Remove experimental keystone authenticator #59492
/sig openstack
/assign @FengyunPan
/lgtm
experimental-keystone-url and experimental-keystone-ca-file were always experimental. So we don't need a deprecation period. KeystoneAuthenticator was on the server side and needed userid/password to be passed in and used that to authenticate with Keystone. We now have authentication and authorization web hooks that can be used. There is an external repo with a webhook for keystone which works fine along with the kubectl auth provider that was added in: a0cebcb So we don't need this older style / hard coded / experimental code anymore.
/test pull-kubernetes-unit
/assign @tallclair @liggitt @ericchiang
cc @kubernetes/sig-auth-pr-reviews
I'm in favor of removing this and pointing people to the openstack kubectl auth provider and webhook authenticators. That said, it looks like #39587 was not documented properly. @dims, can you open a documentation pull request against https://kubernetes.io/docs/admin/authentication/ removing the keystone password section, and adding a subsection under "Webhook Token Authentication" that details configuration of kubectl with the openstack auth provider?
@liggitt I opened a WIP PR so I remember to do this - kubernetes/website#7304
@liggitt I'll be moving the personal repo into a git repo in the OpenStack foundation, so there's a pre-req before I wrap up the documentation PR, so it has the right info.
The kubectl side should be documented now. Your webhook authenticator is one possible option for turning keystone tokens into userinfo, and could be referenced as an example, without being positioned as the one true keystone webhook token authenticator (even once it is in the openstack foundation, alternative user mappings could be achieved through alternate webhooks).
@liggitt got it!
Is this targeted for 1.10?
cc @kubernetes/sig-openstack-pr-reviews
/lgtm
Good to see this gone...
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anguslees, dims, hogepodge, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these OWNERS Files:
Approvers can indicate their approval by writing
/test all [submit-queue is verifying that this PR is safe to merge]
/test pull-kubernetes-bazel-test
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.
What this PR does / why we need it:
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is an external repo with a webhook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb
So we don't need this older style / hard coded / experimental code
anymore.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged): Fixes #
Special notes for your reviewer:
Release note:
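The webhook token exchange that this PR names as the replacement for the password-based authenticator, sketched as an added example; it is not code from this pull request, from Kubernetes, or from the external Keystone webhook. The structs are a local mirror of the TokenReview fields involved, `Validator`, `Review`, the token and the user values are hypothetical, and HTTP/TLS serving is left out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local mirror of the TokenReview fields used in the webhook exchange.
type UserInfo struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups,omitempty"`
}

type TokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct{ Token string `json:"token,omitempty"` } `json:"spec"`
	Status     struct {
		Authenticated bool      `json:"authenticated"`
		User          *UserInfo `json:"user,omitempty"`
	} `json:"status"`
}

// Validator is a hypothetical stand-in for the identity-service token lookup.
type Validator func(token string) (*UserInfo, bool)

// Review answers one TokenReview request body. It fails closed: only a
// non-empty token the validator accepts yields authenticated=true, and the
// bearer token is not echoed back. No user password is involved at any point.
func Review(validate Validator, body []byte) (TokenReview, error) {
	var in, out TokenReview
	if err := json.Unmarshal(body, &in); err != nil || in.Kind != "TokenReview" {
		return out, fmt.Errorf("expected a TokenReview object")
	}
	out.APIVersion, out.Kind = in.APIVersion, in.Kind
	if user, ok := validate(in.Spec.Token); ok && user != nil && in.Spec.Token != "" {
		out.Status.Authenticated, out.Status.User = true, user
	}
	return out, nil
}

func main() {
	// Constructed token and identity, for illustration only.
	v := func(t string) (*UserInfo, bool) {
		return &UserInfo{Username: "demo-user", Groups: []string{"demo-project"}}, t == "constructed-token"
	}
	out, err := Review(v, []byte(`{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","spec":{"token":"constructed-token"}}`))
	reply, _ := json.Marshal(out)
	fmt.Println(string(reply), err)
}
```

Swapping the `Validator` is where an alternative user mapping would go: the same token can be turned into different usernames and groups without touching the API server.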