Kubernetes Control Plane Charm

kube-keystone.sh script only supports user/pass authentication

Bug #2004195 reported by John-Paul Robinson on 2023-01-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Kubernetes Control Plane Charm	Triaged	Medium	Unassigned

Bug Description

The kube-keystone.sh script only supports username and password based authentication to get a token for kubectl login. This does not work when keystone is configured with an external authentication source. That is, when keystone doesn't store usernames and passwords.

kube-keystone.sh should either be responsive to the deployed keystone config or offer an alternative function or function arg to support application credential as opposed to user/pass login.

Relevant documentation for this scenario similar to that for LDAP (https://ubuntu.com/kubernetes/docs/ldap) is needed.

A working get_keystone_token() function for app credentials follows:

get_keystone_token ()
{
    data='{
    "auth": {
        "identity": {
            "methods": [
                "application_credential"
            ],
            "application_credential": {
                "id": "'"${OS_APPLICATION_CREDENTIAL_ID}"'",
                "secret": "'"${OS_APPLICATION_CREDENTIAL_SECRET}"'"
            }
        }
    }
}';
    token=$(curl -s -i -H "Content-Type: application/json" -d "${data}" "${OS_AUTH_URL}/auth/tokens" |grep 'X-Subject-Token');
    if [ -z "$token" ]; then
        echo "Invalid authentication information";
    else
        echo $(echo ${token} | awk -F ': ' '{print $2}' | sed -e 's/[[:space:]]*$//');
    fi
}

George Kraft (cynerva) on 2023-02-01

Changed in charm-kubernetes-master:
importance:	Undecided → Medium
status:	New → Triaged

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.