client-keystone-auth fails with valid domain-scoped novarc or with valid project-scoped novarc with different domains for the project or user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Charmed Kubernetes Bundles | Triaged | Medium | Unassigned |
Bug Description
Hi,
I've deployed K8s 1.20 on top of OpenStack and I needed to enable keystone LDAP integration as described in [1]. The problematic tool is client-
1) "K8s domain", which contained the project I used to deploy Charmed K8s;
2) "LDAP domain", which contained the LDAP users that must be granted access to the K8s cluster, by means of adding role assignments for these users to the K8s project in the K8s domain. This domain doesn't have any projects that the LDAP users have access to.
Keystone supports: a) domain-scoped tokens and b) project-scoped tokens [4]. It seemed logical to use domain-scoped tokens for K8s LDAP authentication, so we started with option a). If we prepare a valid domain-scoped novarc that can be used with the openstack CLI, client-
The workaround is to use 'openstack credentials create <cred_name>' based on the valid project scoped novarc, as client-
OS_APPLICATION_
OS_APPLICATION_
OS_APPLICATION_
Since the charm provides the .kube/config that uses the snapped tool to generate a keystone token, it is not clear from [1] how to deal with the token scoping.
[1] https:/
[2] https:/
[3] https:/
[4] https:/
Targeting this against CK bundles for now, until we have a proper place to file issues for the client-keystone-auth snap.
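Added here as an example (not part of the bug report, the charm or the snap): a small preflight check that sorts a sourced novarc into the cases the report distinguishes, so an operator can tell before touching kubectl whether they are in the domain-scoped or cross-domain project-scoped situation. The OS_* names are the standard OpenStack client environment variables; the pass/fail verdicts only restate what the report says works or fails, not what keystone or client-keystone-auth actually does.

```python
import os

# Standard OpenStack client variable names (keystoneauth env loading); not from the report.
APP_CRED_VARS = ("OS_APPLICATION_CREDENTIAL_ID", "OS_APPLICATION_CREDENTIAL_SECRET")


def _differs(env, a, b):
    """True when both variables are set and disagree."""
    return bool(env.get(a)) and bool(env.get(b)) and env[a] != env[b]


def classify_novarc(env):
    """Map OS_* variables to (scope, works_per_report, reason).

    works_per_report encodes only what the bug description states: domain-scoped
    and cross-domain project-scoped novarcs fail, application credentials work.
    """
    if all(env.get(v) for v in APP_CRED_VARS):
        return "application-credential", True, "reported workaround"
    if env.get("OS_PROJECT_NAME") or env.get("OS_PROJECT_ID"):
        if (_differs(env, "OS_USER_DOMAIN_NAME", "OS_PROJECT_DOMAIN_NAME")
                or _differs(env, "OS_USER_DOMAIN_ID", "OS_PROJECT_DOMAIN_ID")):
            return "project-scoped", False, "user and project are in different domains"
        return "project-scoped", True, "user and project domain match"
    if env.get("OS_DOMAIN_NAME") or env.get("OS_DOMAIN_ID"):
        return "domain-scoped", False, "domain-scoped token"
    return "unscoped", False, "neither OS_PROJECT_* nor OS_DOMAIN_* is set"


def check_current_env():
    """Classify the novarc currently sourced into this process."""
    return classify_novarc({k: v for k, v in os.environ.items() if k.startswith("OS_")})


# Constructed sample novarcs mirroring the report's two-domain layout (placeholder values;
# OS_AUTH_URL, OS_USERNAME and OS_PASSWORD are omitted because they do not affect scope).
CROSS_DOMAIN_NOVARC = {"OS_USER_DOMAIN_NAME": "ldap", "OS_PROJECT_NAME": "k8s",
                       "OS_PROJECT_DOMAIN_NAME": "k8s"}
SAME_DOMAIN_NOVARC = {"OS_USER_DOMAIN_NAME": "k8s", "OS_PROJECT_NAME": "k8s",
                      "OS_PROJECT_DOMAIN_NAME": "k8s"}
DOMAIN_SCOPED_NOVARC = {"OS_USER_DOMAIN_NAME": "ldap", "OS_DOMAIN_NAME": "ldap"}
APP_CRED_NOVARC = {"OS_AUTH_TYPE": "v3applicationcredential",
                   "OS_APPLICATION_CREDENTIAL_ID": "placeholder-id",
                   "OS_APPLICATION_CREDENTIAL_SECRET": "placeholder-secret"}
```

Run `check_current_env()` after sourcing the novarc in question; a `False` verdict means the environment matches one of the failing cases from the report and the application-credential workaround applies.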