Pluggable credential storage
Right now Ironic is responsible for storing the credentials used by the IPMI and SSH drivers (and potentially other drivers in the future). This task should be delegated to Keystone (and/or Barbican in the future), since that is the OpenStack service responsible for this sort of thing.
This blueprint proposes teaching Ironic how to store credentials in other services, such as Keystone's v3/credentials API and Barbican, so that a node holds only a reference to the credential rather than the credential itself.
Blueprint information
- Status:
- Not started
- Approver:
- None
- Priority:
- Undefined
- Drafter:
- Lucas Alvares Gomes
- Direction:
- Needs approval
- Assignee:
- Lucas Alvares Gomes
- Definition:
- New
- Series goal:
- None
- Implementation:
- Unknown
- Milestone target:
- None
- Started by
- Completed by
Whiteboard
With this approach Nodes will only store a reference to the credential in Keystone, and in the case where someone needs to update a credential that is shared across many nodes, it only needs to be updated once, in one place.
Using Keystone to store the credentials will also affect the blueprint: https:/
Lucas
Have you considered using Barbican for key storage instead?
https:/
-Doug Mendizabal
I think Barbican is good for this task.
Some points:
1) Ironic creates a "generic" type container and stores its ref in the DB for a node.
2) Container creation and content look like [1].
3) The container should contain the uuid of the node, to prevent ref manipulation in the Ironic DB.
4) The top level of the container should contain the list of refs.
[1] Example:
POST v1/containers
Header: content-
{
"type": "generic",
"node": "<uuid_of_node>",
"secret_refs": [
{
"name": "driver_
},
{
"name": "some_key"
},
{
"name": "passphrase"
}
]
}
TODO: make it pluggable?
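The following is an added example and is not code from Ironic, Barbican, or any commenter above. It models the container layout proposed in [1] and the check that point 3 is asking for: the node uuid is bound into the container, so a credential ref in the Ironic DB that has been repointed at another node's container is rejected before any secret is used. The in-memory `FakeBarbican` class stands in for the Barbican API, the `secret_ref` field on each entry, the function names and the example URLs are assumptions for illustration only.

```python
"""Added example (not Ironic's or Barbican's code): build the proposed
"generic" container body and verify the node uuid before using its secrets.
FakeBarbican is a constructed stand-in for the real service."""
import uuid
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Node:
    """Minimal stand-in for an Ironic node row: only the Barbican ref is stored."""
    uuid: str
    credential_ref: Optional[str] = None


class FakeBarbican:
    """Constructed in-memory replacement for the Barbican secrets/containers API."""

    def __init__(self):
        self._secrets: Dict[str, str] = {}
        self._containers: Dict[str, dict] = {}

    def store_secret(self, payload: str) -> str:
        ref = "https://barbican.example/v1/secrets/%s" % uuid.uuid4()  # assumed URL
        self._secrets[ref] = payload
        return ref

    def create_container(self, body: dict) -> str:
        ref = "https://barbican.example/v1/containers/%s" % uuid.uuid4()  # assumed URL
        self._containers[ref] = body
        return ref

    def get_container(self, ref: str) -> dict:
        return self._containers[ref]

    def get_secret(self, ref: str) -> str:
        return self._secrets[ref]


def build_container(node_uuid: str, secret_refs: Dict[str, str]) -> dict:
    """Body of POST v1/containers as proposed: generic type, the owning node's
    uuid, and the list of secret refs at the top level."""
    return {
        "type": "generic",
        "node": node_uuid,
        "secret_refs": [{"name": name, "secret_ref": ref}
                        for name, ref in secret_refs.items()],
    }


def store_credentials(barbican: FakeBarbican, node: Node, creds: Dict[str, str]) -> str:
    """Push each credential as a secret, wrap the refs in a container bound to
    the node, and keep only the container ref on the node."""
    refs = {name: barbican.store_secret(value) for name, value in creds.items()}
    node.credential_ref = barbican.create_container(build_container(node.uuid, refs))
    return node.credential_ref


class CredentialMismatch(Exception):
    """Raised when the container does not belong to the node that references it."""


def load_credentials(barbican: FakeBarbican, node: Node) -> Dict[str, str]:
    """Resolve a node's credentials, refusing a container that is not generic
    or whose embedded node uuid differs from the node asking for it."""
    container = barbican.get_container(node.credential_ref)
    if container.get("type") != "generic":
        raise CredentialMismatch("unexpected container type %r" % container.get("type"))
    if container.get("node") != node.uuid:
        raise CredentialMismatch("container belongs to node %r, not %r"
                                 % (container.get("node"), node.uuid))
    return {entry["name"]: barbican.get_secret(entry["secret_ref"])
            for entry in container["secret_refs"]}


def demo() -> bool:
    """Two nodes with their own containers; node B's DB row is then repointed
    at node A's container. Returns True when the tampered ref is rejected."""
    barbican = FakeBarbican()
    node_a = Node(str(uuid.uuid4()))
    node_b = Node(str(uuid.uuid4()))
    store_credentials(barbican, node_a, {"ipmi_username": "admin", "ipmi_password": "a-pass"})
    store_credentials(barbican, node_b, {"ipmi_username": "admin", "ipmi_password": "b-pass"})
    assert load_credentials(barbican, node_a)["ipmi_password"] == "a-pass"
    node_b.credential_ref = node_a.credential_ref  # simulated DB tampering
    try:
        load_credentials(barbican, node_b)
    except CredentialMismatch:
        return True
    return False


if __name__ == "__main__":
    print("tampered ref rejected:", demo())
```

The uuid check only helps if the Barbican container is not writable by whoever can edit the Ironic DB row, so the container should be created under Ironic's own Barbican tenant rather than the operator's; that is the trust boundary the proposal relies on.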
Gerrit topic: https:/
Addressed by: https:/
Add pluggable credentials storage
Addressed by: https:/
Add pluggable credentials storage
Addressed by: https:/
Add credentials migration script.
Work Items
Dependency tree
![](deptree.png)
* Blueprints in grey have been implemented.