cloud-provider-openstack icon indicating copy to clipboard operation
cloud-provider-openstack copied to clipboard
verified publisher icon kubernetes

[occm] Support keystone token for openstack auth

Open archerwu9425 opened this issue 5 months ago • 7 comments

What this PR does / why we need it: Support keystone token for openstack auth in occm

Which issue this PR fixes(if applicable): fixes #

Special notes for reviewers:

Keystone token is supported in openstack as option for atuh, should also support this in occm

  1. Support provide keystone token in cloud-config for openstack auth
[Global]
token = xxxx
auth-url = xxx
region = RegionOne
tenant-name = xxx
tenant-domain-name = xxx
  1. Support provide keystone token in clouds.yaml for openstack auth cloud-config:
[Global]
use-clouds = true
clouds-file = xxxxx/clouds.yaml

clouds.yaml

clouds:
  openstack:
    auth_type: token
    auth:
      auth_url: xxxx
      project_name: xxx
      project_domain_name: xxx
      token: xxxx

Release note:

[openstack-cloud-controller-manager] Support keystone token for openstack auth

archerwu9425 avatar Aug 04 '25 10:08 archerwu9425

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please assign dulek for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Aug 04 '25 10:08 k8s-ci-robot

Hi @archerwu9425. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Aug 04 '25 10:08 k8s-ci-robot

@archerwu9425 Thanks for the PR. What is the use case for supporting token-based authentication? Since tokens are short-lived, they are not intended for use in long-running services like OCCM.

kayrus avatar Aug 04 '25 10:08 kayrus

@archerwu9425 Thanks for the PR. What is the use case for supporting token-based authentication? Since tokens are short-lived, they are not intended for use in long-running services like OCCM.

@kayrus keystone token not have to be short-lived, the life time can be configured. In our case, we have configured keystone token as the only way for openstack auth, make its lifetime to medium like 15 days to avoid using long-live credential like application credential.

Also I'm wonder if we should find a way to support using short-lived token for OCCM and support dynamic load config, so we can rotate the config without restart the OCCM pod. Short-lived token is used more and more in production env for security consideration, and for cloud provider like aws, we can use instance profile to avoid setting any credential in cluster. Wondering if we have plans for running occm with short-lived token.

archerwu9425 avatar Aug 05 '25 05:08 archerwu9425

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 03 '25 06:11 k8s-triage-robot

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Nov 13 '25 18:11 k8s-ci-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle rotten
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Dec 13 '25 19:12 k8s-triage-robot

@kayrus we met the same issues about using short-lived token for openstack API auth. From security perspective, having a long-lived credential in kubernetes cluster is a bit risky. Should we make the openstack-cloud-controller-manager to support token-based authentication?

jiangfwa avatar Dec 25 '25 02:12 jiangfwa