Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Insights Operator pulling and exposing data from the OCM API #683

Merged
merged 19 commits into from Aug 18, 2021
Merged

Insights Operator pulling and exposing data from the OCM API #683

Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
b0bddb0
Insights Operator pulling and exposing data from OCM API
tremes Mar 5, 2021
156811e
Update IO - OCM communication proposal
tremes Mar 16, 2021
520dfca
Update names
tremes Mar 23, 2021
f380524
Update namespace name
tremes Apr 1, 2021
9072876
Address the open questions
tremes Apr 8, 2021
a9353f5
Update
tremes Apr 27, 2021
8e38be8
Add more sections from the newer template
tremes Jul 22, 2021
31ca41f
Linting update
tremes Jul 22, 2021
0113815
Add more sections
tremes Jul 22, 2021
83eb79d
Linting update
tremes Jul 22, 2021
0f921cd
Updates based on reviews
tremes Jul 28, 2021
20a7617
Mention the opt-in feature enabled with TechPreviewNoUpgrade feature set
tremes Jul 30, 2021
0b42cc6
Updates based on reviews - describe use of the SCA certs in a cluster
tremes Aug 10, 2021
5eeb9ce
Next update based on the feedback & review
tremes Aug 11, 2021
15ef7c0
Next update based on the feedback & review
tremes Aug 11, 2021
141a6ea
Added new section talking about configuration
tremes Aug 12, 2021
5e84453
Define the conditions for the degraded state more explicitly
tremes Aug 12, 2021
6089e73
Update
tremes Aug 17, 2021
bcebd4c
Mention the reason for the degraded status
tremes Aug 18, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
37 changes: 27 additions & 10 deletions ...cements/insights/pulling-data-from-ocm.md → ...ts/insights/pulling-sca-certs-from-ocm.md
View file
Open in desktop
@@ -1,31 +1,35 @@
---
title: pulling-and-exposing-data-from-ocm
title: pulling-and-exposing-sca-certs-from-ocm
authors:
- "@tremes"
reviewers:
- "@sbose78"
- "@inecas"
- "@petli-openshift"
- "@smarterclayton"
- "@bparees"
- "@dhellman"
- "@mfojtik"
- "@adambkaplan"
approvers:
- "@sbose78"
- "@smarterclayton"
- "@bparees"
- "@dhellman"
creation-date: 2021-03-04
last-updated: 2021-03-09
last-updated: 2021-08-10
status: implementable
see-also:
replaces:
superseded-by:
---

# Insights Operator pulling and exposing data from the OCM API
# Insights Operator pulling and exposing SCA certs from the OCM API

## Release Signoff Checklist

- [x] Enhancement is `implementable`
- [ ] Design details are appropriately documented from clear requirements
- [ ] Test plan is defined
- [ ] Graduation criteria for dev preview, tech preview, GA
- [x] Graduation criteria for dev preview, tech preview, GA
- [ ] User-facing documentation is created in [openshift-docs](https://github.com/openshift/openshift-docs/)

## Summary
Expand All @@ -41,7 +45,6 @@ Users could consume RHEL content and container images using the RHEL subscriptio
In the OpenShift 4, this is no longer possible because the Red Hat Enterprise Linux Core OS (RHCOS) does not
provide any attached subscription. This enhancement is to provide users the Simple Content Access (SCA) certs
from Red Hat Subscription Manager (RHSM).
The Insights Operator is now the only OCP component that connects an OpenShift cluster to a Red Hat subscription experience (console.redhat.com APIs). The consumers of the SCA certs are not only builds, but also shared resources, such as the CSI driver.

### Goals

Expand All @@ -56,6 +59,10 @@ The Insights Operator is now the only OCP component that connects an OpenShift c

## Proposal

### Why is it in the Insights Operator?

The Insights Operator is now the only OCP component that connects an OpenShift cluster to a Red Hat subscription experience (console.redhat.com APIs). The consumers of the SCA certs are not only builds, but also shared resources, such as the CSI driver.
tremes marked this conversation as resolved.
Show resolved Hide resolved

### User Stories

#### Consume SCA certs exposed in the API
Expand Down Expand Up @@ -84,12 +91,19 @@ available in the `pull-secret` (in the `openshift-config-managed` namespace).

The Insights Operator must provide a cluster ID as an identifier of the cluster.

### Data in API
### SCA certs in API

The SCA certificate is available via the `etc-pki-entitlement` secret in the `openshift-config-managed` namespace.
The SCA certificate is available via the `etc-pki-entitlement` secret in the `openshift-config-managed` namespace. The secret will be available for use in other namespaces by creating a cluster-scoped `Share` resource. Cluster admin creates a `clusterrolebinding` to allow a service account access to the `Share` resource.
tremes marked this conversation as resolved.
Show resolved Hide resolved
tremes marked this conversation as resolved.
Show resolved Hide resolved
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not covered in this sentence is the structure of the Secret. Will a particular well-known key be used? If so, can we document it here, or is that a low-enough level of detail that it's not worth including in the enhancement proposal?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIRC the key name can be any .pem file. On a RHEL system the subscription cert key names have what appear to be a uuid for the file name.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should mention it here. I am using kubernetes.io/tls secret with tls.crt for the certificate and tls.key for the private key.


### Use of the SCA certs

- The SCA certificate can be mounted to a `Pod` as a CSI volume (where the volume attributes will reference the `Share` resource making the secret accessible)
- The SCA certificate can be mounted to a `Build` strategy as a CSI volume. The CSI driver is described in the [Share Secrets And ConfigMaps Across Namespaces via a CSI Driver](/enhancements/cluster-scope-secret-volumes/csi-driver-host-injections.md) enhancement.

### Update period
- Insights Operator query the OCM API every 8 hours and downloads the full data provided
- The time period is configurable and can be changed by the cluster admin. Cluster admin can temporarily set a shorter time period to try to refresh the SCA certs
tremes marked this conversation as resolved.
Show resolved Hide resolved
- The documentation will describe the steps how to pull the SCA certs and update the secret manually

### Test Plan

Expand Down Expand Up @@ -124,16 +138,19 @@ There is no upgrade/downgrade strategy needed.

There is no Skew strategy needed. This work should have no impact on the upgrade. It doesn't require any coordinated behavior in the control plane. No other components will change.

The format of the SCA certs is not checked by the Insights Operator.

## Implementation History

There are no other major milestones in the implementation history than the graduation criteria mentioned above.

## Drawbacks

There is no significant drawback.
The performance of the OCM API can be a possible drawback.

## Alternatives

- Alternative is to implement this functionality in another control plane component/operator (e.g openshift-controller-manager).
- Another option is to create a new component/operator for this functionality. This would probably require the most effort and would require additional CPU and memory resources in a cluster.
- Current state, which is the manual addition of the SCA certs to cluster worker nodes. This is not very convenient because the SCA certs change regularly and the change requires node reboot.