OpenStackCredential

This section describes the OpenStackCredential custom resource (CR) used in Mirantis Container Cloud API. It contains all required details to connect to a provider backend.

Warning

The kubectl apply command automatically saves the applied data as plain text into the kubectl.kubernetes.io/last-applied-configuration annotation of the corresponding object. This may result in revealing sensitive data in this annotation when creating or modifying the object.

Therefore, do not use kubectl apply on this object. Use kubectl create, kubectl patch, or kubectl edit instead.

If you used kubectl apply on this object, you can remove the kubectl.kubernetes.io/last-applied-configuration annotation from the object using kubectl edit.

For demonstration purposes, the Container Cloud OpenStackCredential custom resource (CR) can be split into the following sections:

metadata

The Container Cloud OpenStackCredential custom resource (CR) contains the following fields:

  • apiVersion

    Object API version that is kaas.mirantis.com/v1alpha1.

  • kind

    Object type that is OpenStackCredential.

The metadata object field of the OpenStackCredential resource contains the following fields:

  • name

    Name of the OpenStackCredential object

  • namespace

    Namespace in which the OpenStackCredential object has been created

  • labels

    • kaas.mirantis.com/provider

      Provider type that matches the provider type in the Cluster object and must be openstack

    • kaas.mirantis.com/regional-credential

      Must be true to use OpenStackCredential for the management cluster objects

      Note

      The kaas.mirantis.com/regional-credential label is removed from in 2.26.0 (Cluster releases 17.1.0 and 16.1.0). Therefore, do not add the label starting these releases. On existing clusters updated to these releases, or if manually added, this label will be ignored by Container Cloud.

    • kaas.mirantis.com/region

      Region name

      Note

      The kaas.mirantis.com/region label is removed from all Container Cloud objects in 2.26.0 (Cluster releases 17.1.0 and 16.1.0). Therefore, do not add the label starting these releases. On existing clusters updated to these releases, or if manually added, this label will be ignored by Container Cloud.

    Warning

    Labels and annotations that are not documented in this API Reference are generated automatically by Container Cloud. Do not modify them using the Container Cloud API.

Configuration example:

apiVersion: kaas.mirantis.com/v1alpha1
kind: OpenStackCredential
metadata:
  name: demo
  namespace: test
  labels:
    kaas.mirantis.com/regional-credential: "true"

OpenStackCredential configuration

The spec object field of the OpenStackCredential resource contains a cloud configuration to use for OpenStack authentication. It contains the following fields:

  • auth
    • authURL

      Identity endpoint URL.

    • password
      • value

        Value of the password. This field is available only when the user creates or changes password. Once the controller detects this field, it updates the password in the secret and removes the value field from the OpenStackCredential object.

      • secret

        Reference to the Secret object that contains the password:

        • key

          Secret key name

        • name

          Secret name

    • projectID

      Unique ID of a project.

    • userDomainName

      Name of a domain where the user resides.

    • userName

      User name

  • regionName

    Name of an OpenStack region.

  • CACert

    Base64 encoded CA certificate bundle for verification of SSL API requests.

Configuration example:

...
spec:
  auth:
    authURL: https://container-cloud.ssl.example.com/v3
    password:
      secret:
        key: value
        name: cloud-config
    projectDomainName: k8s-team
    projectID: d67a2680ded144af8bcc91314e560616
    projectName: k8s-team
    userDomainName: default
    userName: k8s-team
  regionName: RegionOne