Charm managed basic_auth.csv needs non-juju/ssh management method
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Kubernetes Control Plane Charm |
Triaged
|
Undecided
|
Unassigned |
Bug Description
The management of basic_auth.csv for access to CDK dashboards/metrics via "juju ssh kubernetes-
I see that there is the ability to relate to a Keystone infrastructure for external user management, but that is a bit heavy handed if not using an openstack environment as you must now have a database and rabbitmq environment stood up for keystone to be supported.
We need to solve managing the basic_auth.csv file without requiring ssh/root access to the underlying juju units.
Also, we need ways to ensure that the management of this file allows for undercloud users that should not be managable via the overcloud admins. For instance, we create a cloudadmin account for overcloud Customers, but retain the admin account for Bootstack usage. cloudadmin account should not be able to manage the admin account's entry in basic_auth.csv, as this is tied into juju access to kubernetes.
Changed in charm-kubernetes-master: | |
status: | New → Triaged |
As a note, I had considered using juju actions for this, but that still doesn't honor the undercloud/ overcloud privilege separation we use in our managed service offerings, however, an action would make it a much easier process for undercloud operators.