[occm] Support keystone token for openstack auth

[archerwu9425]

What this PR does / why we need it:
Support keystone token for openstack auth in occm

Which issue this PR fixes(if applicable):
fixes #

Special notes for reviewers:

Keystone token is supported in openstack as option for atuh, should also support this in occm

1. Support provide keystone token in cloud-config for openstack auth

[Global]
token = xxxx
auth-url = xxx
region = RegionOne
tenant-name = xxx
tenant-domain-name = xxx

2. Support provide keystone token in clouds.yaml for openstack auth
   cloud-config:

[Global]
use-clouds = true
clouds-file = xxxxx/clouds.yaml

clouds.yaml

clouds:
  openstack:
    auth_type: token
    auth:
      auth_url: xxxx
      project_name: xxx
      project_domain_name: xxx
      token: xxxx

Release note:

[openstack-cloud-controller-manager] Support keystone token for openstack auth

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dulek for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @archerwu9425. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kayrus]

@archerwu9425 Thanks for the PR. What is the use case for supporting token-based authentication? Since tokens are short-lived, they are not intended for use in long-running services like OCCM.

[archerwu9425]

@archerwu9425 Thanks for the PR. What is the use case for supporting token-based authentication? Since tokens are short-lived, they are not intended for use in long-running services like OCCM.

@kayrus keystone token not have to be short-lived, the life time can be configured. In our case, we have configured keystone token as the only way for openstack auth, make its lifetime to medium like 15 days to avoid using long-live credential like application credential.

Also I'm wonder if we should find a way to support using short-lived token for OCCM and support dynamic load config, so we can rotate the config without restart the OCCM pod. Short-lived token is used more and more in production env for security consideration, and for cloud provider like aws, we can use instance profile to avoid setting any credential in cluster. Wondering if we have plans for running occm with short-lived token.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale