Use unrestricted app cred for capi mgmt node and 2ndary restricted app creds for capo and for CSI and OCCM #109
This should also prepare for having multiple clouds configured in ~/.config/openstack/clouds.yaml and secrets.yaml and avoid assuming particular formatting of it. (It could as well have std user/password combo in there.) This also nicely decouples the need for OCCM clouds.yaml to have project_id (despite using appcreds, where std openstackclient neither needs nor tolerates project_id).
This will allow subordinate appcreds per cluster (#109), which are however not yet implemented. As this affects the mgmt node creation, we want to have it done already, as the incremental changes then can be done without recreation of the mgmt node. Signed-off-by: Kurt Garloff <kurt@garloff.de>
Work on deployment node done (we generate an unrestricted application credential, #177),
We want to be able to have an app cred per cluster (instead of a global per mgmt host one). This is implementing #109. Signed-off-by: Kurt Garloff <kurt@garloff.de>
This is fully addressed in PR #226.
* Start moving app cred creation to cluster creation. We want to be able to have an app cred per cluster (instead of a global per mgmt host one). This is implementing #109. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Tool to generate/manipulate clouds.yaml. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Split out app cred creation and clouds.yaml creation. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Bug fixes. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Clean up appcred again. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Some fixes for app cred cleanup. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Use print-cloud to remove clouds. Allow secret output. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Fix OLD_OPENSTACK_CLOUD storage, use it for appcred mgmt. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Fixes. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Stop outputting b64 encoded secrets. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* project_id needs to be in auth section. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Only clean up app-cred ... when we use them. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Be careful backing up clouds.yaml. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Be informative about app cred. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Only create OLD_OPENSTACK_CLOUD backup if needed. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Leave existing clusters alone. Robust clouds.yaml config generation. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Output note on new OS_CLOUD. Signed-off-by: Kurt Garloff <kurt@garloff.de>
* Clean per-cluster appcred in cleanup. Signed-off-by: Kurt Garloff <kurt@garloff.de>
@garloff can you close this one, please?
We should have the capability to create further app creds for clusters on the capi mgmt node.
This is a first step into managing clusters across clouds from the same mgmt node.
We should then create two (!) restricted app creds per cluster:
The latter is subject to abuse if hostile users within the cluster want to do evil things. So be prepared to independently revoke these app creds.