Allow to read OpenStack config from the secret

Currently OpenStack cloud provider reads user credentials from config file, where data is stored in clear text. This approach is not recommended, as it is a serious security issue. This commit add an ability to read the config from secrets, if necessary. To do so, two new parameters are added to the config: SecretNamespace and SecretName. If they are specified, the provider will try to read config from the secret.
2026-01-13 19:36:22 +00:00 · 2019-03-05 18:20:27 +01:00
parent baf4eb67ac
commit cf8c193b87
3 changed files with 100 additions and 23 deletions
--- a/pkg/volume/cinder/cinder_test.go
+++ b/pkg/volume/cinder/cinder_test.go
@@ -304,17 +304,19 @@ func getOpenstackCloudProvider() (*openstack.OpenStack, error) {
 func getOpenstackConfig() openstack.Config {
 	cfg := openstack.Config{
 		Global: struct {
-			AuthURL    string `gcfg:"auth-url"`
-			Username   string
-			UserID     string `gcfg:"user-id"`
-			Password   string
-			TenantID   string `gcfg:"tenant-id"`
-			TenantName string `gcfg:"tenant-name"`
-			TrustID    string `gcfg:"trust-id"`
-			DomainID   string `gcfg:"domain-id"`
-			DomainName string `gcfg:"domain-name"`
-			Region     string
-			CAFile     string `gcfg:"ca-file"`
+			AuthURL         string `gcfg:"auth-url"`
+			Username        string
+			UserID          string `gcfg:"user-id"`
+			Password        string
+			TenantID        string `gcfg:"tenant-id"`
+			TenantName      string `gcfg:"tenant-name"`
+			TrustID         string `gcfg:"trust-id"`
+			DomainID        string `gcfg:"domain-id"`
+			DomainName      string `gcfg:"domain-name"`
+			Region          string
+			CAFile          string `gcfg:"ca-file"`
+			SecretName      string `gcfg:"secret-name"`
+			SecretNamespace string `gcfg:"secret-namespace"`
 		}{
 			Username:   "user",
 			Password:   "pass",