Add framework for generating keystone trust

Registered by hongbin

Magnum needs a framework to generate keystone trusts, which will be injected into bay nodes (which are nova instances). A bay node will use keystone trusts to authenticate itself to an OpenStack service (Swift, Barbican, Neutron, etc.). The reason for using a keystone trust (not username/password) is that the scope of the trust can be limited to some extent (e.g. scoped to a specific service, assigned a specific role, etc.).

There are three potential use cases of keystone trust:
1. TLS support [1]: A kubernetes bay might need to store/retrieve secrets from barbican.
2. Docker registry v2 support [2]: A bay needs to store docker images in swift.
3. External load balancer [3]: A kubernetes bay needs to talk to neutron for external load balancing.

[1] https://review.openstack.org/#/c/194905/
[2] https://blueprints.launchpad.net/magnum/+spec/registryv2-in-master
[3] https://blueprints.launchpad.net/magnum/+spec/external-lb
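
The scope limits described above, as an added example that is not part of the blueprint or of Magnum's code: it builds the request body for Keystone's `POST /v3/OS-TRUST/trusts` with one role, a project and an expiry, and audits a trust body for scope broader than the use case needs. The role name `bay_secret_reader`, the IDs and the audit rules are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

BROAD_ROLES = {"admin"}  # assumption: roles a bay node should never be delegated


def build_trust_request(trustor_id, trustee_id, project_id, role_names,
                        ttl_hours=24, now=None):
    """Body for POST /v3/OS-TRUST/trusts that delegates only role_names."""
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(hours=ttl_hours)
    return {"trust": {
        "trustor_user_id": trustor_id,   # user who delegates
        "trustee_user_id": trustee_id,   # identity used by the bay node
        "project_id": project_id,        # trust is valid in this project only
        "impersonation": False,
        "allow_redelegation": False,     # trustee cannot pass the trust on
        "roles": [{"name": r} for r in role_names],
        "expires_at": expires.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
    }}


def audit_trust(body, allowed_roles):
    """Return findings for a trust that is broader than the use case needs."""
    trust = body.get("trust", {})
    names = {r.get("name", "") for r in trust.get("roles", [])}
    findings = []
    if not names:
        findings.append("no roles listed")
    for name in sorted(names - set(allowed_roles)):
        findings.append(f"role not needed by use case: {name}")
    for name in sorted(names & BROAD_ROLES):
        findings.append(f"broad role delegated: {name}")
    if not trust.get("expires_at"):
        findings.append("trust never expires")
    if trust.get("allow_redelegation"):
        findings.append("redelegation allowed")
    if not trust.get("project_id"):
        findings.append("trust not scoped to a project")
    return findings


if __name__ == "__main__":
    # Constructed IDs; use case 1 (TLS support) with a hypothetical role name.
    ok = build_trust_request("user-1", "bay-1", "proj-1", ["bay_secret_reader"])
    print(audit_trust(ok, ["bay_secret_reader"]))    # narrow trust: no findings
    wide = {"trust": {"roles": [{"name": "admin"}], "allow_redelegation": True}}
    print(audit_trust(wide, ["bay_secret_reader"]))  # every rule fires
```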

Blueprint information

Status: Complete
Approver: hongbin
Priority: Undefined
Drafter: hongbin
Direction: Approved
Assignee: Hua Wang
Definition: New
Series goal: Accepted for liberty
Implementation: Implemented
Milestone target: liberty-3
Started by: Hua Wang
Completed by: Hua Wang

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/generate-keystone-trust,n,z

Addressed by: https://review.openstack.org/218699
    [WIP] Generate keystone trust

Addressed by: https://review.openstack.org/222114
    Add v3 domain in context

Addressed by: https://review.openstack.org/234035
    Remove auth_url and is_public_api from context
