
Commit 55ea934

committed
Add application cred usage
1 parent 2a91b39 commit 55ea934


3 files changed

+50
-4
lines changed


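--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -8,6 +8,7 @@
 - [Floating IP](#floating-ip)
 - [SSH authorized key](#ssh-authorized-key)
 - [OpenStack credential](#openstack-credential)
+- [Generate credentials](#generate-credentials)
 - [Availability zone](#availability-zone)
 - [DNS server](#dns-server)
 - [Optional Configuration](#optional-configuration)
@@ -79,6 +80,7 @@ spec:
 
 ## OpenStack credential
 
+### Generate credentials
 The [env.rc](./env.rc) script sets the environment variables related to credentials.
 
 ```bash
@@ -94,6 +96,8 @@ The following variables are set.
 | OPENSTACK_CLOUD_PROVIDER_CONF_B64 | The content of [cloud.conf](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#cloud-conf) which is used by OpenStack cloud provider |
 | OPENSTACK_CLOUD_CACERT_B64 | (Optional) The content of your custom CA file which can be specified in your clouds.yaml by `ca-file` |
 
+Note: Only the [external cloud provider](./external-cloud-provider.md) supports [Application Credentials](https://docs.openstack.org/keystone/latest/user/application_credentials.html).
+
 ## Availability zone
 
 The availability zone names must be exposed as an environment variable `OPENSTACK_FAILURE_DOMAIN`.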

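--- a/templates/create_cloud_conf.sh
+++ b/templates/create_cloud_conf.sh
@@ -69,6 +69,9 @@ CAPO_REGION=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_C
 CAPO_PROJECT_ID=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.project_id)
 CAPO_PROJECT_NAME=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.project_name)
 CAPO_DOMAIN_NAME=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.user_domain_name)
+CAPO_APPLICATION_CREDENTIAL_NAME=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.application_credential_name)
+CAPO_APPLICATION_CREDENTIAL_ID=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.application_credential_id)
+CAPO_APPLICATION_CREDENTIAL_SECRET=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.application_credential_secret)
 if [[ "$CAPO_DOMAIN_NAME" = "null" ]]; then
 CAPO_DOMAIN_NAME=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.domain_name)
 fi
@@ -83,10 +86,16 @@ CAPO_CLOUD_PROVIDER_CONF_TMP=$(mktemp /tmp/cloud.confXXX)
 cat >> ${CAPO_CLOUD_PROVIDER_CONF_TMP} << EOF
 [Global]
 auth-url=${CAPO_AUTH_URL}
-username="${CAPO_USERNAME}"
-password="${CAPO_PASSWORD}"
 EOF
 
+if [[ "$CAPO_USERNAME" != "" && "$CAPO_USERNAME" != "null" ]]; then
+echo "username=\"${CAPO_USERNAME}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
+fi
+
+if [[ "$CAPO_PASSWORD" != "" && "$CAPO_PASSWORD" != "null" ]]; then
+echo "password=\"${CAPO_PASSWORD}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
+fi
+
 if [[ "$CAPO_PROJECT_ID" != "" && "$CAPO_PROJECT_ID" != "null" ]]; then
 echo "tenant-id=\"${CAPO_PROJECT_ID}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
 fi
@@ -107,4 +116,17 @@ if [[ "$CAPO_REGION" != "" && "$CAPO_REGION" != "null" ]]; then
 echo "region=\"${CAPO_REGION}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
 fi
 
+if [[ "$CAPO_APPLICATION_CREDENTIAL_NAME" != "" && "$CAPO_APPLICATION_CREDENTIAL_NAME" != "null" ]]; then
+echo "application-credential-name=\"${CAPO_APPLICATION_CREDENTIAL_NAME}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
+fi
+
+if [[ "$CAPO_APPLICATION_CREDENTIAL_ID" != "" && "$CAPO_APPLICATION_CREDENTIAL_ID" != "null" ]]; then
+echo "application-credential-id=\"${CAPO_APPLICATION_CREDENTIAL_ID}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
+fi
+
+if [[ "$CAPO_APPLICATION_CREDENTIAL_SECRET" != "" && "$CAPO_APPLICATION_CREDENTIAL_SECRET" != "null" ]]; then
+echo "application-credential-secret=\"${CAPO_APPLICATION_CREDENTIAL_SECRET}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
+fi
+
+
 cat ${CAPO_CLOUD_PROVIDER_CONF_TMP}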
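Review bot: The added `application-credential-secret` line (new line 128) writes a long-lived secret into the `/tmp/cloud.confXXX` file, and nothing visible after the final `cat ${CAPO_CLOUD_PROVIDER_CONF_TMP}` removes that file; the short trailing context suggests the script ends there, though that is inferred. Adding `trap 'rm -f -- "$CAPO_CLOUD_PROVIDER_CONF_TMP"' EXIT` directly after the `mktemp` call would keep the credential from outliving the script. The value is also placed between literal double quotes without escaping, so a secret containing `"` or `\` would likely yield a malformed cloud.conf. This applies equally to the `password` line at new line 96 and to the same blocks in templates/env.rc.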

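--- a/templates/env.rc
+++ b/templates/env.rc
@@ -69,6 +69,9 @@ CAPO_REGION=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_C
 CAPO_PROJECT_ID=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.project_id)
 CAPO_PROJECT_NAME=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.project_name)
 CAPO_DOMAIN_NAME=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.user_domain_name)
+CAPO_APPLICATION_CREDENTIAL_NAME=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.application_credential_name)
+CAPO_APPLICATION_CREDENTIAL_ID=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.application_credential_id)
+CAPO_APPLICATION_CREDENTIAL_SECRET=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.application_credential_secret)
 if [[ "$CAPO_DOMAIN_NAME" = "null" ]]; then
 CAPO_DOMAIN_NAME=$(echo "$CAPO_OPENSTACK_CLOUD_YAML_CONTENT" | yq r - clouds.${CAPO_CLOUD}.auth.domain_name)
 fi
@@ -90,10 +93,16 @@ CAPO_CLOUD_PROVIDER_CONF_TMP=$(mktemp /tmp/cloud.confXXX)
 cat >> ${CAPO_CLOUD_PROVIDER_CONF_TMP} << EOF
 [Global]
 auth-url=${CAPO_AUTH_URL}
-username="${CAPO_USERNAME}"
-password="${CAPO_PASSWORD}"
 EOF
 
+if [[ "$CAPO_USERNAME" != "" && "$CAPO_USERNAME" != "null" ]]; then
+echo "username=\"${CAPO_USERNAME}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
+fi
+
+if [[ "$CAPO_PASSWORD" != "" && "$CAPO_PASSWORD" != "null" ]]; then
+echo "password=\"${CAPO_PASSWORD}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
+fi
+
 if [[ "$CAPO_PROJECT_ID" != "" && "$CAPO_PROJECT_ID" != "null" ]]; then
 echo "tenant-id=\"${CAPO_PROJECT_ID}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
 fi
@@ -113,6 +122,17 @@ fi
 if [[ "$CAPO_REGION" != "" && "$CAPO_REGION" != "null" ]]; then
 echo "region=\"${CAPO_REGION}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
 fi
+if [[ "$CAPO_APPLICATION_CREDENTIAL_NAME" != "" && "$CAPO_APPLICATION_CREDENTIAL_NAME" != "null" ]]; then
+echo "application-credential-name=\"${CAPO_APPLICATION_CREDENTIAL_NAME}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
+fi
+
+if [[ "$CAPO_APPLICATION_CREDENTIAL_ID" != "" && "$CAPO_APPLICATION_CREDENTIAL_ID" != "null" ]]; then
+echo "application-credential-id=\"${CAPO_APPLICATION_CREDENTIAL_ID}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
+fi
+
+if [[ "$CAPO_APPLICATION_CREDENTIAL_SECRET" != "" && "$CAPO_APPLICATION_CREDENTIAL_SECRET" != "null" ]]; then
+echo "application-credential-secret=\"${CAPO_APPLICATION_CREDENTIAL_SECRET}\"" >> ${CAPO_CLOUD_PROVIDER_CONF_TMP}
+fi
 export OPENSTACK_CLOUD_PROVIDER_CONF_B64="$(cat ${CAPO_CLOUD_PROVIDER_CONF_TMP} | base64 --wrap=0)"
 
 # Build OPENSTACK_CLOUD_CACERT_B64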
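Review bot: Nothing in the added blocks at new lines 125–135 checks that the application-credential fields form a usable set. An `application_credential_id` or `application_credential_name` without an `application_credential_secret` is written out as-is, and a clouds.yaml carrying both a password and an application credential gets both emitted into the same `[Global]` section. A guard ahead of the first `echo` that prints an error to stderr and stops when an id or name is set but the secret is empty or `null` would fail early, rather than presumably surfacing later as an authentication error in the cloud provider. If this file is sourced, as docs/configuration.md suggests, `CAPO_APPLICATION_CREDENTIAL_SECRET` and `CAPO_PASSWORD` also stay set in the caller's shell after the export at new line 136. Adding `unset CAPO_APPLICATION_CREDENTIAL_SECRET CAPO_PASSWORD` once `OPENSTACK_CLOUD_PROVIDER_CONF_B64` is built would limit that exposure.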
