1. Use the `secret` and `id` attributes of the application credential resource to create a string representing a `clouds.yaml` file, which CitC uses to authenticate to the OpenStack API.
2. Interpolate the `clouds.yaml` string into a heredoc in `bootstrap_custom.sh.tpl`, so that it is written to the right location on the deployed mgmt instance when the `user_data` script runs.
The `clouds.yaml` might look something like this:

```yaml
clouds:
  openstack:
    auth:
      auth_url: <URL for identity service API>
      application_credential_id: <ID of application credential>
      application_credential_secret: <application credential secret>
    auth_type: v3applicationcredential
    region_name: "RegionOne"
    interface: "public"
    identity_api_version: 3
```
`application_credential_id` and `application_credential_secret` should come from the created `openstack_identity_application_credential_v3` resource. The user will need to provide `auth_url`, and possibly `region_name` and `interface` (though I suspect that these will not change in most cases).
This avoids the need for the Terraform user to pre-generate an application credential. It also means they do not need to manage the credential separately from the CitC instance. It should be destroyed at the same time as the cluster.
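As an added example (not code from the clusterinthecloud/terraform repository), here is how the steps above fit together in Terraform: the credential resource, the rendered `clouds.yaml` string, and the `user_data` that hands it to the mgmt instance, followed by the matching heredoc for `bootstrap_custom.sh.tpl`. Only `openstack_identity_application_credential_v3` with its `id`/`secret` attributes, `bootstrap_custom.sh.tpl`, `user_data` and the three user-supplied settings come from the proposal; the variable and resource names, the `/etc/openstack` path and the commented-out access rule are assumptions.

```hcl
# Added example, not CitC's own code. Variable names are assumptions; only
# auth_url, region_name and interface are settings named in the proposal.
variable "auth_url" {
  description = "Identity (Keystone) endpoint, e.g. https://keystone.example.org:5000/v3"
  type        = string
}
variable "region_name" {
  type    = string
  default = "RegionOne"
}
variable "interface" {
  type    = string
  default = "public"
}
variable "cluster_id"   { type = string }
variable "image_name"   { type = string }
variable "flavor_name"  { type = string }
variable "key_pair"     { type = string }
variable "network_name" { type = string }

# Created and destroyed together with the rest of the cluster, so nothing has
# to be pre-generated or cleaned up by hand.
resource "openstack_identity_application_credential_v3" "citc" {
  name        = "citc-${var.cluster_id}"
  description = "Used by the CitC mgmt node to call the OpenStack API"

  # Longer-term hardening from the proposal: bind the credential to the API
  # calls CitC actually makes. The rule below is a placeholder, not CitC's
  # real list of endpoints, so it is left commented out.
  # access_rules {
  #   service = "compute"
  #   path    = "/v2.1/servers"
  #   method  = "POST"
  # }
}

locals {
  # yamlencode quotes every scalar, so the secret needs no manual escaping
  # and cannot break the YAML structure whatever characters it contains.
  clouds_yaml = yamlencode({
    clouds = {
      openstack = {
        auth = {
          auth_url                      = var.auth_url
          application_credential_id     = openstack_identity_application_credential_v3.citc.id
          application_credential_secret = openstack_identity_application_credential_v3.citc.secret
        }
        auth_type            = "v3applicationcredential"
        region_name          = var.region_name
        interface            = var.interface
        identity_api_version = 3
      }
    }
  })
}

# The mgmt instance: the rendered YAML is passed as a template variable, so no
# local-exec provisioner is involved.
resource "openstack_compute_instance_v2" "mgmt" {
  name        = "mgmt"
  image_name  = var.image_name
  flavor_name = var.flavor_name
  key_pair    = var.key_pair
  network {
    name = var.network_name
  }
  user_data = templatefile("${path.module}/bootstrap_custom.sh.tpl", {
    clouds_yaml = local.clouds_yaml
  })
}

/* Matching lines for bootstrap_custom.sh.tpl. ${clouds_yaml} is expanded by
   templatefile() before the script reaches the instance; the quoted heredoc
   delimiter stops bash from expanding anything inside the YAML itself.
   /etc/openstack is one of openstacksdk's default search paths and is an
   assumption about where CitC expects the file.

#!/bin/bash
set -euo pipefail
install -d -m 0700 /etc/openstack
cat > /etc/openstack/clouds.yaml <<'CLOUDS'
${clouds_yaml}
CLOUDS
chmod 0600 /etc/openstack/clouds.yaml
*/
```

Two things worth checking when reviewing a change along these lines: the provider marks `secret` as sensitive, so the rendered `clouds.yaml` is redacted in plan output but still stored in plaintext in the state file, and anything running on the mgmt instance can read the complete `user_data` back from the metadata service. Neither is worse than the current `local-exec` approach, but it is why the roles granted to the credential (and, later, access rules) are what bound the damage if the instance is compromised.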
Creating the application credential in Terraform gives greater control over the amount of access granted to CitC, which in the longer term could be used to improve security, e.g. by applying access rules that restrict access via the application credential to only the API endpoints needed by CitC.
PR #79 lays some of the groundwork for this, by separating the application credential/`clouds.yaml` used by the CitC instance to communicate with the OpenStack API from the OpenStack API authentication details used by Terraform.
Proposal for avoiding the hack for injecting `clouds.yaml` via `local-exec` provisioner (https://github.com/clusterinthecloud/terraform/blob/90b1327f32111b19dda0ff700a8b33e1a69c6798/openstack/compute.tf#L84)