ROX-14544 - Add CentralRequest field documentation

[SimonBaeumer]

Description

Added CentralRequest documentation.

Checklist (Definition of Done)

• Unit and integration tests added
• Added test description under Test manual
• Evaluated and added CHANGELOG.md entry if required
• Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
• CI and all relevant tests are passing
• Add the ticket number to the PR title if available, i.e. ROX-12345: ...
• Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.

Test manual

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[SimonBaeumer]

Double-check in production in production system

[stehessel]

Cloud provider that runs the data plane instance. Also the cloud provider that owns the customer account we bill again.

[SimonBaeumer]

done

[SimonBaeumer]

Double-check in production in production system. Maybe remove it (cc @johannes94)

[SimonBaeumer]

Maybe it is used by @kovayur, see:

rr.BillingMarketplaceAccount(dinosaur.CloudAccountID)

[stehessel]

This is the billing cloud account, definitely don't remove or we won't get paid ;-).

[SimonBaeumer]

done

[SimonBaeumer]

Lifecycle status of the CentralRequest, link to constants

[SimonBaeumer]

done

[SimonBaeumer]

by @kovayur

SubscriptionID is returned by ams (ocm) when the user’s (owner) quota is reserved for Central

[SimonBaeumer]

Owner = OCM owner who created the tenant (email), how is it populated? (Identify ID type, seems to be different for RH employees joined after a specific date, or based on the preferred username (OpenID feature, ocm whoami prints the active username))
OwnerAccountID and OrganisationID maybe the same fields.

Code snippet:

dinosaurRequest.Owner, _ = claims.GetUsername()
dinosaurRequest.OrganisationID, _ = claims.GetOrgID()
dinosaurRequest.OwnerAccountID, _ = claims.GetAccountID()
dinosaurRequest.OwnerUserID, _ = claims.GetUserID()
tenantUsernameClaim = "username"

//-------------- 

// GetUsername ...
func (c *ACSClaims) GetUsername() (string, error) {
	if idx, val := arrays.FindFirst(func(x interface{}) bool { return x != nil },
		(*c)[tenantUsernameClaim], (*c)[alternateTenantUsernameClaim]); idx != -1 {
		if userName, ok := val.(string); ok {
			return userName, nil
		}
	}
	return "", fmt.Errorf("can't find neither %q or %q attribute in claims",
		tenantUsernameClaim, alternateTenantUsernameClaim)
}

//--------------

// sso.redhat.com token claim keys.
	alternateTenantUsernameClaim = "preferred_username"
	tenantUserIDClaim            = "account_id"
	tenantSubClaim               = "sub"
	// Only service accounts that have been created via the service_accounts API have this claim set.
	alternateTenantIDClaim = "rh-org-id

[SimonBaeumer]

OwnerUserID, OwnerAccountID needs investigation. Is the same in @johannes94 database. Not equal to organisation ID.

[stehessel]

organisation ID and organisation name are the Red Hat SSO organisation identifiers - it identifies a customer organisation, e.g. 16678382 and IBM. We need the id for authn/z, and the name for observability purposes. There can be many users that part of one customer organisation - for example, all Red Hat employee accounts are part of org_id=11009103.

OwnerAccountID will be used in telemetry, it is the account_id claim of the Red Hat SSO token. OwnerUserID is the subject claim (confusingly it is NOT the user_id claim) of the Red Hat SSO token - this one I don't know if we use it anywhere.

[stehessel]

Owner is the Red Hat SSO login name. It is either the email, or the user name, depending on what the user chose to login with. It's displayed in the console UI.

[SimonBaeumer]

@stehessel Where do you see the OrganisationName? I could find the field in the CentralRequest struct.

[SimonBaeumer]

Rebased and added it

[stehessel]

SubscriptionID is returned by AMS and identifies a Central instance in their system. We need it to deregister instances again from AMS.

[SimonBaeumer]

done

[stehessel]

Can you end sentence comments with a "." everywhere?

[SimonBaeumer]

done

[stehessel]

I'd spell out availability zone in the explanation.

[SimonBaeumer]

done

[stehessel]

Suggested change

	// Owner is the Red Hat SSO login name. It is either the email, or the user name, depending on what the user chose to login with. It's displayed in the console UI.
	// Owner is the Red Hat SSO login name of the user who created the instance. It is either the email, or the user name, depending on what the user chose to login with. It's displayed in the console UI.

[SimonBaeumer]

done

[stehessel]

We switched to user_id claim in telemetry. owner_account_id is no longer used as far as I can tell.

[SimonBaeumer]

It is never read anywhere, only set once in fleet-manager. Is it safe to assume that we can remove it?

[SimonBaeumer]

How could I test that the change worked?

[stehessel]

How could I test that the change worked?

You can take a look at Telemetry events in https://app.segment.com/redhat-devtools/sources/acs_instances_backend_dev/debugger.

Is it safe to assume that we can remove it?

I think we can remove this field, yes. Just need to be careful with backwards/forwards compatibility.

[SimonBaeumer]

Would it be okay for you to mark it here as deprecated and removing the field in a follow-up ticket?

[stehessel]

Yeah that makes sense.

[stehessel]

This is not 100% true (depends on definition of customer), it is just one customer organisation. For example IBM has many Red Hat orgs.

[SimonBaeumer]

Changed it to:
// OrganisationID identifies a customer's organisation. It is needed as an id for authn/z, and the name for observability purposes.

[stehessel]

Organisation names not unique. Its purpose is mostly human readability and observability purposes (e.g. display in dashboards).

[SimonBaeumer]

done

[stehessel]

Thanks for going over these 🚀

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SimonBaeumer, stehessel

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [SimonBaeumer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

New changes are detected. LGTM label has been removed.