Authorize nova created ipa account to access Vault

Not sure what you have in mind here. The nova interaction with IPA via novajoin is to manage IPA host entries when nova instances are created or destroyed.

What would you have nova do with the vault?

Hello Rob,

Here's some context:
I'm coding a script that will allow to get a let's encrypt certificate and share it between the controllers for CloudDomain domain.

Thus, it would be good if the overcloud nodes could access Vault service using the keytab they get when registered in IPA using the novajoin on the undercloud.

That way, my script will be able to:
- securely access the secret storage containing private key, certificate and chain
- ensure accesses are authenticated (with the keytab)
- ensure the authenticated principal is allowed to access the vault

Plus, doing so would prevent the need to get a standalone custodia running somewhere.

Does it make sense?

Cheers,

C.

I guess it depends on what operations you want the novajoin user to be able to perform.

In the broadest case you could create a new role in IPA and add the privilege 'Vault Administrators' and assign the nova service principal. I think this should do it:

$ ipa role-add 'Vault Access'
$ ipa role-add-privilege 'Vault Access' --privilege 'Vault Administrators'
$ ipa role-add-member 'Vault Access' --service nova/undercloud.example.com

This would allow the nova keytab to manage vaults.

If you wanted to limit the operations you'd need to create a more targeted privilege and add th at to some role.

Hmm yep. That's for the undercloud rights - for the overcloud, I think it would be a bit less "admin": undercloud might create a sharedVault and add the roles it creates for the hosts to that shared vault. That would be the smartest.

Could that feature be added to novajoin?

Cheers,

C.

Hi Cédric,

I don't know if you have heard about Castellan: https://wiki.openstack.org/wiki/Castellan, but we are developing two new drivers for it: the first one for Vault: https://review.openstack.org/#/c/483080/ and we are planning to develop another one for Custodia, that will be very similar to that one.

So I just didn't understand so much how that interaction between Vault and Custodia works for your use case, but can you confirm that drivers will cover what you want or do you need any extra feature for that?

Cheers,

Hello Raildo,

Oh, nope, I wasn't aware of that Castellan, though I know a bit about Barbican.

Just so that you know: Custodia is the internal backend of IPA Vault service - my intend is "just" to be able to access IPA Vault using the novajoin generated principals on the openstack Controllers.

Please note that I'm mainly speaking about TripleO deployment, meaning the "secret storage" service (whatever it is) must be either external to the tripleO env (like an already running FreeIPA), or existing on the undercloud (like a local Custodia running on the undercloud server - my first iteration).
Hence, Castellan should be available from the overcloud-full image and so on.

Thanks for the pointer to that possibility, I'll keep an eye on the project :).

Cheers,

C.

oh and I'm speaking about IPA Vault, not the Hashicorp Vault thinggy. Of course, projects having the same name are a trend ;).

Cheers,

C.