Remove experimental keystone authenticator #59492
Conversation
k8s-ci-robot
added
do-not-merge/release-note-label-needed
k8s-ci-robot
added
release-note
|
/sig openstack |
k8s-ci-robot
added
the
area/provider/openstack
|
/assign @FengyunPan |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
dims
force-pushed
the
remove-old-keystone-authenticator
branch
from
09adfee
to
49784d2
Compare
k8s-github-robot
removed
the
lgtm
experimental-keystone-url and experimental-keystone-ca-file were always experimental. So we don't need a deprecation period. KeystoneAuthenticator was on the server side and needed userid/password to be passed in and used that to authenticate with Keystone. We now have authentication and authorization web hooks that can be used. There is a external repo with a webook for keystone which works fine along with the kubectl auth provider that was added in: a0cebcb So we don't need this older style / hard coded / experimental code anymore.
dims
force-pushed
the
remove-old-keystone-authenticator
branch
from
49784d2
to
1859037
Compare
|
/test pull-kubernetes-unit |
|
/assign @tallclair @liggitt @ericchiang |
|
cc @kubernetes/sig-auth-pr-reviews |
k8s-ci-robot
added
the
sig/auth
|
I'm in favor of removing this and pointing people to the openstack kubectl auth provider and webhook authenticators. That said, it looks like #39587 was not documented properly. @dims, can you open a documentation pull request against https://kubernetes.io/docs/admin/authentication/ removing the keystone password section, and adding a subsection under "Webhook Token Authentication" that details configuration of kubectl with the openstack auth provider? |
liggitt
added
release-note-action-required
|
@liggitt i opened a WIP PR so i remember to do this - kubernetes/website#7304 |
|
@liggitt i'll be moving the personal repo into a git repo in the OpenStack foundation, so there's a pre-req before i wrap up the documentation PR. so it has the right info |
the kubectl side should be documented now. your webhook authenticator is one possible option for turning keystone tokens into userinfo, and could be referenced as an example, without being positioned as the one true keystone webhook token authenticator (even once it is in the openstack foundation, alternative user mappings could be achieved through alternate webhooks) |
|
@liggitt got it! |
|
Is this targeted for 1.10? |
|
cc @kubernetes/sig-openstack-pr-reviews |
k8s-ci-robot
added
the
lgtm
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anguslees, dims, hogepodge, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these OWNERS Files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
/test pull-kubernetes-bazel-test |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb
So we don't need this older style / hard coded / experimental code
anymore.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Release note: