Bug 2014557

Summary: RFE: Copy secret with specific secret namespace and name for source, and name, namespace and cluster label for target
Product: Red Hat Advanced Cluster Management for Kubernetes
Reporter: Daniel Schimpfoessl <dschimpf>
Component: GRC & Policy
Assignee: Gus Parvin <gparvin>
Status: CLOSED ERRATA
QA Contact: Derek Ho <dho>
Severity: high
Docs Contact: Mikela Dockery <mdockery>
Priority: unspecified
Version: rhacm-2.3
CC: juhsu, jwakely, rjung, xiangli, yahliu, yuhe
Target Milestone: ---
Flags: ming: rhacm-2.5+
Target Release: rhacm-2.5
Hardware: All
OS: All
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-06-09 02:07:01 UTC
Type: Bug

Description Daniel Schimpfoessl 2021-10-15 14:35:12 UTC
Description of the problem:
When there is a unique secret for each managed cluster on the hub, how do you copy each secret from the hub, in a source namespace with a specific name, to a selected managed cluster in a different namespace with a different name?

Release version:
2.3

Operator snapshot version:

OCP version:
4.8.13

Browser Info:
N/A

Steps to reproduce:
1. Create 20 managed clusters named user01-user20
2. Create a unique secret on the hub for each cluster
3. Copy each secret from the hub to the managed cluster in the proper namespace with the right name

Actual results:
No option

Expected results:
Each cluster-specific secret should be on the managed cluster in the right namespace with the desired name.
If I have one namespace on the hub, "workshop-secrets", with secrets for each managed cluster, "dashboard-env-user01" through "dashboard-env-user20", copy each secret to the managed cluster into namespace "lab-ocp-cns" with the name "dashboard-env". Alternatively, and maybe more applicable for users, we could have the secrets in the cluster namespace on the hub to control access by cluster rather than by project, such that the hub would have a secret named "dashboard-env" in the "user01" through "user20" namespaces. So any variation of namespaceA.nameB for the secret on the hub will result in a namespaceC.nameD on the cluster, where there needs to be a way to select which source maps to which cluster. Maybe have the secret carry a specific label or annotation to key off, like subscriptions use for filtering.

Additional info:

Comment 1 Roke Jung 2021-10-15 15:32:48 UTC
The namespace subscription for copying secrets from hub to managed clusters is being deprecated. However, this could be good user input for enhancing policy's secret management capabilities in the future.

Daniel is currently working around the problem with the namespace secret subscription by creating a unique channel/subscription/placementrule for each managed cluster to copy the cluster specific password.

Comment 2 juhsu 2021-11-11 20:45:59 UTC
Reassigning to product mgmt to prioritize as part of the GRC & policy roadmap.

Comment 3 juhsu 2021-12-13 22:44:48 UTC
Comment from Yu Cao:  This issue will be addressed in 2.5 by https://issues.redhat.com/browse/ACM-1043

Comment 4 yahliu 2022-05-12 04:08:57 UTC
Already verified the feature https://issues.redhat.com/browse/ACM-1043 in 2.5.
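As an added illustration of the requested behaviour, not part of this bug report or of the ACM-1043 implementation itself: a Policy using RHACM hub templates that copies each hub secret workshop-secrets/dashboard-env-<cluster> into lab-ocp-cns/dashboard-env on the clusters selected by label. It assumes the copySecretData hub template function and the .ManagedClusterName variable available from RHACM 2.5, and that hub templates may only read secrets from the namespace the Policy itself lives in, so the Policy is placed in workshop-secrets; the workshop=true label and the resource names are made up for the example.

```yaml
# Added example (assumed RHACM 2.5 hub template functions); not the bug's own fix.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: copy-dashboard-env
  namespace: workshop-secrets      # same namespace as the source secrets (assumed hub template restriction)
spec:
  disabled: false
  remediationAction: enforce
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: copy-dashboard-env
        spec:
          remediationAction: enforce
          severity: medium
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Secret
                metadata:
                  name: dashboard-env          # target name on the managed cluster
                  namespace: lab-ocp-cns       # target namespace on the managed cluster
                type: Opaque
                # Resolved on the hub per cluster: dashboard-env-user01 for cluster user01, and so on.
                data: '{{hub copySecretData "workshop-secrets" (printf "dashboard-env-%s" .ManagedClusterName) hub}}'
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: workshop-clusters
  namespace: workshop-secrets
spec:
  clusterSelector:
    matchLabels:
      workshop: "true"             # only clusters carrying this (made-up) label receive the secret
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: copy-dashboard-env
  namespace: workshop-secrets
placementRef:
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
  name: workshop-clusters
subjects:
  - apiGroup: policy.open-cluster-management.io
    kind: Policy
    name: copy-dashboard-env
```

Because the hub resolves the template before replicating the policy to each cluster namespace, whoever can read replicated policies on the hub can see the resolved secret data, so RBAC on those namespaces should be reviewed alongside this approach.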

Comment 7 errata-xmlrpc 2022-06-09 02:07:01 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4956
