
Centrally managed technical user support #357

Open

dkistner opened this issue Nov 22, 2021 · 5 comments
Assignees
Labels
area/security Security related kind/enhancement Enhancement, improvement, extension kind/roadmap Roadmap BLI lifecycle/rotten Nobody worked on this for 12 months (final aging stage) platform/openstack OpenStack platform/infrastructure priority/3 Priority (lower number equals higher priority)

Comments

@dkistner
Member

dkistner commented Nov 22, 2021

How to categorize this issue?
/area security
/kind enhancement
/priority 3
/platform openstack

What would you like to be added:
Similar to Azure, we can implement a central approach to manage technical users for Shoot clusters. The technical users would be provided centrally in Keystone by the Gardener operators, and users would need to grant the technical users (provided by the Gardener operator) access to their OpenStack projects with proper permissions.

Why is this needed:
Same reasons as for Azure. Gardener operators could take care of the technical user and rotate their secrets on a regular basis. Users are not obliged to provide their own technical user.

cc @donistz, @RaphaelVogel

@dkistner dkistner added the kind/enhancement Enhancement, improvement, extension label Nov 22, 2021
@gardener-robot gardener-robot added area/security Security related platform/openstack OpenStack platform/infrastructure priority/3 Priority (lower number equals higher priority) labels Nov 22, 2021
@dkistner dkistner self-assigned this Nov 22, 2021
@dkistner dkistner added this to the 2022-Q1 milestone Nov 30, 2021
@brumhard

brumhard commented Jan 7, 2022

Hi @dkistner, we at @stackitcloud would really appreciate this feature and would be willing to put effort into it. Is there any way we can help with the implementation?

@dkistner
Member Author

Hi @brumhard,
thank you very much! I'm already working on a PR for this feature, but I will first add another thing that is also relevant for this scenario.
It is about creating an application credential for the provided technical user and using this application credential to interact with the OpenStack APIs instead of using the technical user. This will be handy in regard to secret rotation of the technical user. Once this is done, I will continue with my PR for this feature.

@dergeberl
Contributor

Hi @dkistner,
sounds good. Let us know if we can support the issue.

@JuliusSte

Hey @dkistner,
I don't want to bother you too much, but we are really interested in this feature. Can you share some progress, or can we support you in any way to speed it up? Would be great, thanks a lot!

@dkistner
Member Author

dkistner commented Feb 4, 2022

Hi @JuliusSte,

so, from our point of view, this feature consists of two parts:

  1. Support for application credentials which are owned by the OpenStack user (or the unrestricted application credential) that a Shoot owner provides for the cluster. These app credentials are managed by the OpenStack extension and used for all interactions with the OpenStack API. This is required to avoid service disruptions while the credentials of the owning OpenStack user are rotated.
  2. A webhook which injects a Gardener-managed OpenStack user into the cloudprovider secret on the Seed.

Part 1 is in development and already on its way, but for part 2 we could indeed use some help. The implementation would look very similar to the cloudprovider webhook in the Azure extension (ref).

Let me know if you wanna give it a try. If you want we can also have a chat on this before.
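The core decision the second part (the cloudprovider webhook) has to make, as an added illustration that is not code from the issue or from the Gardener OpenStack extension: take the cloudprovider secret data the Shoot owner provided, keep their project (`tenantName`), and inject the centrally managed technical user only when the owner did not bring their own user. The secret key names (`domainName`, `tenantName`, `username`, `password`), the `CentralUser` type and the opt-in rule "no username/password supplied" are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Keys of the OpenStack cloudprovider secret. Assumed names for this example;
// the real extension's documentation is authoritative.
const (
	KeyDomainName = "domainName"
	KeyTenantName = "tenantName"
	KeyUsername   = "username"
	KeyPassword   = "password"
)

// CentralUser holds the credentials of the technical user that the Gardener
// operator provisions centrally in Keystone (hypothetical type).
type CentralUser struct {
	DomainName string
	Username   string
	Password   string
}

// ErrNoProject is returned when the owner's secret names no project: the
// central user can only act in a project the owner has granted it access to.
var ErrNoProject = errors.New("cloudprovider secret has no tenantName")

// InjectCentralUser returns a new secret data map and never mutates its input.
//   - If the owner supplied username and password, the data is returned unchanged.
//   - Otherwise the central user's domain, username and password are injected,
//     while tenantName (the owner's project) is preserved.
// Because a webhook runs on every reconcile, a rotated central password reaches
// the Seed secret without any action by the Shoot owner.
func InjectCentralUser(data map[string][]byte, user CentralUser) (map[string][]byte, error) {
	out := make(map[string][]byte, len(data)+3)
	for k, v := range data {
		out[k] = append([]byte(nil), v...) // deep copy so the caller's map stays intact
	}
	if len(out[KeyTenantName]) == 0 {
		return nil, ErrNoProject
	}
	if len(out[KeyUsername]) > 0 && len(out[KeyPassword]) > 0 {
		return out, nil // owner brought their own technical user; leave it alone
	}
	if user.Username == "" || user.Password == "" {
		return nil, errors.New("central technical user is not configured")
	}
	out[KeyDomainName] = []byte(user.DomainName)
	out[KeyUsername] = []byte(user.Username)
	out[KeyPassword] = []byte(user.Password)
	return out, nil
}

func main() {
	// Constructed sample: the owner only names their project, no own user.
	ownerSecret := map[string][]byte{KeyTenantName: []byte("shoot-project-42")}
	central := CentralUser{DomainName: "gardener", Username: "gardener-tech", Password: "rotated-secret"}

	merged, err := InjectCentralUser(ownerSecret, central)
	if err != nil {
		fmt.Println("injection failed:", err)
		return
	}
	// Never log the password; the other keys are enough to see the result.
	for _, k := range []string{KeyDomainName, KeyTenantName, KeyUsername} {
		fmt.Printf("%s=%s\n", k, merged[k])
	}
}
```

The function is written to be called from the webhook's mutate path with the decoded `Secret.Data`; returning a fresh map keeps the original object untouched if the admission response is later dropped.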

@dkistner dkistner removed this from the 2022-Q1 milestone Apr 1, 2022
@gardener-robot gardener-robot added the lifecycle/stale Nobody worked on this for 6 months (will further age) label Sep 29, 2022
@gardener-robot gardener-robot added kind/roadmap Roadmap BLI and removed roadmap/cloud labels Mar 23, 2023
@gardener-robot gardener-robot added lifecycle/rotten Nobody worked on this for 12 months (final aging stage) and removed lifecycle/stale Nobody worked on this for 6 months (will further age) labels Dec 1, 2023