Open dkistner opened 3 years ago
Hi @dkistner we @stackitcloud would really appreciate this feature and would be willing to put effort into it. Is there any way we can help with the implementation for it?
Hi @brumhard, thank you very much! I'm already working on a PR for this feature, but I will first add another thing that is also relevant for this scenario. It is about creating an application credential for the provided technical user and using this application credential to interact with the OpenStack APIs instead of using the technical user. This will be handy with regard to secret rotation of the technical user. Once this is done I will continue with my PR for this feature.
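As an added example (not code from this thread or from the Gardener project), the following Python simulation models the Keystone application-credential semantics the comment above relies on: an application credential is derived from the technical user, carries at most that user's roles, can expire, and keeps working after the technical user's own password has been rotated. The `KeystoneSim` class, its method names and the sample user and role names are constructed stand-ins for the real identity service, not the Keystone API.

```python
"""Constructed simulation of Keystone application credentials (not Gardener code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def _digest(value: str) -> str:
    # Only hashes of passwords and application-credential secrets are stored.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class TechnicalUser:
    user_id: str
    name: str
    password_hash: str
    roles: list


@dataclass
class ApplicationCredential:
    cred_id: str
    user_id: str
    secret_hash: str
    roles: list
    expires_at: Optional[datetime]


class KeystoneSim:
    """Stand-in for the identity service (assumption: mirrors Keystone semantics only)."""

    def __init__(self):
        self.users = {}
        self.app_creds = {}

    def create_user(self, name: str, password: str, roles: list) -> str:
        user_id = secrets.token_hex(8)
        self.users[user_id] = TechnicalUser(user_id, name, _digest(password), list(roles))
        return user_id

    def authenticate_password(self, user_id: str, password: str) -> bool:
        user = self.users.get(user_id)
        return user is not None and hmac.compare_digest(user.password_hash, _digest(password))

    def rotate_password(self, user_id: str, old: str, new: str) -> bool:
        # Operator-driven rotation of the technical user's own password.
        if not self.authenticate_password(user_id, old):
            return False
        self.users[user_id].password_hash = _digest(new)
        return True

    def create_application_credential(self, user_id: str, password: str, roles: list,
                                      ttl: Optional[timedelta]):
        if not self.authenticate_password(user_id, password):
            raise PermissionError("password authentication failed")
        user = self.users[user_id]
        # Keystone refuses roles the owning user does not already hold.
        if not set(roles) <= set(user.roles):
            raise ValueError("requested roles exceed the user's roles")
        cred_id, secret = secrets.token_hex(16), secrets.token_urlsafe(32)
        expires_at = datetime.now(timezone.utc) + ttl if ttl else None
        self.app_creds[cred_id] = ApplicationCredential(
            cred_id, user_id, _digest(secret), list(roles), expires_at)
        return cred_id, secret  # the secret is returned once; only its hash is kept

    def authenticate_application_credential(self, cred_id: str, secret: str,
                                            now: Optional[datetime] = None) -> Optional[dict]:
        cred = self.app_creds.get(cred_id)
        if cred is None or cred.user_id not in self.users:
            return None
        if not hmac.compare_digest(cred.secret_hash, _digest(secret)):
            return None
        now = now or datetime.now(timezone.utc)
        if cred.expires_at is not None and now >= cred.expires_at:
            return None
        return {"user_id": cred.user_id, "roles": list(cred.roles), "method": "application_credential"}

    def delete_application_credential(self, cred_id: str) -> None:
        self.app_creds.pop(cred_id, None)


def demo() -> dict:
    ks = KeystoneSim()
    uid = ks.create_user("gardener-technical-user", "initial-pw", ["member", "reader"])
    cred_id, secret = ks.create_application_credential(uid, "initial-pw", ["member"], timedelta(days=30))
    before = ks.authenticate_application_credential(cred_id, secret)
    rotated = ks.rotate_password(uid, "initial-pw", "rotated-pw")
    after = ks.authenticate_application_credential(cred_id, secret)
    old_pw_ok = ks.authenticate_password(uid, "initial-pw")
    later = datetime.now(timezone.utc) + timedelta(days=31)
    expired = ks.authenticate_application_credential(cred_id, secret, now=later)
    wrong_secret = ks.authenticate_application_credential(cred_id, "not-the-secret")
    try:
        ks.create_application_credential(uid, "rotated-pw", ["admin"], None)
        over_privilege_refused = False
    except ValueError:
        over_privilege_refused = True
    ks.delete_application_credential(cred_id)
    deleted = ks.authenticate_application_credential(cred_id, secret)
    return {"token_before_rotation": before, "password_rotated": rotated,
            "token_after_rotation": after, "old_password_accepted": old_pw_ok,
            "expired_token": expired, "wrong_secret_token": wrong_secret,
            "over_privilege_refused": over_privilege_refused, "token_after_delete": deleted}


if __name__ == "__main__":
    print(demo())
```

The `demo()` run shows why the comment's approach helps rotation: the technical user's password can be changed without touching the credential the controller actually uses, while an expired, deleted or mistyped application credential is refused and a credential cannot carry more roles than its owner.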
Hi @dkistner, sounds good. Let us know if we can support the issue.
Hey @dkistner, don't want to bother you too much, but we are really interested in this feature. Can you share some progress or can we support you in any way to speed it up in some form? Would be great, thanks a lot!
Hi @JuliusSte,
so this feature consists, from our point of view, of two parts:
cloudprovider secret on the Seed. The first is in development and already on its way, but for the second we could indeed need some help. The implementation would look very similar to the cloudprovider webhook in the Azure extension ref.
Let me know if you wanna give it a try. If you want we can also have a chat on this before.
How to categorize this issue? /area security /kind enhancement /priority 3 /platform openstack
What would you like to be added: Similarly to Azure, we can implement a central approach to manage technical users for Shoot clusters. The technical users would be provided centrally in the Keystone by the Gardener operators, and users would need to grant the technical users (provided by the Gardener operator) access to their OpenStack projects with proper permissions.
Why is this needed: Same reasons as for Azure. Gardener operators could take care of the technical user and rotate their secrets on a regular basis. Users are not obligated to provide their own technical user.
cc @donistz, @RaphaelVogel