Add cluster-user-trust config option
Clusters created with the option cloud_provider_enabled or
registry_enabled set to true, or volume_driver set to 'cinder', need
this flag set to True as well to instruct Magnum to assign trust to the
cluster user.
This option defaults to False due to security concerns (see
https://bugs.launchpad.net/bugs/cve/2016-7404 )
[0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled
Closes-Bug: #1996237
Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3
(cherry picked from commit 29260ddf8a)
parent a917f36cee
commit c6346bbc3d
|
@ -50,6 +50,16 @@ options:
|
|||
type: string
|
||||
default: magnum_domain_admin
|
||||
description: Domain admin for the trustee-domain
|
||||
cluster-user-trust:
|
||||
type: boolean
|
||||
default: False
|
||||
description: |
|
||||
Controls whether to assign a trust to the cluster user or not. You will
|
||||
need to set it to True for clusters with volume_driver=cinder or
|
||||
registry_enabled=true in the underlying cluster template to work. This is
|
||||
a potential security risk since the trust gives instances OpenStack API
|
||||
access to the cluster's project. Note that this setting does not affect
|
||||
per-cluster trusts assigned to the Magnum service user.
|
||||
cert-manager-type:
|
||||
type: string
|
||||
default: barbican
|
||||
|
|
|
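Review bot: The description of `cluster-user-trust` names only `volume_driver=cinder` and `registry_enabled=true` as cases that need the option, while the commit message also lists `cloud_provider_enabled`. An operator reading only the charm config would not learn that such clusters need the trust too, so add that case to the description. The commit message justifies the `False` default with a CVE link, but the description only says "potential security risk". Carrying the same reference into the description would let operators judge the exposure before switching it on. As a minor style point, `default: False` uses Python capitalisation in a YAML file; check that it matches how the file's other boolean options are written.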
@ -84,5 +84,6 @@ driver = messaging
|
|||
trustee_domain_name = {{ options.trustee_domain }}
|
||||
trustee_domain_admin_name = {{ options.trustee_admin }}
|
||||
trustee_domain_admin_password = {{ options.magnum_password }}
|
||||
cluster_user_trust = {{ options.cluster_user_trust }}
|
||||
|
||||
[x509]
|
||||
|
|
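Review bot: The new line `cluster_user_trust = {{ options.cluster_user_trust }}` writes one value into the service configuration, so enabling it to support a single template applies it to every cluster this Magnum deployment creates. The option description in the first hunk does not say this. Please state the deployment-wide scope there so operators do not assume the trust is limited to clusters whose template needs it. It is also worth confirming, ideally with a template rendering test, that the hyphenated charm option `cluster-user-trust` is exposed to the template as `options.cluster_user_trust` and renders as a boolean literal the service accepts. If the name does not resolve, the line may render empty, and the visible lines give no way to tell.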