clusterinthecloud / terraform

Terraform config for Cluster in the Cloud
https://cluster-in-the-cloud.readthedocs.io
MIT License

OpenStack: Create application credential in Terraform and inject `clouds.yaml` via `user_data` script #80

Open jcwomack opened 2 months ago

jcwomack commented 2 months ago

Proposal for avoiding the hack for injecting clouds.yaml via local-exec provisioner

https://github.com/clusterinthecloud/terraform/blob/90b1327f32111b19dda0ff700a8b33e1a69c6798/openstack/compute.tf#L84

The clouds.yaml might look something like this:

```yaml
clouds:
  openstack:
    auth:
      auth_url: <URL for identity service API>
      application_credential_id: <ID of application credential>
      application_credential_secret: <application credential secret>
    auth_type: v3applicationcredential
    region_name: "RegionOne"
    interface: "public"
    identity_api_version: 3
```

`application_credential_id` and `application_credential_secret` should come from the created `openstack_identity_application_credential_v3` resource. The user will need to provide `auth_url`, and possibly `region_name` and `interface` (though I suspect that these will not change in most cases).

This avoids the need for the Terraform user to pre-generate an application credential. It also means they do not need to manage the credential separately from the CitC instance. It should be destroyed at the same time as the cluster.

Creating the application credential in Terraform gives greater control over the amount of access granted to CitC, which in the longer term could be used to improve security, e.g. by applying access rules that restrict access via the application credential to only the API endpoints needed by CitC.

PR #79 lays some of the groundwork for this, by separating the application credential/clouds.yaml used by the CitC instance to communicate with the OpenStack API from the OpenStack API authentication details used by Terraform.
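One way the proposal above could be implemented, as an added illustration rather than code from the clusterinthecloud/terraform repository or from the issue author: the application credential is created as a Terraform resource, its id and secret are rendered into `clouds.yaml` with `yamlencode`, and the file is written by cloud-init through `user_data` instead of a `local-exec` provisioner. The variable names (`openstack_auth_url`, `openstack_region_name`), the resource labels (`citc`, `mgmt`), the file path `/etc/openstack/clouds.yaml`, and the single `access_rules` block are assumptions chosen for this example; the provider arguments themselves (`secret`, `roles`, `access_rules`, `user_data`) are the OpenStack provider's own.

```hcl
# Added example (not part of the CitC repository): create the application
# credential in Terraform and inject clouds.yaml via cloud-init user_data.

variable "openstack_auth_url" {
  description = "Keystone v3 endpoint the cluster will authenticate against (assumed variable name)"
  type        = string
}

variable "openstack_region_name" {
  description = "Region used by the cluster (assumed variable name)"
  type        = string
  default     = "RegionOne"
}

# The credential lives and dies with the rest of the cluster: `terraform destroy`
# removes it, so nothing has to be managed separately from the CitC instance.
resource "openstack_identity_application_credential_v3" "citc" {
  name        = "citc-cluster"
  description = "Credential used by the CitC management node to drive the OpenStack API"
  roles       = ["member"]

  # Illustrative restriction: without access_rules the credential inherits every
  # role permission of the creating user. Rules like this narrow it to the
  # endpoints the cluster actually needs; the exact set depends on CitC.
  access_rules {
    service = "compute"
    method  = "GET"
    path    = "/v2.1/servers"
  }
}

locals {
  # Same structure as the clouds.yaml shown in the issue, with the two
  # credential fields taken from the resource above.
  clouds_yaml = yamlencode({
    clouds = {
      openstack = {
        auth = {
          auth_url                      = var.openstack_auth_url
          application_credential_id     = openstack_identity_application_credential_v3.citc.id
          application_credential_secret = openstack_identity_application_credential_v3.citc.secret
        }
        auth_type            = "v3applicationcredential"
        region_name          = var.openstack_region_name
        interface            = "public"
        identity_api_version = 3
      }
    }
  })

  # cloud-config fragment: base64 encoding keeps the YAML payload independent
  # of indentation, and 0600 keeps the secret readable by root only.
  cloud_config = <<-EOT
    #cloud-config
    write_files:
      - path: /etc/openstack/clouds.yaml
        owner: root:root
        permissions: "0600"
        encoding: b64
        content: ${base64encode(local.clouds_yaml)}
  EOT
}

# Management node (assumed label "mgmt"); only the user_data wiring matters here.
resource "openstack_compute_instance_v2" "mgmt" {
  name      = "citc-mgmt"
  image_id  = var.mgmt_image_id      # assumed variables
  flavor_id = var.mgmt_flavor_id

  # user_data is marked sensitive by the provider's schema in recent releases;
  # the secret still lands in Terraform state, so the state backend must be
  # protected (encrypted, access-controlled) just as the credential itself is.
  user_data = local.cloud_config
}
```

The `secret` attribute is only available at creation time, so Terraform stores it in state to render `user_data` on later plans; rotating the credential means tainting or replacing the `openstack_identity_application_credential_v3` resource, which in turn replaces the instance because its `user_data` changes.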