gardener / gardener-extension-provider-openstack

Gardener extension controller for the OpenStack cloud provider (https://openstack.org).
https://gardener.cloud
Apache License 2.0

Centrally managed technical user support #357

Open dkistner opened 3 years ago

dkistner commented 3 years ago

How to categorize this issue? /area security /kind enhancement /priority 3 /platform openstack

What would you like to be added: Similar to Azure, we can implement a central approach to manage technical users for Shoot clusters. The technical users would be provided centrally in the Keystone by the Gardener operators, and users would need to grant the technical users (provided by the Gardener operator) access to their Openstack projects with proper permissions.

Why is this needed: Same reasons as for Azure. Gardener operators could take care of the technical user and rotate their secrets on a regular basis. Users are not obligated to provide their own technical user.

cc @donistz, @RaphaelVogel

brumhard commented 2 years ago

Hi @dkistner we @stackitcloud would really appreciate this feature and would be willing to put effort into it. Is there any way we can help with the implementation for it?

dkistner commented 2 years ago

Hi @brumhard, thank you very much! I'm already working on a PR for this feature, but I will first add another thing that is also relevant for this scenario. It is about creating an application credential for the provided technical user and using this application credential to interact with the Openstack APIs instead of using the technical user. This will be handy in regard to secret rotation of the technical user. Once this is done I will continue with my PR for this feature.

dergeberl commented 2 years ago

Hi @dkistner, sounds good. Let us know if we can support the issue.

JuliusSte commented 2 years ago

Hey @dkistner, don't want to bother you too much, but we are really interested in this feature. Can you share some progress or can we support you in any way to speed it up in some form? Would be great, thanks a lot!

dkistner commented 2 years ago

Hi @JuliusSte,

so, from our point of view, this feature consists of two parts:

  1. Support for application credentials which are owned by the Openstack user (or the unrestricted application credential) that a Shoot owner provides for the cluster. These app credentials are managed by the Openstack extension and used for all interactions with the Openstack API. This is required to avoid service disruptions while the credentials of the owning Openstack user are rotated.
  2. A webhook which injects a Gardener managed Openstack user into the cloudprovider secret on the Seed.

Part 1 is in development and already on its way, but for part 2 we could indeed use some help. The implementation would look very similar to the cloudprovider webhook in the Azure extension (ref).

Let me know if you wanna give it a try. If you want we can also have a chat on this before.
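To make the second part of the proposal concrete, here is an added Go example that models the mutation such a Seed webhook would apply to the cloudprovider secret. It is illustration code written for this thread, not code from the extension or from the PR mentioned above. The secret key names (`authURL`, `domainName`, `tenantName`, `username`, `password`, `applicationCredentialID`, `applicationCredentialSecret`), the `ManagedUser` type and all sample values are assumptions; the real webhook would work on a `corev1.Secret` through controller-runtime rather than on a plain map. The two properties worth checking are that credentials the Shoot owner brought themselves are never overwritten, and that the managed user is only injected together with the owner's project scope, so it can never be used without the project the owner explicitly granted it access to.

```go
package main

import (
	"errors"
	"fmt"
)

// Data keys of the OpenStack cloudprovider secret. These names are an
// assumption modelled on the extension's documented secret layout; the
// issue itself does not list them.
const (
	keyAuthURL       = "authURL"
	keyDomainName    = "domainName"
	keyTenantName    = "tenantName"
	keyUsername      = "username"
	keyPassword      = "password"
	keyAppCredID     = "applicationCredentialID"
	keyAppCredSecret = "applicationCredentialSecret"
)

// ManagedUser is a hypothetical representation of the technical user the
// Gardener operator provisions centrally in Keystone. It is assumed to live
// in the same Keystone domain as the Shoot owner's project (domainName).
type ManagedUser struct {
	Username string
	Password string
}

// ErrMissingProject is returned when the owner's secret does not name the
// project the managed user should act in: without that scope there is
// nothing to inject the credentials for.
var ErrMissingProject = errors.New("cloudprovider secret lacks domainName/tenantName; cannot scope the managed user")

// hasKey reports whether the secret carries a non-empty value for key.
func hasKey(data map[string][]byte, key string) bool {
	return len(data[key]) > 0
}

// InjectManagedUser models the webhook mutation. Owner-supplied credentials
// (user/password or an application credential) win and the call is a no-op;
// otherwise the managed user's credentials are added while the owner's
// domainName and tenantName are kept, so the managed user only ever acts in
// the project the owner granted it access to. The input map is not modified;
// the bool result says whether an injection happened.
func InjectManagedUser(data map[string][]byte, mu ManagedUser) (map[string][]byte, bool, error) {
	out := make(map[string][]byte, len(data)+2)
	for k, v := range data {
		out[k] = append([]byte(nil), v...)
	}
	if hasKey(out, keyUsername) && hasKey(out, keyPassword) {
		return out, false, nil
	}
	if hasKey(out, keyAppCredID) && hasKey(out, keyAppCredSecret) {
		return out, false, nil
	}
	if !hasKey(out, keyDomainName) || !hasKey(out, keyTenantName) {
		return nil, false, ErrMissingProject
	}
	if mu.Username == "" || mu.Password == "" {
		return nil, false, errors.New("managed user credentials are not configured")
	}
	out[keyUsername] = []byte(mu.Username)
	out[keyPassword] = []byte(mu.Password)
	return out, true, nil
}

// describe renders the secret for logging with secret-bearing values masked.
func describe(data map[string][]byte) string {
	s := ""
	for k, v := range data {
		val := string(v)
		if k == keyPassword || k == keyAppCredSecret {
			val = "***"
		}
		s += fmt.Sprintf("%s=%s ", k, val)
	}
	return s
}

func main() {
	managed := ManagedUser{Username: "gardener-technical-user", Password: "constructed-managed-password"}

	// Constructed sample: an owner who only names the project and relies on the managed user.
	ownerOnlyProject := map[string][]byte{
		keyAuthURL:    []byte("https://keystone.example.invalid/v3"),
		keyDomainName: []byte("customer-domain"),
		keyTenantName: []byte("customer-project"),
	}
	// Constructed sample: an owner who brought their own application credential.
	ownerWithAppCred := map[string][]byte{
		keyAuthURL:       []byte("https://keystone.example.invalid/v3"),
		keyDomainName:    []byte("customer-domain"),
		keyTenantName:    []byte("customer-project"),
		keyAppCredID:     []byte("constructed-app-cred-id"),
		keyAppCredSecret: []byte("constructed-app-cred-secret"),
	}
	for _, in := range []map[string][]byte{ownerOnlyProject, ownerWithAppCred} {
		out, injected, err := InjectManagedUser(in, managed)
		fmt.Printf("injected=%v err=%v -> %s\n", injected, err, describe(out))
	}
}
```

Keeping the decision in a pure function over the secret's data map is what makes the precedence rules unit-testable independently of the admission machinery; in a real webhook the same function would be called from the mutating handler and its result written back into the Secret before the extension's controllers read it.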