OSASINFRA-3111: Warn if user/pass auth used in clouds.yaml (openshift#6911)

Application credentials [1] have a number of advantage over
username/password combinations, not least the ease of rotation. However,
the 'clouds.yaml' files generated by various OpenStack tools like
Horizon default to username/password combinations and users tend to pass
these through unmodified. We don't want to outright reject these - at
least, not yet - but we can indicate an explicit preference for
application credentials. We do this by inspecting the 'clouds.yaml' file
that the user has provided before we store it as a secret for use in the
deployment. If the user has provided password-based credentials, we will
emit a log encouraging them to migrate and warning about the potential
removal of support for password-based auth in a future release.

[1] https://docs.openstack.org/keystone/latest/user/application_credentials.html

Signed-off-by: Stephen Finucane <[email protected]>

Author: stephenfin

pkg/asset/manifests/openshift.go

@@ -10,6 +10,8 @@ import (
 
 	"github.com/gophercloud/utils/openstack/clientconfig"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/yaml"
 
 	"github.com/openshift/installer/pkg/asset"
@@ -159,6 +161,16 @@ func (o *Openshift) Generate(dependencies asset.Parents) error {
 			cloud.CACertFile = "/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem"
 		}
 
+		// Application credentials are easily rotated in the event of a leak and should be preferred. Encourage their use.
+		authTypes := sets.New(clientconfig.AuthPassword, clientconfig.AuthV2Password, clientconfig.AuthV3Password)
+		if cloud.AuthInfo != nil && authTypes.Has(cloud.AuthType) {
+			logrus.Warnf(
+				"clouds.yaml file is using %q type auth. Consider using the %q auth type instead to rotate credentials more easily.",
+				cloud.AuthType,
+				clientconfig.AuthV3ApplicationCredential,
+			)
+		}
+
 		clouds := make(map[string]map[string]*clientconfig.Cloud)
 		clouds["clouds"] = map[string]*clientconfig.Cloud{
 			osmachine.CloudName: cloud,