Description of problem (please be detailed as possible and provide log snippets):

1) Customer product has a requirement to manage the credentials for all the service accounts in the system. ODF Noobaa brings an admin account and bucket user accounts. As part of the product’s service accounts credential management, the product expects to change/rotate the credentials (password, access and secret keys) for these Noobaa accounts periodically or on-demand.

This requirement needs REST APIs from Noobaa for the below use cases:
a) Change the Noobaa admin account access key and secret key
b) Change the Noobaa admin account password
c) Change the Noobaa bucket account's access key and secret key

What happens if this is not implemented:
ODF Noobaa accounts credentials are stored in its internal database and are also available in Kubernetes secrets. ODF Noobaa accounts credentials can be changed from the Noobaa management UI. But when credentials are changed in the UI, Kubernetes secrets are not updated, so product applications break when credentials are changed from the UI. Additionally, the product’s credential management application can't offer ODF Noobaa accounts credential change functionality.

2) Customer product’s credential management also stores the service accounts credentials securely in the Vault database, and provides APIs to product applications to access the credentials. The product expects a mechanism to retrieve Noobaa account credentials (password, access and secret keys) and store them in its Vault database.

This requirement needs REST APIs from Noobaa for the below use cases, considered as an alternative to OBC because bucket user credentials need to be stored:
a) create bucket with configuration like backing store pool, object versioning
b) create bucket user account with configured bucket access
c) read user account credentials

What happens if this is not implemented:
ODF Noobaa provides the OBC custom resource to create a bucket; it will internally create a bucket user account and store the credentials in Kubernetes secrets. Product applications have to use Kubernetes secrets to read the credentials and persist them in the product’s credential management. Creating buckets with OBC does not support bucket configuration like object versioning.

Version of all relevant components (if applicable):
ODF 4.8 and newer

Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)?
Yes

Is there any workaround available to the best of your knowledge?
No

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?

Is this issue reproducible?

Can this issue be reproduced from the UI?

If this is a regression, please provide more details to justify this:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Hi Liran and Nimrod,

Below are the primary concerns of the customer:
1. On changing the noobaa admin account password from the UI, the password is not updated in the noobaa-admin secret. The password should be updated in the vault store and in the noobaa db as well.
2. How to change the OBC secret keys. Currently, the option to regenerate credentials for the OBC secret in the GUI is greyed out.

Are these taken care of in the PR?

Thanks
Regards,
Sonal Arora
Ivan, we are planning to provide a KCS with CLI commands. API is not something we want to start documenting at this point in time. Please verify it's applicable by the customer and update the BZ accordingly.
Please add doc text
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement & bugfix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:6155
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days