Application Credential support #1055
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Deydra71 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
I left out app cred auth from oslo_limit config section, because it needs system-scoped token, and our app creds are tied to user and project. Kuttl tests will be added soon. |
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/2e7e6c4092c549b9b63701580d6c34f4 ✔️ openstack-meta-content-provider SUCCESS in 2h 41m 25s |
SeanMooney
left a comment
SeanMooney
left a comment
There was a problem hiding this comment.
This has the same design question as the watcher CRDs
specficily should the applaiction credtail secret be watched by the top level nova contoler only and embeded into the per servce cr screats that we generated or should each contoller monitor the applciation credetial secreate sepreatly.
the later will increase the load on the k8s api/etcd server and is really only useful if and only if we intended to be able to have nova-schduler use a diffent appclaition credetial form nova-conductor
if that is not the intent (i dont think it is) we shoudl not add the auth section ot the sub CRs for nova-api nova schduler ectra and should only add it to the top levele nova CRD
i dont think we have a usecase today to have seperate applciation creditals per cell but that might be reasonable so that you can rotate each cells seperately since that requires dataplane deployment to complete.
that probaly need wider dicsusion with kamil and gibi before proceeding
Deydra71
force-pushed
the
appcred-support
branch
from
b110919 to
46c6710
Compare
Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>
Deydra71
force-pushed
the
appcred-support
branch
from
46c6710 to
9d8ab81
Compare
|
@Deydra71: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/bc2c43d9a4bd4faca56dd814cfd0698b ✔️ openstack-meta-content-provider SUCCESS in 2h 39m 42s |
2 participants
Jira: https://issues.redhat.com/browse/OSPRH-16626
Adds end-to-end support for consuming Keystone Application Credentials (AC) in the nova-operator, enabling Nova control plane components (NovaAPI, Scheduler, Conductors/Cells, Metadata NoVNCProxy) to use AC-based authentication when available.
API changes:
Adds an optional authentication field to the Nova CR:
spec.auth.applicationCredentialSecret— name of the Secret that contains the Keystone Application Credential ID and Secret (AC_IDandAC_SECRET).Reconcile behavior:
spec.auth.applicationCredentialSecret.AC_ID/AC_SECRETfrom the referenced Secret (via the Keystone helper).Once the AC Secret is ready with valid
AC_IDandAC_SECRETfields:nova.conffor relevant auth sections (e.g.[keystone_authtoken]and service client auth stanzas such as[placement]/[neutron]/[glance]/[cinder]/[barbican]/[service_user], where applicable).nova) is used, and the same AC Secret is propagated across Nova subcomponents so all Nova pods authenticate consistently via the same credential source.Depends-on: openstack-k8s-operators/keystone-operator#567