Replace deprecated ACS init-bundle with Cluster Registration Secret (CRS) #148
Open
p-rog wants to merge 8 commits into
Conversation
…ift-image-registry.svc:5000/openshift/cli) to the public Red Hat registry (registry.redhat.io/openshift4/ose-cli)
… simpler and more intuitive
Replace the init-bundle Job with a Cluster Registration Secret (CRS) job per RHACS 4.10 recommendations. CRS uses a short-lived token instead of long-lived certificates, improving security posture. The CRS can be revoked after cluster registration without disconnecting the secured cluster.

- Rename create-cluster-init-bundle.yaml to create-cluster-registration-secret.yaml
- Switch API from /v1/cluster-init/init-bundles to /v1/cluster-init/crs
- Simplify job logic: remove bundle listing/deletion/Python parsing
- Add dual idempotency check (sensor-tls OR cluster-registration-secret)
- Update comments in values files to reference CRS

Co-authored-by: Cursor <cursoragent@cursor.com>
The CRS API rejects names that collide with existing init-bundles or CRS entries. Add logic to revoke legacy init-bundles and stale CRS entries with the same cluster name before generating a new CRS. Uses printf-based Python file writing to avoid YAML block scalar indentation issues with Helm template rendering.

Tested on live cluster: CRS generation, init-bundle revocation, sensor registration via CRS init container all verified working.

Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
• Replace the deprecated init-bundle Job with a Cluster Registration Secret (CRS) job, per RHACS 4.10 recommendations
• CRS uses a short-lived token instead of long-lived certificates, allowing revocation after cluster registration without disconnecting the secured cluster
• The init-bundle API (/v1/cluster-init/init-bundles) is deprecated and scheduled for removal in a future RHACS release
Changes
• Removed charts/acs-central/templates/jobs/create-cluster-init-bundle.yaml
• Added charts/acs-central/templates/jobs/create-cluster-registration-secret.yaml which:
  • Uses the CRS API (POST /v1/cluster-init/crs) instead of the deprecated init-bundles API
  • Revokes any legacy init-bundle or stale CRS with the same name before generating a new CRS (handles migration and re-run scenarios)
  • Checks for both sensor-tls (legacy init-bundle) and cluster-registration-secret (CRS) to ensure idempotency and non-destructive upgrades
• Updated comments in charts/acs-central/values.yaml, charts/acs-secured-cluster/values.yaml, and values-hub.yaml to reference CRS
Testing
Tested on OCP 4.21 with RHACS Operator 4.11.0:
manually removing legacy secrets -- all ACS components (Sensor, Collector, Admission Control) reported HEALTHY via Central API.
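The registration flow this PR describes (dual idempotency check, revoke colliding legacy init-bundles and stale CRS entries, then mint a new CRS) as an added, stand-alone example. It is not the chart's Job code and not roxctl; the HTTP call is injected so the same logic runs offline against a constructed fake Central. The page confirms only `POST /v1/cluster-init/crs` and the `/v1/cluster-init/init-bundles` path; the list response shape (`{"items": [{"id", "name"}]}`) and the `PATCH /v1/cluster-init/<kind>/revoke` body `{"ids": [...]}` are assumptions to verify against your Central's API reference before wiring this to a real token.

```python
"""Added example (not the chart's Job, not roxctl): the CRS registration logic from
PR #148 against an injectable HTTP callable, plus a constructed FakeCentral so it
runs offline.

Assumptions not stated on the PR page: GET /v1/cluster-init/init-bundles and
GET /v1/cluster-init/crs return {"items": [{"id": ..., "name": ...}, ...]}, and
revocation is PATCH /v1/cluster-init/<kind>/revoke with {"ids": [...]}.
"""
import base64
import json

LEGACY_SECRET = "sensor-tls"                # written from an init-bundle
CRS_SECRET = "cluster-registration-secret"  # written from a CRS
CLUSTER_INIT = "/v1/cluster-init"


def already_bootstrapped(secret_names):
    """Dual idempotency check from the PR: if either secret exists the cluster is
    already registered and a re-run of the Job must not touch it."""
    return LEGACY_SECRET in secret_names or CRS_SECRET in secret_names


def colliding_ids(listing, name):
    """IDs of entries whose name equals the one about to be registered; Central
    rejects a new CRS whose name collides with a live init-bundle or CRS."""
    return [item["id"] for item in listing.get("items", []) if item.get("name") == name]


def ensure_crs(http, name, secret_names):
    """Return the base64 CRS for `name`, or None when the cluster is already registered.

    `http(method, path, body)` performs the authenticated call to Central (the real
    Job would wrap curl with its API token); `secret_names` is the set of Secret names
    present in the secured-cluster namespace (oc get secret -n <ns>)."""
    if already_bootstrapped(secret_names):
        return None
    # Revoke before create: legacy init-bundles first, then stale CRS entries.
    for kind in ("init-bundles", "crs"):
        ids = colliding_ids(http("GET", f"{CLUSTER_INIT}/{kind}", None), name)
        if ids:
            http("PATCH", f"{CLUSTER_INIT}/{kind}/revoke", {"ids": ids})  # assumed path
    return http("POST", f"{CLUSTER_INIT}/crs", {"name": name})["crs"]


class FakeCentral:
    """Constructed in-memory stand-in for Central's cluster-init endpoints, here only
    so the example runs offline. It mirrors the one behaviour the PR relies on: a POST
    whose name collides with any non-revoked init-bundle or CRS is rejected."""

    def __init__(self, init_bundles=(), crs=()):
        self.store = {"init-bundles": [dict(b) for b in init_bundles],
                      "crs": [dict(c) for c in crs]}
        self.calls = []  # (method, path, body) in call order, for inspection

    def _live(self, kind):
        return [i for i in self.store[kind] if not i.get("revoked")]

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        parts = path.split("/")  # ["", "v1", "cluster-init", <kind>, ("revoke")]
        kind = parts[3]
        if method == "GET":
            return {"items": self._live(kind)}
        if method == "PATCH" and parts[-1] == "revoke":
            for item in self.store[kind]:
                if item["id"] in body["ids"]:
                    item["revoked"] = True
            return {}
        if method == "POST" and kind == "crs":
            taken = {i["name"] for k in self.store for i in self._live(k)}
            if body["name"] in taken:
                raise RuntimeError(f"409 Conflict: name {body['name']!r} already in use")
            new = {"id": f"crs-{len(self.store['crs']) + 1}", "name": body["name"]}
            self.store["crs"].append(new)
            token = base64.b64encode(json.dumps(new).encode()).decode()  # opaque stand-in
            return {"meta": new, "crs": token}
        raise RuntimeError(f"unexpected {method} {path}")


if __name__ == "__main__":
    central = FakeCentral(init_bundles=[{"id": "ib-1", "name": "prod-east"}])
    print(ensure_crs(central, "prod-east", {"sensor-tls"}))  # legacy cluster left alone
    print(ensure_crs(central, "prod-east", set()))           # revokes ib-1, mints a CRS
    for method, path, _ in central.calls:
        print(method, path)
```

Because the revoke step is keyed on name equality alone, the cluster name handed to the Job has to be unique per Central: a reused name silently revokes another cluster's entry before the new CRS is minted. The check on `sensor-tls` and `cluster-registration-secret` is what keeps a re-run from doing that to a cluster that is already registered.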