OpenStack Exporter
- Canonical BootStack Charmers
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/stable | 31 | 05 Sep 2024 | |
latest/candidate | 31 | 05 Sep 2024 | |
latest/edge | 39 | 11 Dec 2024 | |
juju deploy openstack-exporter
Security
The charm integrates with Keystone over the keystone-admin interface, which provides admin credentials for the OpenStack deployment. These admin credentials are written to disk on the charm unit at /var/snap/charmed-openstack-exporter/common/clouds.yaml (the file is owned by root, writable by root only, and readable by everyone).
By default, the connection between openstack-exporter and the OpenStack APIs is not encrypted. Encryption must be configured from the Keystone side; see the TLS section of "Deploy Keystone using Charmhub" on Charmhub. If a custom CA is used, the user may need to manually set the ssl_ca option on this openstack-exporter charm.
Openstack-exporter provides an HTTP web service for Prometheus to scrape. This service listens on all interfaces at a port configurable by the port charm option (defaults to 9180). The exporter itself has experimental support for TLS encryption and authentication; however, this feature is not yet supported by the charm.
Risks
- Openstack-exporter operates with admin permissions on the cloud. The exporter is not designed to make changes to the cloud, but it technically has permission to do anything.
- The exporter exposes metrics about the OpenStack deployment, which may be sensitive, on an unsecured HTTP server. Care should be taken to restrict network access to the machine.
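A quick audit of the two exposures described above, as an added example that is not part of the charm: it reports whether the credentials file is readable by other local users and whether the metrics port is bound to all interfaces. The path and port are the defaults stated on this page; the function names and the `audit` argument are hypothetical.

```shell
#!/bin/sh
# Added audit sketch, not part of the charm. Defaults below are the path and
# port stated on this page; function names are hypothetical.
CLOUDS_YAML=/var/snap/charmed-openstack-exporter/common/clouds.yaml
EXPORTER_PORT=9180

# Classify a credentials file: "missing", "world-readable" or "restricted".
creds_exposure() {
    [ -e "$1" ] || { echo missing; return 0; }
    # find -perm -004 matches only when the "other" read bit is set.
    if [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo world-readable
    else
        echo restricted
    fi
}

# Read `ss -ltnH` output on stdin and print "<address> <scope>" for every
# listener on the given port. Wildcard binds are reachable on any interface.
listen_scope() {
    awk -v port="$1" '{
        n = split($4, part, ":")            # $4 is Local Address:Port
        if (part[n] != port) next
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        wild = (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
        print addr, (wild ? "all-interfaces" : "specific-address")
    }'
}

# Run on the charm unit with: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    echo "clouds.yaml: $(creds_exposure "$CLOUDS_YAML")"
    ss -ltnH | listen_scope "$EXPORTER_PORT"
fi
```

A result of world-readable means any local account on the unit can read the admin credentials, and all-interfaces means the metrics endpoint must be restricted by network controls outside the exporter.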
Information security
Openstack-exporter metrics include metadata of OpenStack resources, such as load balancers, VMs, and subnets.