Keystone K8s Authentication Operator

  • Canonical Kubernetes
Channel Revision Published Runs on
latest/stable 12 04 Sep 2024
Ubuntu 22.04 Ubuntu 20.04
latest/edge 12 20 Aug 2024
Ubuntu 22.04 Ubuntu 20.04
juju deploy keystone-k8s-auth
Show information

Platform:

Ubuntu
22.04 20.04

keystone-k8s-auth

null

Description

This charmed operator manages the Keystone K8s Auth component of the OpenStack Cloud Provider.

Usage

The charm requires keystone credentials and connection information, which can be provided via the keystone relation from the Keystone charm.

Deployment

The full process

juju deploy charmed-kubernetes
juju config kubernetes-control-plane allow-privileged=true
juju deploy keystone-k8s-auth
juju integrate keystone-k8s-auth:certificates easyrsa:client
juju integrate keystone-k8s-auth:kube-control kubernetes-control-plane:kube-control
juju integrate keystone-k8s-auth:keystone     keystone:identity-credentials
juju integrate keystone-k8s-auth:juju-info    kubernetes-control-plane:juju-info

You must also tell the cluster on which it is deployed that it will be acting as an authentication and authorization provider. For Charmed Kubernetes, you’ll need to configure the auth settings

Optional Configuration

release

This charm comes packed with support for multiple versions of the keystone-k8s-auth deployment. By default it will choose the latest if unspecified, but can be specifically tuned if desired to an existing known release at the time of the charm build.

One can list which release are available in the charm using the action:

juju run keystone-k8s-auth list-versions

keystone-ssl-ca

This charm by default will pick up the root ca from the certificates relation in order to contact keystone if it is using https. If keystone exists in another model, one may override the keystone CA certificate using this configuration.

juju config keystone-k8s-auth keystone-ssl-ca=$(cat /path/to/ca.cert)

replicas

This charm by default will install 2 replica pods in the deployment, but this be changed for less or more pods are required.

juju config keystone-k8s-auth replicas=1

Authentication or Authorization

# find the service ip in the cluster, apply as the authn webhook
service_url=$(juju run keystone-k8s-auth/leader get-service-url | yq '.service-url')
juju config kubernetes-control-plane authn-webhook-endpoint="${service_url}"

Authorization

For authorization, you’ll need to build a webhook_config file.

juju run keystone-k8s-auth/leader generate-webhook-config | yq '.webhook-config' > webhook
juju config kubernetes-control-plane authorization-webhook-config-file="$(cat webhook)"
juju config kubernetes-control-plane authorization-mode="Node,Webhook,RBAC"

Removing

Before removing, ensure the control-plane is ignoring the service

juju config kubernetes-control-plane \
    --reset authorization-webhook-config-file \
    --reset authorization-mode \
    --reset authn-webhook-endpoint
juju remove-application keystone-k8s-auth

Contributing

Please see the Juju SDK docs for guidelines on enhancements to this charm following best practice guidelines, and CONTRIBUTING.md for developer guidance.


Help improve this document in the forum (guidelines). Last updated 5 months ago.