Story
Resolution: Done
Normal
openshift-4.13
ShiftStack Sprint 233, ShiftStack Sprint 234
The installer expects a platform.openstack.cloud setting to exist in install-config.yaml when deploying on OpenStack platforms. This setting names the cloud to use from a clouds.yaml file. The installer loads the relevant cloud config from this file and uses it to generate Secrets for multiple operators that need access to the cloud, such as the Cluster Cloud Controller Manager Operator (CCCMO) or OpenStack Cinder CSI Driver Operator.
The cloud configuration from clouds.yaml is mirrored directly, so if the cloud in the clouds.yaml file uses a username/password combination, those credentials are propagated through to the operators and underlying services. This can be problematic if these credentials ever need to be rotated. Unlike application credentials, it is not possible to have multiple passwords for one user. This means the secret needs to be updated and you need to wait while the operators restart or otherwise pick up the changes. This can result in some downtime, as the old credentials will no longer be valid in the interim period.
We can avoid this by encouraging use of application credentials. This story tracks an effort to emit a warning in the installer, encouraging the user to migrate from a username/password combo to application credentials.
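One way such a check could look, as an added Go example that is not the installer's own code. The Cloud and AuthInfo types and the passwordAuthWarning function are hypothetical, and clouds.yaml is assumed to be already parsed into them.

```go
package main

import "fmt"

// AuthInfo holds the clouds.yaml "auth" keys relevant to this check.
// Hypothetical type for this example, not the installer's own.
type AuthInfo struct {
	Username                    string
	Password                    string
	ApplicationCredentialID     string
	ApplicationCredentialName   string
	ApplicationCredentialSecret string
}

// Cloud is one entry under "clouds:" in clouds.yaml (hypothetical type).
type Cloud struct {
	Auth AuthInfo
}

// passwordAuthWarning returns a non-empty warning when the cloud named by
// platform.openstack.cloud authenticates with a username/password.
func passwordAuthWarning(cloudName string, clouds map[string]Cloud) (string, error) {
	c, ok := clouds[cloudName]
	if !ok {
		return "", fmt.Errorf("cloud %q not found in clouds.yaml", cloudName)
	}
	a := c.Auth
	// An application credential needs a secret plus either an ID or a name.
	usesAppCred := a.ApplicationCredentialSecret != "" &&
		(a.ApplicationCredentialID != "" || a.ApplicationCredentialName != "")
	if usesAppCred || a.Password == "" {
		return "", nil
	}
	return fmt.Sprintf("cloud %q uses username/password authentication; "+
		"these credentials are mirrored into cluster Secrets and cannot be rotated "+
		"without an interim outage, consider application credentials", cloudName), nil
}

func main() {
	// Constructed sample data standing in for a parsed clouds.yaml.
	clouds := map[string]Cloud{
		"legacy": {Auth: AuthInfo{Username: "installer", Password: "example-only"}},
		"appcred": {Auth: AuthInfo{ApplicationCredentialID: "constructed-id",
			ApplicationCredentialSecret: "constructed-secret"}},
	}
	for _, name := range []string{"legacy", "appcred", "missing"} {
		w, err := passwordAuthWarning(name, clouds)
		fmt.Printf("%s: warning=%q err=%v\n", name, w, err)
	}
}
```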