Uploaded image for project: 'Red Hat OpenStack Services on OpenShift'
  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-22380

ZDPR Support for IronicAPI Controller

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • ironic-operator
    • None
    • Important

      Implement Zero Downtime Password Rotation (ZDPR) support for IronicAPI using Keystone Application Credentials

      Description:

      Implement Application Credential authentication support for the IronicAPI service to enable Zero Downtime Password Rotation (ZDPR).

      Acceptance Criteria:
      • IronicAPI controller watches the AppCred Secret (ac-ironic-secret)
      • Configuration templates render auth_type=v3applicationcredential with AC_ID and AC_SECRET when AppCred Secret is available
      • All auth sections in IronicAPI config support AppCred:
        • [keystone_authtoken]
        • [service_catalog]
        • [ironic]
        • [glance]
        • [neutron]
        • [nova]
      • IronicAPI deployment triggers a rolling update when the AppCred Secret changes
      • Falls back cleanly to password authentication (auth_type=password) when AppCred Secret is missing or incomplete
      • All configuration changes are backwards compatible with password-based auth
      • Redeployment with new credentials during the grace period works without service disruption
      Technical Context:
      • Controller: controllers/ironicapi_controller.go
      • Config template: templates/ironicapi/config/01-api.conf
      • Current auth method: password-based in multiple config sections

       

              Unassigned Unassigned
              rhn-gps-hjensas Harald Jensas
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: