Bug 1569097

Summary: [RFE] Enable PIV authentication against OCP CLI
Product: OpenShift Container Platform
Reporter: gmorgan
Component: RFE
Assignee: Paul Weil <pweil>
Status: CLOSED WONTFIX
QA Contact: Xiaoli Tian <xtian>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.7.0
CC: aos-bugs, awestbro, gmorgan, jokerman, jpullen, mmccomas, sknauss
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-12 11:57:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description gmorgan 2018-04-18 15:31:08 UTC
-Proposed title for this feature request?

Enable PIV authentication against OCP CLI per DHS CA requirements

-Who is the customer behind the request?
Federal Emergency Management Agency (FEMA) - Acct: 5809707
TAM Customer: Yes
CSM Customer: Yes
Strategic: Yes
-What is the nature and description of the request?
Customer is looking for the ability to PIV enable the OpenShift CLI and leverage the required DHS x509v3 named constraint CA4

-Why does the customer need this? (List the business requirements here)

The customer requires the specific name constraint to be enabled to satisfy DHS-wide certificate requirements for PIV.

-How would the customer like to achieve this? (List the functional requirements here)
The named constraint that needs to be enabled is found in the golang library 3.10 which is currently available only in upstream.  The current version in use by OC is 3.7.  

-For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Once the golang library with the required named constraint is available, the DHS customer would be able to test PIV authentication through the OC CLI.

-Is there already an existing RFE upstream or in Red Hat Bugzilla?
A similar one can be found here, but this RFE would specifically hone in on the named constraint requirement that DHS needs enabled. https://bugzilla.redhat.com/show_bug.cgi?id=1314526
A separate bug has also been opened but is still in "NEW" state: https://bugzilla.redhat.com/show_bug.cgi?id=1526837


-Does the customer have any specific timeline dependencies and which release would they like to target?

Impacting ability to show immediate progress on the PIV requirement. However, we have an 11-month waiver before solution needs to be fully implemented. They would like to target OCP 3.7 but upgrading to OCP 3.9 is feasible.

-Is the sales team involved in this request and do they have additional input?

RFE is being submitted by Solutions Architect (George Morgan) on behalf of FEMA GMM.  The account is very strategic since progress here will need to be replicated at other FEMA offices leveraging OCP and PIV in the future.

-List any affected packages or components.

OC


-Would the customer be able to assist in testing this functionality if implemented?

Yes with Red Hat consulting assistance

Comment 2 Kirsten Newcomer 2019-06-12 11:57:00 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.