kube-keystone.sh script only supports user/pass authentication

Bug #2004195 reported by John-Paul Robinson
Affects: Kubernetes Control Plane Charm
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

The kube-keystone.sh script only supports username and password based authentication to get a token for kubectl login. This does not work when keystone is configured with an external authentication source. That is, when keystone doesn't store usernames and passwords.

kube-keystone.sh should either be responsive to the deployed keystone config or offer an alternative function or function arg to support application credential as opposed to user/pass login.

Relevant documentation for this scenario similar to that for LDAP (https://ubuntu.com/kubernetes/docs/ldap) is needed.

A working get_keystone_token() function for app credentials follows:

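get_keystone_token ()
{
    # Keystone v3 auth request using an application credential instead of user/pass.
    data='{
    "auth": {
        "identity": {
            "methods": [
                "application_credential"
            ],
            "application_credential": {
                "id": "'"${OS_APPLICATION_CREDENTIAL_ID}"'",
                "secret": "'"${OS_APPLICATION_CREDENTIAL_SECRET}"'"
            }
        }
    }
}';
    # The token is returned in the X-Subject-Token response header. Header names are
    # case-insensitive (HTTP/2 sends them lowercase), so match with grep -i.
    # Note: -d "${data}" places the secret on curl's command line.
    token=$(curl -s -i -H "Content-Type: application/json" -d "${data}" "${OS_AUTH_URL}/auth/tokens" | grep -i '^x-subject-token:');
    if [ -z "$token" ]; then
        echo "Invalid authentication information";
    else
        # Keep only the header value and strip the trailing CR/whitespace.
        echo "${token}" | awk -F ': ' '{print $2}' | sed -e 's/[[:space:]]*$//';
    fi
}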
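
One way kube-keystone.sh could support both login styles, as the report asks; this is an added example, not part of the original report or of the charm's script. The helper names (json_escape, keystone_auth_body, extract_subject_token) are hypothetical, and the password-branch variables are the standard OpenStack client names, assumed here rather than taken from kube-keystone.sh.

```bash
#!/usr/bin/env bash
# Added example; not code from kube-keystone.sh or from the bug report.
# Escape backslashes and double quotes for use inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit the Keystone v3 auth body: application credential when its ID is set,
# else a project-scoped password request (env var names are assumptions).
keystone_auth_body() {
    if [ -n "${OS_APPLICATION_CREDENTIAL_ID:-}" ]; then
        printf '{"auth":{"identity":{"methods":["application_credential"],'
        printf '"application_credential":{"id":"%s","secret":"%s"}}}}' \
            "$(json_escape "${OS_APPLICATION_CREDENTIAL_ID}")" \
            "$(json_escape "${OS_APPLICATION_CREDENTIAL_SECRET:-}")"
    else
        printf '{"auth":{"identity":{"methods":["password"],"password":{"user":'
        printf '{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},' \
            "$(json_escape "${OS_USERNAME:-}")" \
            "$(json_escape "${OS_USER_DOMAIN_NAME:-}")" \
            "$(json_escape "${OS_PASSWORD:-}")"
        printf '"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
            "$(json_escape "${OS_PROJECT_NAME:-}")" \
            "$(json_escape "${OS_PROJECT_DOMAIN_NAME:-}")"
    fi
}

# Read response headers on stdin and print the token. The header name is
# matched case-insensitively (HTTP/2 responses use lowercase names) and the
# trailing CR is stripped.
extract_subject_token() {
    awk 'tolower($0) ~ /^x-subject-token:/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }'
}

# The body reaches curl on stdin (--data @-), so the secret never appears in
# curl's argument list; failure is reported on stderr with a non-zero status.
get_keystone_token() {
    local token
    token=$(keystone_auth_body |
        curl -s -D - -o /dev/null -H "Content-Type: application/json" \
             --data @- "${OS_AUTH_URL}/auth/tokens" | extract_subject_token)
    if [ -z "$token" ]; then
        echo "Invalid authentication information" >&2
        return 1
    fi
    printf '%s\n' "$token"
}
```
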

George Kraft (cynerva)
Changed in charm-kubernetes-master:
importance: Undecided → Medium
status: New → Triaged