managed-cluster-config

ROX-27758: Allow ACS team read secured cluster namespace secrets

Open kurlov opened this issue 9 months ago • 7 comments

What type of PR is this?

feature

What this PR does / why we need it?

Which Jira/Github issue(s) this PR fixes?

The ACS team has ACS Central connected to the ACSCS clusters and has a secured cluster configured under the rhacs-secured-cluster namespace. The ACS team owns the Central of this Secured Cluster instance. The secured cluster requires fetching secrets to debug or test specific features.

Fixes ROX-27758

Special notes for your reviewer:

Pre-checks (if applicable):

  • [ ] Tested latest changes against a cluster

  • [ ] Included documentation changes with PR

  • [ ] If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
    - key: api.openshift.com/fedramp
      operator: NotIn
      values: ["true"]
    

kurlov avatar Feb 10 '25 05:02 kurlov
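The PR diff itself is not shown on this page, so the following is an added illustration, not the repository's or the PR's own manifest: the smallest grant that matches the request above, a namespace-scoped Role that allows reading Secrets only in rhacs-secured-cluster, bound to a group. The namespace is the one named in the PR description; the Role, RoleBinding and group names (`acs-team-secret-reader`, `acs-team`) are assumptions.

```yaml
# Added example, not the PR's diff. Only the namespace comes from the PR
# description; object and group names are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: acs-team-secret-reader        # assumed name
  namespace: rhacs-secured-cluster    # namespace named in the PR description
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # get, list and watch all return Secret data, so this is full read access
    # to every Secret in the namespace. No create/update/patch/delete, and no
    # access outside the namespace, because this is a Role, not a ClusterRole.
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: acs-team-secret-reader        # assumed name
  namespace: rhacs-secured-cluster
subjects:
  - kind: Group
    name: acs-team                    # assumed group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: acs-team-secret-reader
  apiGroup: rbac.authorization.k8s.io
```

To confirm the scope after applying it, impersonate a member of the group: `kubectl auth can-i list secrets -n rhacs-secured-cluster --as=someone --as-group=acs-team` should answer `yes`, and the same command with `-n openshift-config` (or any other namespace) should answer `no`. Note that `list` alone is enough to dump every Secret in the namespace, so the verbs, not the resource, are what a reviewer should scrutinize. If the object should not be delivered to FedRAMP clusters, the `api.openshift.com/fedramp NotIn ["true"]` selector from the PR template applies to it in whatever form this repository's config uses.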

@kurlov: This pull request references ROX-27758 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.19.0" version, but no target version was set.

In response to this:

What type of PR is this?

feature

What this PR does / why we need it?

Which Jira/Github issue(s) this PR fixes?

The ACS team has ACS Central connected to the ACSCS clusters and has a secured cluster configured under the rhacs-secured-cluster namespace. The ACS team owns this Central and sometimes needs to fetch secrets to debug or test a specific feature on this Central.

Fixes ROX-27758

Special notes for your reviewer:

Pre-checks (if applicable):

  • [ ] Tested latest changes against a cluster

  • [ ] Included documentation changes with PR

  • [ ] If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
    - key: api.openshift.com/fedramp
      operator: NotIn
      values: ["true"]
    

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Feb 10 '25 05:02 openshift-ci-robot

@kurlov: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Feb 10 '25 06:02 openshift-ci[bot]

@kurlov: This pull request references ROX-27758 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.19.0" version, but no target version was set.

In response to this:

What type of PR is this?

feature

What this PR does / why we need it?

Which Jira/Github issue(s) this PR fixes?

The ACS team has ACS Central connected to the ACSCS clusters and has a secured cluster configured under the rhacs-secured-cluster namespace. The ACS team owns the Central of this Secured Cluster instance. The secured cluster requires fetching secrets to debug or test specific features.

Fixes ROX-27758

Special notes for your reviewer:

Pre-checks (if applicable):

  • [ ] Tested latest changes against a cluster

  • [ ] Included documentation changes with PR

  • [ ] If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
    - key: api.openshift.com/fedramp
      operator: NotIn
      values: ["true"]
    

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Feb 28 '25 14:02 openshift-ci-robot

/lgtm This does not expose customer secrets, rather internal instances, aka dogfood instances, of ACS Centrals.

T0MASD avatar Mar 11 '25 11:03 T0MASD

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kurlov, T0MASD Once this PR has been reviewed and has the lgtm label, please assign bng0y, jharrington22 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar Mar 11 '25 11:03 openshift-ci[bot]

/hold

cblecker avatar Apr 07 '25 21:04 cblecker

@cblecker the jira ROX-2775 was updated with the scope and impact of the permission

T0MASD avatar Apr 23 '25 11:04 T0MASD

See ticket comments for details

kurlov avatar Jun 16 '25 10:06 kurlov