No way to provide Keystone credentials via config to kubernetes-master for k8s-keystone-auth

Bug #1834164 reported by Dmitrii Shcherbakov
Affects: Kubernetes Control Plane Charm
Status: Fix Released
Importance: Wishlist
Assigned to: Cory Johns

Bug Description

There is currently a requirement to have a relation between charm-keystone and charm-kubernetes-master.
https://ubuntu.com/kubernetes/docs/ldap
https://github.com/charmed-kubernetes/charm-kubernetes-master/blob/master/reactive/kubernetes_master.py#L969-L979

This assumes that Keystone is deployed in the same model with K8s. Alternatively, if Kubernetes is deployed on top of OpenStack, the need for a relation imposes network connectivity requirements between a Kubernetes Juju controller and an underlying OpenStack Juju controller - in some environments this cannot be done for various reasons (e.g. customer policy).

With charm-openstack-integrator there is a way to use Keystone credentials either from config or via Juju trust. However, those credentials cannot be exposed in a manner usable by kubernetes-master:keystone-credentials endpoint.

It would make sense to have a way to use credentials obtained from openstack-integrator to also configure k8s-keystone-auth which would allow a Kubernetes deployment to avoid using a CMR relation to a controller of the underlying cloud.

Tags: cpe-onsite
Tim Van Steenburgh (tvansteenburgh) wrote:
tags: added: review-needed
Changed in charm-kubernetes-master:
status: New → In Progress
Cory Johns (johnsca) wrote:

Dmitrii, I'd just like clarification on the network restriction issue. Is it the case that the policy disallows the two Juju controllers to talk to each other, thus preventing CMR, but does allow both the openstack-integrator and kubernetes-worker units to talk directly to Keystone?

Dmitrii Shcherbakov (dmitriis) wrote:

Cory, yes, that's correct. Keystone typically has a public API accessible from instances which is not the same for the underlying Juju controller.

Cory Johns (johnsca) wrote:
Changed in charm-kubernetes-master:
milestone: none → 1.19+ck1
assignee: nobody → Cory Johns (johnsca)
importance: Undecided → Wishlist
Cory Johns (johnsca) wrote:

The keystone-credentials interface layer will also need to be backported for this change: https://review.opendev.org/#/c/747970/

Changed in charm-kubernetes-master:
status: In Progress → Fix Committed
tags: removed: review-needed
tags: added: backport-needed
tags: removed: backport-needed
Changed in charm-kubernetes-master:
status: Fix Committed → Fix Released