Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for application credentials #300

Merged
merged 2 commits into from
Jul 8, 2021
Merged

add support for application credentials #300

merged 2 commits into from
Jul 8, 2021

Conversation

MartinWeindel
Copy link
Member

How to categorize this PR?

/area control-plane
/area security
/kind enhancement
/platform openstack

What this PR does / why we need it:
The provider secret for Openstack can contain the keys applicationCredentialID and applicationCredentialSecret as alternative to authentication with username/password

Which issue(s) this PR fixes:
Fixes #4

Special notes for your reviewer:
This PR is depending on a new release of the machine-controller-manager-provider-openstack which includes PR gardener/machine-controller-manager-provider-openstack#26

Release note:

add support for application credentials

@MartinWeindel MartinWeindel requested review from a team as code owners June 25, 2021 12:54
@gardener-robot gardener-robot added area/control-plane Control plane related area/security Security related kind/enhancement Enhancement, improvement, extension platform/openstack OpenStack platform/infrastructure needs/review Needs review size/l Size of pull request is large (see gardener-robot robot/bots/size.py) needs/second-opinion Needs second review by someone else labels Jun 25, 2021
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 25, 2021
@gardener-robot-ci-3 gardener-robot-ci-3 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jun 25, 2021
@MartinWeindel MartinWeindel mentioned this pull request Jun 25, 2021
Closed
kayrus
kayrus suggested changes Jun 28, 2021
View reviewed changes
Copy link
Contributor

@kayrus kayrus left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: When you're specifying application credentials, especially by id and a password, there is no need to request domain/project/username. application credentials are project scoped by default. You need only the keystone auth URL, credentials ID and credentials password.

charts/internal/cloud-provider-config/templates/_cloud-provider-config-global.tpl Outdated
username="{{ .Values.username }}"
password="{{ .Values.password }}"
{{- end }}
{{- if .Values.applicationCredentialID }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you omit the applicationCredentialName by purpose to avoid end user confusion?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to keep it simple. Especially if we want to support adding secrets in the Gardener dashboard, this can become quite cumbersome. It also produces additional test effort.
Is there any good reason to use applicationCredentialName (together with userName or a user id) instead of applicationCredentialID?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any good reason to use...

applicationCredentialName may contain a hint for its purpose, but it adds additional complexity for providing a proper username and domain name, or just a userid.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

applicationCredentialName is supported now, too.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MartinWeindel I'd revert the applicationCredentialName support for now, because this may add extra confusion on the user end. See the detailed explanation of 3 auth cases: gophercloud/gophercloud#1365 (comment)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P.S. I'm not against the applicationCredentialName, but in order to speed-up the appCreds implementation I'd focus on appID only. The appName support can be added later.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As new releases are needed for both the Openstack provider and the machine-controller-provider-openstack, I don't think it will be faster to remove the appName support now as it has already been tested.
@dkistner WDYT?

@gardener-robot gardener-robot added the needs/changes Needs (more) changes label Jun 28, 2021
dkistner
dkistner reviewed Jun 30, 2021
View reviewed changes
pkg/apis/openstack/validation/secrets.go Show resolved Hide resolved
pkg/internal/terraform.go Outdated Show resolved Hide resolved
pkg/internal/terraform.go Outdated Show resolved Hide resolved
@MartinWeindel MartinWeindel force-pushed the application-credentials branch from e5b315f to 9adf589 Compare June 30, 2021 15:39
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 30, 2021
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 30, 2021
@gardener-robot
Copy link

@MartinWeindel You have pull request review with status CHANGES_REQUESTED, please check

dkistner
dkistner reviewed Jul 1, 2021
View reviewed changes
Copy link
Member

@dkistner dkistner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me.

/hold
Until we have a mcm openstack provider with gardener/machine-controller-manager-provider-openstack#26

@gardener-robot gardener-robot added the reviewed/do-not-merge Has no approval for merging as it may break things, be of poor quality or have (ext.) dependencies label Jul 1, 2021
@MartinWeindel MartinWeindel requested a review from dkistner July 1, 2021 09:56
@MartinWeindel MartinWeindel mentioned this pull request Jul 1, 2021
Merged
@gardener-robot gardener-robot added the size/xl Size of pull request is huge (see gardener-robot robot/bots/size.py) label Jul 1, 2021
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 1, 2021
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 1, 2021
@gardener-robot gardener-robot removed the size/l Size of pull request is large (see gardener-robot robot/bots/size.py) label Jul 1, 2021
@MartinWeindel MartinWeindel force-pushed the application-credentials branch from 4a52a3a to d14b8f7 Compare July 1, 2021 11:08
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 1, 2021
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 1, 2021
@MartinWeindel MartinWeindel force-pushed the application-credentials branch from d14b8f7 to 8bcec89 Compare July 1, 2021 12:13
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jul 1, 2021
@gardener-robot gardener-robot added size/l Size of pull request is large (see gardener-robot robot/bots/size.py) and removed size/xl Size of pull request is huge (see gardener-robot robot/bots/size.py) labels Jul 1, 2021
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 1, 2021
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 1, 2021
@MartinWeindel MartinWeindel force-pushed the application-credentials branch from e5d8ee4 to 8bcec89 Compare July 1, 2021 14:49
@gardener-robot gardener-robot added size/xl Size of pull request is huge (see gardener-robot robot/bots/size.py) and removed size/l Size of pull request is large (see gardener-robot robot/bots/size.py) labels Jul 1, 2021
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 1, 2021
kon-angelo
kon-angelo approved these changes Jul 2, 2021
View reviewed changes
Copy link
Contributor

@kon-angelo kon-angelo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/changes Needs (more) changes needs/review Needs review needs/second-opinion Needs second review by someone else labels Jul 2, 2021
@kon-angelo kon-angelo merged commit 5e20dfb into master Jul 8, 2021
@kon-angelo kon-angelo mentioned this pull request Jul 16, 2021
Merged
@rfranzke rfranzke deleted the application-credentials branch February 9, 2022 07:48
@grolu grolu mentioned this pull request Jun 8, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kayrus kayrus kayrus requested changes

@kon-angelo kon-angelo kon-angelo approved these changes

@dkistner dkistner Awaiting requested review from dkistner

Assignees
No one assigned
Labels
area/control-plane Control plane related area/security Security related kind/enhancement Enhancement, improvement, extension needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) platform/openstack OpenStack platform/infrastructure reviewed/do-not-merge Has no approval for merging as it may break things, be of poor quality or have (ext.) dependencies reviewed/lgtm Has approval for merging reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) size/xl Size of pull request is huge (see gardener-robot robot/bots/size.py)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Openstack: application credential support
8 participants
@MartinWeindel @gardener-robot @kayrus @dkistner @kon-angelo @gardener-robot-ci-1 @gardener-robot-ci-2 @gardener-robot-ci-3