archerwu9425 commented Aug 4, 2025

What this PR does / why we need it:
Support keystone token for openstack auth in occm

Which issue this PR fixes(if applicable):
fixes #

Special notes for reviewers:

Keystone token is supported in openstack as an option for auth, and should also be supported in occm

  1. Support providing a keystone token in cloud-config for openstack auth

         [Global]
         token = xxxx
         auth-url = xxx
         region = RegionOne
         tenant-name = xxx
         tenant-domain-name = xxx

  2. Support providing a keystone token in clouds.yaml for openstack auth

     cloud-config:

         [Global]
         use-clouds = true
         clouds-file = xxxxx/clouds.yaml

     clouds.yaml:

         clouds:
           openstack:
             auth_type: token
             auth:
               auth_url: xxxx
               project_name: xxx
               project_domain_name: xxx
               token: xxxx

Release note:

[openstack-cloud-controller-manager] Support keystone token for openstack auth

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 4, 2025
k8s-ci-robot commented

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dulek for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from kayrus and zetaab August 4, 2025 10:20
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 4, 2025
k8s-ci-robot commented

Hi @archerwu9425. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Aug 4, 2025

kayrus commented Aug 4, 2025

@archerwu9425 Thanks for the PR. What is the use case for supporting token-based authentication? Since tokens are short-lived, they are not intended for use in long-running services like OCCM.

archerwu9425 commented

> @archerwu9425 Thanks for the PR. What is the use case for supporting token-based authentication? Since tokens are short-lived, they are not intended for use in long-running services like OCCM.

@kayrus A keystone token does not have to be short-lived; the lifetime can be configured. In our case, we have configured keystone token as the only way for openstack auth and set its lifetime to a medium value like 15 days to avoid using long-lived credentials like application credentials.

Also, I'm wondering if we should find a way to support using short-lived tokens for OCCM and support dynamic config loading, so we can rotate the config without restarting the OCCM pod. Short-lived tokens are used more and more in production environments for security reasons, and for cloud providers like AWS, we can use an instance profile to avoid setting any credentials in the cluster. Wondering if we have plans for running OCCM with short-lived tokens.
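
Added example (not part of this PR or of OCCM's code): the thread turns on how long a statically configured Keystone token stays valid, so this Go program reads the `expires_at` field from a token-validation response body (`GET /v3/auth/tokens`) and reports whether the token is still fine, inside a rotation window, or expired. The sample body is constructed, and `TokenStatus` and `rotateBefore` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed sample of a Keystone token-validation response body for a
// token with a 15-day lifetime; only the fields relevant here are kept.
const sampleTokenBody = `{"token": {"issued_at": "2025-08-04T10:20:00.000000Z", "expires_at": "2025-08-19T10:20:00.000000Z"}}`

type tokenBody struct {
	Token struct {
		ExpiresAt time.Time `json:"expires_at"`
	} `json:"token"`
}

// TokenStatus classifies a static token for a long-running service as
// "expired", "rotate" (inside the rotation window) or "ok", and returns the
// remaining lifetime. rotateBefore is a hypothetical operator-chosen margin.
func TokenStatus(body []byte, now time.Time, rotateBefore time.Duration) (string, time.Duration, error) {
	var tb tokenBody
	if err := json.Unmarshal(body, &tb); err != nil {
		return "", 0, fmt.Errorf("decode token body: %w", err)
	}
	if tb.Token.ExpiresAt.IsZero() {
		return "", 0, fmt.Errorf("token body has no expires_at")
	}
	remaining := tb.Token.ExpiresAt.Sub(now)
	switch {
	case remaining <= 0:
		return "expired", remaining, nil
	case remaining <= rotateBefore:
		return "rotate", remaining, nil
	default:
		return "ok", remaining, nil
	}
}

func main() {
	now := time.Date(2025, 8, 17, 10, 20, 0, 0, time.UTC) // constructed "current time"
	status, left, err := TokenStatus([]byte(sampleTokenBody), now, 72*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("status=%s remaining=%s\n", status, left)
}
```

A check like this only tells the operator when the `token` value in cloud-config or clouds.yaml must be replaced; it does not replace the token for a running process.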
