[wishlist] Ability to disable charm management of keystone-policy
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Kubernetes Control Plane Charm | New | Undecided | Unassigned | | |
Bug Description
Given a scenario where a CDK cluster is utilizing a Keystone relation for Identity management, and the management of the juju undercloud is handled by a different team/organization (i.e. Bootstack), the administrator of the CDK and Keystone clusters may want the ability to manage the policy-map of roles/projects to verbs/resources without juju control over that resource within the live Kubernetes cluster.
Can we document or enable a feature to set that to blank, or some "not-juju-managed" sentinel value to allow juju to assume that a default or better policy-map object has been manually, or previously installed into the cluster?
This would allow for the keystone and cluster admin to be able to add/remove role definitions on the fly with those APIs without having access to juju.