OpenStack Exporter

  • Canonical BootStack Charmers
Channel Revision Published Runs on
latest/stable 31 05 Sep 2024
Ubuntu 22.04
latest/candidate 31 05 Sep 2024
Ubuntu 22.04
latest/edge 39 11 Dec 2024
Ubuntu 22.04
juju deploy openstack-exporter
Show information

Platform:

Ubuntu
22.04

Security

The charm integrates with Keystone over the keystone-admin interface, which provides admin credentials for the OpenStack deployment. These admin credentials are written to disk on the charm unit at /var/snap/charmed-openstack-exporter/common/clouds.yaml (file is owned by root, writable by root only, readable by everyone).

By default, the connection between openstack-exporter and the openstack APIs is not encrypted. To configure encryption, this must be done from the keystone side; see Charmhub | Deploy Keystone using Charmhub - The Open Operator Collection (TLS section). The user may need to manually set the ssl_ca option on this openstack-exporter charm if a custom CA is used.

Openstack-exporter provides a HTTP web service for prometheus to scrape. This service listens on all interfaces at a port configurable by the port charm option (defaults to 9180). The exporter itself has experimental support for TLS encryption and authentication; however, this feature is not yet supported by the charm.

Risks

  • Openstack-exporter operates with admin permissions on the cloud. The exporter is not designed to make changes to the cloud, but it technically has permission to do anything.
  • The exporter exposes metrics on an unsecured http server about the openstack deployment that may be sensitive. Care should be taken to restrict network access to the machine.

Information security

Openstack-exporter metrics include metadata of OpenStack resources, such as loadbalancers, vms, and subnets.