If not, what are the alternatives?
+- Where to expose the new data? New secret in the "openshift-config" namespace? Are there some naming conventions for the secret? 
+- How often should the Insights Operator query the OCM API? Every 4 hours? Do we always need to download the full SCA cert data? 
+- Where to verify that the SCA certs are valid (user can use it to consume RHEL content) ? Insights Operator integration tests?
+
+### Test Plan
+
+- `insights-operator-e2e-tests` suite can verify the SCA cert data
+  is available
+- the validity of the SCA certs can be tested as well (see the open questions)