This charmed operator manages the Keystone K8s Auth component of the OpenStack Cloud Provider.
The charm requires keystone credentials and connection information, which
can be provided via the keystone relation from the Keystone charm.
juju deploy charmed-kubernetes
juju config kubernetes-control-plane allow-privileged=true
juju deploy keystone-k8s-auth
juju integrate keystone-k8s-auth:certificates easyrsa:client
juju integrate keystone-k8s-auth:kube-control kubernetes-control-plane:kube-control
juju integrate keystone-k8s-auth:keystone keystone:identity-credentials
juju integrate keystone-k8s-auth:juju-info kubernetes-control-plane:juju-info

You must also tell the cluster on which it is deployed that it will be acting as an authentication and authorization provider. For Charmed Kubernetes, you'll need to configure the auth settings.

release

This charm comes packed with support for multiple versions of the keystone-k8s-auth deployment. If unspecified, it chooses the latest by default, but it can be set to a specific release that was known at the time of the charm build.
One can list which releases are available in the charm using the action:
juju run keystone-k8s-auth list-versions

keystone-ssl-ca

This charm by default will pick up the root CA from the certificates relation in order to
contact keystone if it is using HTTPS. If keystone exists in another model, one may override
the keystone CA certificate using this configuration.
juju config keystone-k8s-auth keystone-ssl-ca="$(cat /path/to/ca.cert)"

replicas

This charm by default will install 2 replica pods in the deployment, but this can be changed if fewer or more pods are required.
juju config keystone-k8s-auth replicas=1

# find the service IP in the cluster, apply as the authn webhook
service_url=$(juju run keystone-k8s-auth/leader get-service-url | yq '.service-url')
juju config kubernetes-control-plane authn-webhook-endpoint="${service_url}"

For authorization, you'll need to build a webhook_config file.
juju run keystone-k8s-auth/leader generate-webhook-config | yq '.webhook-config' > webhook
juju config kubernetes-control-plane authorization-webhook-config-file="$(cat webhook)"
juju config kubernetes-control-plane authorization-mode="Node,Webhook,RBAC"

Before removing, ensure the control plane is ignoring the service:
juju config kubernetes-control-plane \
--reset authorization-webhook-config-file \
--reset authorization-mode \
--reset authn-webhook-endpoint
juju remove-application keystone-k8s-auth

Please see the Juju SDK docs for best-practice guidelines on enhancements to this charm, and CONTRIBUTING.md for developer guidance.
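
The webhook file written in the authorization step can be sanity-checked before it is applied to kubernetes-control-plane. The script below is an added example, not part of the charm or its documentation; it assumes the file is kubeconfig-style YAML (the format kube-apiserver reads for an authorization webhook), and check_webhook_config and the sample contents are hypothetical.

```shell
#!/usr/bin/env bash
# Pre-flight check for the file written by generate-webhook-config.
# Assumption: the file is kubeconfig-style YAML. check_webhook_config is a
# hypothetical helper, not something the charm ships.
# Returns 0 = ok, 1 = do not apply, 2 = applies but TLS verification is off.
check_webhook_config() {
  local file="$1" server rc=0
  if [ ! -s "$file" ] || [ "$(tr -d '[:space:]' < "$file")" = "null" ]; then
    # yq prints the literal string "null" when the requested key is absent
    echo "FAIL: $file is empty or the action returned no webhook-config"
    return 1
  fi
  # First "server:" entry is the endpoint the API server will call
  server=$(awk '$1 == "server:" { print $2; exit }' "$file" | tr -d "\"'")
  case "$server" in
    https://*) echo "ok: webhook server is $server" ;;
    "")        echo "FAIL: no cluster server entry"; rc=1 ;;
    *)         echo "FAIL: $server is not an https URL"; rc=1 ;;
  esac
  if grep -Eq '^[[:space:]-]*insecure-skip-tls-verify:[[:space:]]*true' "$file"; then
    echo "WARN: TLS verification of the webhook is disabled"
    [ "$rc" -eq 0 ] && rc=2
  fi
  return "$rc"
}

# Constructed sample, not real charm output.
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: v1
kind: Config
clusters:
  - name: webhook
    cluster:
      server: https://10.152.183.10:8443/webhook
      certificate-authority-data: Q09OU1RSVUNURUQ=
EOF
check_webhook_config "$sample" && echo "safe to apply"
rm -f "$sample"
```

Run the function against the webhook file before setting authorization-webhook-config-file; exit status 1 means do not apply it, and 2 means review the TLS setting first.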