Update OpenStack keystone integration #7304
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Deploy preview for kubernetes-io-master-staging ready! Built with commit bdb564f |
|
note from @liggitt |
|
/assign |
|
@dims do you need any help here? |
|
@ericchiang will check with @heckj and report back (or pick up the work) |
|
Sorry @dims - what did I miss? How can I help? I went ahead and assigned this to me to review, but it seemed still WIP so I didn't put much attention behind it. |
|
@heckj whoops. i remember someone volunteering for taking this over. sorry. will work on this today |
|
@dixudx i could use your help with this :) (mentioned it in kubernetes/kubernetes#60200) |
- removing the keystone password section - adding a subsection under "Webhook Token Authentication" that details configuration of kubectl with the openstack auth provider
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
size/M
dims
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
| @@ -486,6 +486,21 @@ An unsuccessful request would return: | |||
|
|
|||
| HTTP status codes can be used to supply additional error context. | |||
|
|
|||
| #### Using OpenStack Keystone authentication Webhook | |||
|
|
|||
| There are two parts to authentication with OpenStack Keystone. On the client-side, you can use `--auth-provider=openstack` option to reuse the `OS_*` environment variables: | |||
There was a problem hiding this comment.
I suspect there's a word missing that would make this better than changing authentication to authenticate, which also reads oddly, perhaps better phrasing:
There are two parts to support authentication with OpenStack Keystone.
| ``` | ||
| Note that you will also need to use `kubectl config set-context` and `kubectl config use-context` to activate the context. Please make sure you have `OS_DOMAIN_NAME` to use Keystone V3 API. | ||
|
|
||
| On the server-side, one choice is to use the webhook from: |
There was a problem hiding this comment.
IIRC, from v1.10, this will be the only choice, right?
So we won't have other choices for now. This should be addressed well here. WDYT?
| Documentation for the webhook is at | ||
| https://github.com/dims/openstack-cloud-controller-manager/blob/master/docs/using-keystone-webhook-authenticator-and-authorizer.md | ||
|
|
||
| This webhook from folks in the OpenStack community is just one option. Other webhooks may be available with alternative user mappings in the future. |
There was a problem hiding this comment.
Still not available for now. Shall we remove this line?
There was a problem hiding this comment.
Recommend dropping the line about "other webhooks may be available..." - better to focus on what is now and how to utilize it vs. what could come.
| ``` | ||
| kubectl config set-credentials openstackuser --auth-provider=openstack | ||
| ``` | ||
| Note that you will also need to use `kubectl config set-context` and `kubectl config use-context` to activate the context. Please make sure you have `OS_DOMAIN_NAME` to use Keystone V3 API. |
There was a problem hiding this comment.
Adds an auth config file example to illustrate #60200?
There was a problem hiding this comment.
Good information, but its unclear on how someone would actually use these commands and in what order to authenticate to the cluster. I'd recommend showing all three commands in sequence, explaining what they do to provide the authentication, and prefixing the whole thing by asserting that the administrator specifically needs to have OS_DOMAIN_NAME set. There's an implication of other OS_* environment variables that may need to be set - I'm not sure what those may be, but if any are critical, please include them in a "to use this, you need..." sort of requirements note above the sequence of commands.
| @@ -486,6 +486,21 @@ An unsuccessful request would return: | |||
|
|
|||
| HTTP status codes can be used to supply additional error context. | |||
|
|
|||
| #### Using OpenStack Keystone authentication Webhook | |||
|
|
|||
| There are two parts to authentication with OpenStack Keystone. On the client-side, you can use `--auth-provider=openstack` option to reuse the `OS_*` environment variables: | |||
There was a problem hiding this comment.
I suspect there's a word missing that would make this better than changing authentication to authenticate, which also reads oddly, perhaps better phrasing:
There are two parts to support authentication with OpenStack Keystone.
| ``` | ||
| kubectl config set-credentials openstackuser --auth-provider=openstack | ||
| ``` | ||
| Note that you will also need to use `kubectl config set-context` and `kubectl config use-context` to activate the context. Please make sure you have `OS_DOMAIN_NAME` to use Keystone V3 API. |
There was a problem hiding this comment.
Good information, but its unclear on how someone would actually use these commands and in what order to authenticate to the cluster. I'd recommend showing all three commands in sequence, explaining what they do to provide the authentication, and prefixing the whole thing by asserting that the administrator specifically needs to have OS_DOMAIN_NAME set. There's an implication of other OS_* environment variables that may need to be set - I'm not sure what those may be, but if any are critical, please include them in a "to use this, you need..." sort of requirements note above the sequence of commands.
| kubectl config set-credentials openstackuser --auth-provider=openstack | ||
| ``` | ||
| Note that you will also need to use `kubectl config set-context` and `kubectl config use-context` to activate the context. Please make sure you have `OS_DOMAIN_NAME` to use Keystone V3 API. | ||
|
|
There was a problem hiding this comment.
I wasn't entirely clear - are both of these (server side and client side) needed to authenticate, or is it one or the other if you want to use Keystone to Auth?
| Note that you will also need to use `kubectl config set-context` and `kubectl config use-context` to activate the context. Please make sure you have `OS_DOMAIN_NAME` to use Keystone V3 API. | ||
|
|
||
| On the server-side, one choice is to use the webhook from: | ||
| https://github.com/dims/openstack-cloud-controller-manager/blob/master/cmd/k8s-keystone-auth/main.go |
There was a problem hiding this comment.
I don't know that referencing the Go code will help an administrator know how to use this, but if you want to reference it, I recommend something like:
The OpenStack Cloud Controller includes an webhook authenticator.
| On the server-side, one choice is to use the webhook from: | ||
| https://github.com/dims/openstack-cloud-controller-manager/blob/master/cmd/k8s-keystone-auth/main.go | ||
|
|
||
| Documentation for the webhook is at |
There was a problem hiding this comment.
Suggestion:
Documentation for how to install and configure the OpenStack authentication webhook can be found at https://github.com/dims/openstack-cloud-controller-manager/blob/master/docs/using-keystone-webhook-authenticator-and-authorizer.md.
to make that an active link
| Documentation for the webhook is at | ||
| https://github.com/dims/openstack-cloud-controller-manager/blob/master/docs/using-keystone-webhook-authenticator-and-authorizer.md | ||
|
|
||
| This webhook from folks in the OpenStack community is just one option. Other webhooks may be available with alternative user mappings in the future. |
There was a problem hiding this comment.
Recommend dropping the line about "other webhooks may be available..." - better to focus on what is now and how to utilize it vs. what could come.
|
will revisit this in a bit. we are adding a bunch more in the new git repo (cloud-provider-openstack) |
This change is