plugin/pkg/client/auth: add openstack auth provider

[zhouhaibing089]

This is an implementation of auth provider for OpenStack world, just like python-openstackclient, we read the environment variables of a list OS_*, and client will cache a token to interact with each components, we can do the same here, the client side can cache a token locally at the first time, and rotate automatically when it expires.

This requires an implementation of token authenticator at server side, refer:

1. [made by me] #25536, I can carry this on when it is fine to go.
2. [made by @kfox1111] #25391

The reason why I want to add this is due to the client-side nature, it will be confusing to implement it downstream, we would like to add this support here, and customers can get kubectl like they usually do(brew install kubernetes-cli), and it will just work.

When this is done, we can deprecate the password keystone authenticator as the following reasons:

1. as mentioned at some other places, the domain is another parameters which should be provided.
2. in case the user supplies apikey and secrets, we might want to fill the UserInfo with the real name which is not implemented for now.

cc @erictune @liggitt

add openstack auth provider

[k8s-ci-robot]

Hi @zhouhaibing089. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with @k8s-bot ok to test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-reviewable]

This change is 

[anguslees]

@k8s-bot ok to test
/lgtm

[k8s-ci-robot]

@anguslees: you can't LGTM a PR unless you are an assignee.

In response to this comment:

@k8s-bot ok to test
/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[anguslees]

@idvoretskyi sig-openstack area tag please

[liggitt]

Is an openstack token ever obtained from then env directly? cc @kfox1111

[zhouhaibing089]

@liggitt no it is not, it needs to call keystone with these env vars, and then, a token will be returned.

[liggitt]

It looks like the first time, the token will always be blank. Is that expected?

[zhouhaibing089]

well, you catch it! it still works though(the auto renew). I will add a call once the round tripper is initialized.

[liggitt]

Is the same auth provider reused if a single CLI instance makes multiple API calls? I think @ericchiang just made some changes to the OIDC auth provider to avoid multiple expensive reconstructions in that case. Would be worth logging the number of times a token is requested and making sure it only happens once in the normal case.

[liggitt]

I'm also not seeing where the retrieved token is persisted.

[zhouhaibing089]

@liggitt each call via cli(kubectl), it will be reconstructed, this is true. a better way to handle this is to cache(truly) the token into the kubeconfig, if that do makes it better.

[ericchiang]

I think @ericchiang just made some changes to the OIDC auth provider to avoid multiple expensive reconstructions in that case.

To reiterate the auth provider is going to be constantly re-initialized within the span on a single kubeclt call. We remedied that by having a global cache of clients and did a lookup on initialization. If initialization is expensive, you'll need to cache the results.

[liggitt]

You need your own instance of math.Rand seeded with something actually random

[liggitt]

Well, maybe not in a test

[liggitt]

cc @kubernetes/sig-openstack-misc

[wjun]

As long as any approach cannot keep end users unaware of openstack specific information besides domain name, username, password which other systems also have, we cannot remove the current username/password authn which hide openstack specific information from end users perfectly. k8s users do not need to know openstack's information in some cases.

[ericchiang]

Maybe we should just remove this from the interface? Nothing implements it and there's no way to trigger it.

[zhouhaibing089]

well, I think it is not tied with this pr, but I am wiling to check and remove it.

[ericchiang]

We removed similar logic from the OIDC plugin. I don't think http.RoundTrippers should be retrying requests. Is there a way to determine if a token is invalid without getting back a StatusUnauthorized?

[zhouhaibing089]

Is there a way to determine if a token is invalid without getting back a StatusUnauthorized?

As far as I know, there is no easy way:

1. call keystone token api, but it requires admin role(at least in our openstack deployment).
2. local validation, the PKI token can be validated locally by: 1) download the keystone certificate, 2) decode the token. but it only handles PKI tokens, also if it is totally local, the revocation will not be aware of.

[zhouhaibing089]

Well, I have no idea on why the Jenkins verification failed, I've already fixed the bazel things as I can see..

[zhouhaibing089]

@sttts @liggitt is this PR in good shape now and can we get this in?

[sttts]

The plumbing looks fine. Do you have anybody reviewing the actual plugin logic in staging/src/k8s.io/client-go/plugin/pkg/client/auth/openstack/openstack.go ? @liggitt ?

[zhouhaibing089]

@sttts I think @liggitt and @ericchiang and folks in sig-openstack already give it a review.

[sttts]

Alright.

/lgtm
/approve no-issue

[k8s-ci-robot]

@zhouhaibing089: you can't request testing unless you are a kubernetes member.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sttts]

/retest

[zhouhaibing089]

updated BUILD file.

[dims]

/ok-to-test

[dims]

/lgtm

[k8s-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anguslees, dims, sttts, zhouhaibing089

Associated issue requirement bypassed by: sttts

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• staging/src/k8s.io/client-go/OWNERS [sttts]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[zhouhaibing089]

just run ./hack/update-staging-godeps.sh..

[dims]

/retest

[sttts]

/retest

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[k8s-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 50087, 39587, 50042, 50241, 49914)