Allow using API tokens for Proxmox authentication

[mraerino]

Proxmox allows people to create API tokens with limited privileges that can be rotated without deleting a user account. It is usually useful for giving automated systems specific access to parts of the Proxmox API, e.g. a single VM resource pool.

API tokens allow stateless access to most parts of the REST API by another system, software or API client. Tokens can be generated for individual users and can be given separate permissions and expiration dates to limit the scope and duration of the access. Should the API token get compromised it can be revoked without disabling the user itself.
https://pve.proxmox.com/wiki/User_Management#pveum_tokens

The current authentication flow used for the Proxmox client is not compatible though:

POST /api2/json/access/ticket
This API endpoint is not available for API tokens.
https://pve.proxmox.com/pve-docs/api-viewer/#/access/ticket (POST tab)

Instead the required auth flow for API tokens is described here:

To use an API token, set the HTTP header Authorization to the displayed value of the form PVEAPIToken=USER@REALM!TOKENID=UUID when making API requests
https://pve.proxmox.com/wiki/User_Management#pveum_tokens

---

This PR introduces a new parameter token for the Proxmox builder which allows using the alternative API token flow.
It will take precedence over password if both are given.

Tests are provided, docs have been updated.
I tested a development build with a proxmox setup locally.

[hashicorp-cla]

All committers have signed the CLA.

[codecov]

Codecov Report

Merging #10797 (331e603) into master (667f930) will increase coverage by 0.01%.
The diff coverage is 74.07%.

Impacted Files	Coverage Δ
builder/proxmox/common/builder.go	0.00% <0.00%> (ø)
builder/proxmox/common/client.go	71.42% <71.42%> (ø)
builder/proxmox/common/config.go	46.00% <100.00%> (+0.82%)	⬆️

[mraerino]

Upstream PR is open, let's see which one wins: Telmate/proxmox-api-go#108

[mraerino]

now using the method from the client lib

[carlpett]

Thanks @mraerino! This all looks really good (getting the token auth into the upstream library was the best way to go IMO), just a linter failure to take care of

[carlpett]

There's a linter failure because these are unused. I suppose they are from before moving the bits upstream?

[mraerino]

removed (2162e7d)

[carlpett]

Nit: This strictly doesn't need to be exported, right?

[mraerino]

fixed (331e603)

[sylviamoss]

Nice! I'll merge it once @carlpett's comments are addressed.

[mraerino]

is there something that will let me know once this lands in a stable release?

[nywilken]

Hey 👋 @mraerino, there is no automatic notification. This feature will be available for use in our next nightly release which is a glimpse of what you can expect in the next v1.7.1 release which is set to go out next week.

As far as notifications go we announce Packer releases to the Packer email distribution list. You can also subscribe to the GitHub RSS feeds so that you can see when new releases drop https://github.com/hashicorp/packer/releases.atom

Thanks again for making this change.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.