OpenStack: get rid of swift temp urls #2311
Conversation
openshift-ci-robot
added
the
size/L
openshift-ci-robot
added
the
approved
|
/hold we need to agree that we need this patch at 4.2 |
openshift-ci-robot
added
the
do-not-merge/hold
| if svc.Type == "object-store" { | ||
| for _, e := range svc.Endpoints { | ||
| if e.Interface == "public" { | ||
| swiftPublicURL = e.URL |
There was a problem hiding this comment.
shouldn't you break here? why going over the rest?
Fedosin
force-pushed
the
no_temp_urls
branch
from
2d9c499
to
85f5d64
Compare
Fedosin
changed the title
openshift-ci-robot
added
the
bugzilla/valid-bug
|
@Fedosin: This pull request references Bugzilla bug 1749367, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@Fedosin: This pull request references Bugzilla bug 1749367, which is valid. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
I pulled this PR locally and tried to use it. First run was sucessfull. Second fails with this error: |
yeah, we need to use alphanumeric characters for the object name. Thank you for finding this! |
Fedosin
force-pushed
the
no_temp_urls
branch
from
85f5d64
to
93e8fe3
Compare
openshift-ci-robot
removed
the
approved
Fedosin
force-pushed
the
no_temp_urls
branch
from
93e8fe3
to
763e690
Compare
openshift-ci-robot
added
the
approved
|
/test e2e-aws-upgrade |
1 similar comment
|
/test e2e-aws-upgrade |
|
/test e2e-libvirt |
|
@celebdor PTAL or delegate to someone else for review |
|
/assign I'm testing and reviewing it as we speak. |
|
Okay, I like it. I would really prefer if we kept using Swift temp urls since their behaviour and security profile are well understood, but not supporting OSP 13 + Ceph's RADOS Gateway would cut off a significant portion of the production users. That said, I am no security expert and as such I am a little nervous about this change -- especially this late in the game. To the best of my abilities, I've verified that:
There are some things I can see to make it even more solid:
I am tentatively in favour of this but I'd like to hold off from //cc @mandre (what do you think about the risks present here) and @racedo (what do you think about the impact of not shipping this feature in 4.2) |
|
/test e2e-gcp |
| DomainName: domainName, | ||
| } | ||
|
|
||
| serviceCatalog, err := tokens.Create(conn, &authOptions).ExtractServiceCatalog() |
There was a problem hiding this comment.
Hmm, i'm not sure what this does ? but does it create some resource that needs to be cleaned up on destroy?
There was a problem hiding this comment.
Here we want to obtain Swift public endpoint... By design this should be done by using https://www.terraform.io/docs/providers/openstack/d/identity_endpoint_v3.html but OpenStack default policies forbid to use this API for regular users.
On the other hand when you authenticate in OpenStack (i.e. get a token) it includes the whole service catalog in the output json. So we are able to parse it and get the endpoint from there https://docs.openstack.org/api-ref/identity/v3/?expanded=token-authentication-with-scoped-authorization-detail#token-authentication-with-scoped-authorization
In short the algorithm is:
- Authenticate in OpenStack:
tokens.Create(..) - Parse the token and extract the service catalog:
ExtractServiceCatalog() - Iterate through the catalog and find
publicendpoint forobject-store.
Unfortunately this feature is not supported by Terraform so I had to implement it here. No resources are created we just get endpoint data from OpenStack.
Btw, we do the same thing for Octavia service: https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/openstack/openstack.go#L141-L152
| return swiftPublicURL, nil | ||
| } | ||
|
|
||
| func getServiceCatalog(cloud string) (*tokens.ServiceCatalog, error) { |
There was a problem hiding this comment.
would love to see some comments on the function regarding what it does.
| @@ -62,3 +73,69 @@ func TFVars(masterConfig *v1alpha1.OpenstackProviderSpec, cloud string, external | |||
|
|
|||
| return json.MarshalIndent(cfg, "", " ") | |||
| } | |||
|
|
|||
| func getSwiftPublicURL(cloud string) (string, error) { | |||
There was a problem hiding this comment.
same as 5c3fbf5#r337229011
The new version contains random_password module required by OpenStack
Since not all the configurations of OSP support Swift temp urls, we have to find another way that will work on all supported clouds. To create a unified solution we can use the ACL mechanism to allow public access to the file, but deny access to the list of container files. From a technical point of view, it looks like this: ".r:*", but no ".rlistings". This allows anybody to download the ignition file. However, to do this, the exact name of the object must be known since users cannot list the objects in the container. The last step is to randomize the file name so that it cannot be matched - now it is hardcoded to "bootstrap.ign" The lifetime of such a file will be short, about 10 minutes necessary for bootstrapping. Further this file will be automatically removed by Terraform at the moment of bootstrap machine destruction. This way we can achieve the same effect as temp url, which will work on all types of storage.
|
/test e2e-openstack |
|
/test e2e-aws |
|
/test e2e-openstack |
|
/test e2e-aws-disruptive |
|
@Fedosin: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
8d04568 LGTM /approve while the rest i'll leave upto the openstack team to review |
openshift-ci-robot
added
the
approved
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, Fedosin, iamemilio, mandre The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cherrypick release-4.2 |
|
@Fedosin: #2311 failed to apply on top of branch "release-4.2": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
will this PR be available in 4.2? If we install 4.2 by compiling the 4.2 release this feature seems to be missing. Maybe due to the merge-conflict above? |
With openshift#2311 being merged, and having removed the need for Swift tempurls, the issue is no longer afflicting OpenStack installations. Ref.: openshift#2311
With openshift#2311 being merged, and having removed the need for Swift tempurls, the issue is no longer afflicting OpenStack installations. Ref.: openshift#2311
With openshift#2311 being merged, and having removed the need for Swift tempurls, the issue is no longer afflicting OpenStack installations. Ref.: openshift#2311
Since not all the configurations of OSP support Swift temp urls, we have to find another way that will work on all supported clouds.
To create a unified solution we can use the ACL mechanism to allow public access to the ignition file, but deny access to the list of container files. From a technical point of view, it looks like this: ".r:*", but no ".rlistings".
This allows anybody to download bootstrap ignition file. However, to do this, the exact name of the object must be known since users cannot list the objects in the container.
The last step is to randomize the file name so that it cannot be matched - now it is hardcoded to "bootstrap.ign"
The lifetime of such a file will be short, about 10 minutes necessary for bootstrapping. Further this file will be automatically removed by Terraform at the moment of bootstrap machine destruction.
This way we can achieve the same effect as temp url, which will work on all types of storage.