
OpenStack: Create application credential in Terraform and inject clouds.yaml via user_data script #80

Open
jcwomack opened this issue Apr 12, 2024 · 0 comments
Labels
enhancement New feature or request


jcwomack commented Apr 12, 2024

Proposal for avoiding the hack for injecting clouds.yaml via local-exec provisioner

```hcl
command = "for i in {1..60}; do echo Attempt $i; scp -A -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null clouds.yaml cloud-user@${openstack_compute_floatingip_v2.mgmt.address}:. && break || sleep 1; done"
```

  • Generate an application credential in Terraform using openstack_identity_application_credential_v3
  • Use the `secret` and `id` attributes of the application credential resource to create a string representing a clouds.yaml file for authentication to the API by CitC
  • Interpolate the clouds.yaml string into a heredoc in bootstrap_custom.sh.tpl and have this written to the right location on the deployed mgmt instance on execution of the user_data script

The clouds.yaml might look something like this:

```yaml
clouds:
  openstack:
    auth:
      auth_url: <URL for identity service API>
      application_credential_id: <ID of application credential>
      application_credential_secret: <application credential secret>
    auth_type: v3applicationcredential
    region_name: "RegionOne"
    interface: "public"
    identity_api_version: 3
```

`application_credential_id` and `application_credential_secret` should come from the created `openstack_identity_application_credential_v3` resource. The user will need to provide `auth_url`, and possibly `region_name` and `interface` (though I suspect that these will not change in most cases).

This avoids the need for the Terraform user to pre-generate an application credential. It also means they do not need to manage the credential separately from the CitC instance. It should be destroyed at the same time as the cluster.

Creating the application credential in Terraform gives greater control over the amount of access granted to CitC, which in the longer term could be used to improve security, e.g. by applying access rules that restrict access via the application credential to only the API endpoints needed by CitC.

PR #79 lays some of the groundwork for this, by separating the application credential/clouds.yaml used by the CitC instance to communicate with the OpenStack API from the OpenStack API authentication details used by Terraform.
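As an added example (not code from the issue or from the CitC project), the Terraform fragment below shows the three steps of the proposal end to end: the application credential is created by Terraform, its `id` and `secret` are rendered into a clouds.yaml string with `yamlencode`, and that string is written to the mgmt instance from its `user_data` script via a quoted shell heredoc. The variable names (`auth_url`, `region_name`, `image_name`, `flavor_name`, `key_pair`, `network_name`), the `cluster_name` local, the `cloud-user` login and the `access_rules` paths are assumptions for illustration, not values taken from the project.

```hcl
# Added example, not part of the issue or the CitC repository.
# Assumed inputs: var.auth_url, var.region_name, var.image_name,
# var.flavor_name, var.key_pair, var.network_name, local.cluster_name.

variable "auth_url"     { type = string }   # e.g. https://keystone.example.invalid:5000/v3 (placeholder)
variable "region_name"  { type = string }   # e.g. "RegionOne"
variable "image_name"   { type = string }
variable "flavor_name"  { type = string }
variable "key_pair"     { type = string }
variable "network_name" { type = string }

locals {
  cluster_name = "citc-demo"   # assumed cluster name
}

# Step 1: the application credential lives in Terraform state and is
# destroyed together with the rest of the cluster.
resource "openstack_identity_application_credential_v3" "citc" {
  name        = "citc-${local.cluster_name}"
  description = "Credential used by the CitC mgmt node; destroyed with the cluster"

  # Optional least-privilege restriction. The paths below are illustrative
  # placeholders, not an audited list of the endpoints CitC needs.
  access_rules {
    path    = "/v2.1/servers"
    service = "compute"
    method  = "GET"
  }
  access_rules {
    path    = "/v2.1/servers"
    service = "compute"
    method  = "POST"
  }
}

# Step 2: render the clouds.yaml content from the resource's exported
# attributes. yamlencode quotes keys and strings, which openstacksdk accepts.
locals {
  clouds_yaml = yamlencode({
    clouds = {
      openstack = {
        auth = {
          auth_url                      = var.auth_url
          application_credential_id     = openstack_identity_application_credential_v3.citc.id
          application_credential_secret = openstack_identity_application_credential_v3.citc.secret
        }
        auth_type            = "v3applicationcredential"
        region_name          = var.region_name
        interface            = "public"
        identity_api_version = 3
      }
    }
  })
}

# Step 3: write the file from user_data instead of scp'ing it over SSH.
resource "openstack_compute_instance_v2" "mgmt" {
  name        = "${local.cluster_name}-mgmt"
  image_name  = var.image_name
  flavor_name = var.flavor_name
  key_pair    = var.key_pair

  network {
    name = var.network_name
  }

  # Terraform interpolates ${...} in this heredoc; any shell variable in the
  # script must therefore be written as $${...}. The quoted 'CLOUDS_YAML'
  # delimiter keeps the shell from expanding anything inside the YAML.
  user_data = <<-EOT
    #!/bin/bash
    set -euo pipefail
    install -d -m 0700 -o cloud-user -g cloud-user /home/cloud-user/.config/openstack
    cat > /home/cloud-user/.config/openstack/clouds.yaml <<'CLOUDS_YAML'
    ${local.clouds_yaml}
    CLOUDS_YAML
    chown cloud-user:cloud-user /home/cloud-user/.config/openstack/clouds.yaml
    chmod 0600 /home/cloud-user/.config/openstack/clouds.yaml
  EOT
}
```

Two properties of this layout are worth knowing before adopting it. The provider marks `secret` as sensitive, so it is redacted in plan output, but the rendered `user_data` (and therefore the secret) is stored in Terraform state and is readable on the instance through the metadata service, so the state file needs the same protection as the credential itself and the file is written with `0600` permissions. Changing `user_data` forces replacement of the instance, which also replaces the credential only if the resource graph ties them together; rotating the credential on its own is a matter of tainting the `openstack_identity_application_credential_v3` resource.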
