
Forklift new OpenStack authentication methods


Forklift provides a simple way to migrate virtual machines (VMs) at scale from traditional hypervisors such as VMware vSphere and Red Hat Virtualization (oVirt) to KubeVirt on Kubernetes.

The new version (v2.5.0) will support two additional authentication methods apart from the usual username and password:

  • Token authentication
  • Application credential authentication

For completeness we will describe how to configure all the authentication types available.

Prerequisites

Most of the information required for the configuration can be retrieved from the OpenStack dashboard: click on your username in the top right corner and download the OpenStack RC file.

You should get a file with something like the following:

export OS_AUTH_URL=http://192.168.100.181:5000
export OS_PROJECT_ID=dbed38bf449b495295868afa61a565dc
export OS_PROJECT_NAME="forklift"
export OS_USER_DOMAIN_NAME="Default"
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="default"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
unset OS_TENANT_ID
unset OS_TENANT_NAME
export OS_USERNAME="forklift"
echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT
export OS_REGION_NAME="RegionOne"
if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3

Username/Password authentication

Required fields:

authType=password
username=forklift
password=redhat
regionName=RegionOne
projectName=forklift
domainName=Default

Create the secret from the command-line:

kubectl -n konveyor-forklift create secret generic openstack-password-authentication --from-env-file=openstack-password-authentication

Provider definition:

apiVersion: forklift.konveyor.io/v1beta1
kind: Provider
metadata:
  name: provider-with-password-authentication
  namespace: konveyor-forklift 
spec:
  secret:
    name: openstack-password-authentication
    namespace: konveyor-forklift 
  type: openstack
  url: http://192.168.100.181:5000

Create the provider from the command-line:

kubectl apply -f provider-with-password-authentication.yaml

Token authentication

Generate the token on the OpenStack side:

openstack --os-cloud=forklift token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2023-05-11T11:14:11+0000                                                                                                                                                                |
| id         | gAAAAABkXL_zpOrVRMG-_LVlaVzdablXr9JrMo_-mbJqG_inu-aK848irCL9yZXoiQ4Olq4l_vkwNOZWfoFKxgYPtzJJsIYFx3GwrzOLD3vavNR8ENXR7ynrKllEAj9Tsy_AgjQIR43gg91IcUSBcOtm4cGbpjWRH-9JNJuCYefxDMNW0kDNkJ4 |
| project_id | dbed38bf449b495295868afa61a565dc                                                                                                                                                        |
| user_id    | abd6e32701a944d1b52727ff58e0fb3e                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Now we can use the returned token, project_id and user_id fields for the authentication:

authType=token
token=gAAAAABkXL_zpOrVRMG-_LVlaVzdablXr9JrMo_-mbJqG_inu-aK848irCL9yZXoiQ4Olq4l_vkwNOZWfoFKxgYPtzJJsIYFx3GwrzOLD3vavNR8ENXR7ynrKllEAj9Tsy_AgjQIR43gg91IcUSBcOtm4cGbpjWRH-9JNJuCYefxDMNW0kDNkJ4
userID=abd6e32701a944d1b52727ff58e0fb3e
projectID=dbed38bf449b495295868afa61a565dc

It’s also possible to use the username and project name instead. Using the project name, however, also requires the domainName variable to be set:

authType=token
token=gAAAAABkXL_zpOrVRMG-_LVlaVzdablXr9JrMo_-mbJqG_inu-aK848irCL9yZXoiQ4Olq4l_vkwNOZWfoFKxgYPtzJJsIYFx3GwrzOLD3vavNR8ENXR7ynrKllEAj9Tsy_AgjQIR43gg91IcUSBcOtm4cGbpjWRH-9JNJuCYefxDMNW0kDNkJ4
username=forklift
projectName=forklift
domainName=Default

Create the secret from the command-line:

kubectl -n konveyor-forklift create secret generic openstack-token-authentication --from-env-file=openstack-token-authentication

Provider definition:

apiVersion: forklift.konveyor.io/v1beta1
kind: Provider
metadata:
  name: provider-with-token-authentication
  namespace: konveyor-forklift 
spec:
  secret:
    name: openstack-token-authentication
    namespace: konveyor-forklift 
  type: openstack
  url: http://192.168.100.181:5000

Create the provider from the command-line:

kubectl apply -f provider-with-token-authentication.yaml

Application credentials authentication

The application credential must have roles assigned that permit reading the required information (VMs, flavors, images, volumes, snapshots, networks, …) and stopping and starting VMs; reader and member are the typical ones. The application credential can be generated with the following command:

openstack --os-cloud=forklift application credential create \
          --role member --role reader --secret redhat forklift
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| description  | None                             |
| expires_at   | None                             |
| id           | 9fc3a641041640e1a153e1fd93ef8055 |
| name         | forklift                         |
| project_id   | dbed38bf449b495295868afa61a565dc |
| roles        | member reader                    |
| secret       | redhat                           |
| system       | None                             |
| unrestricted | False                            |
| user_id      | abd6e32701a944d1b52727ff58e0fb3e |
+--------------+----------------------------------+

Now we can use the application credential ID and the chosen secret for the authentication:

authType=applicationcredential
applicationCredentialID=9fc3a641041640e1a153e1fd93ef8055
applicationCredentialSecret=redhat

It’s also possible to use the application credential name instead, but this requires the username and the domainName to be set as well:

# openstack-secret-applicationcredential-auth.env file
authType=applicationcredential
applicationCredentialName=forklift
applicationCredentialSecret=redhat
username=forklift
domainName=Default

Create the secret from the command-line:

kubectl -n konveyor-forklift create secret generic openstack-secret-applicationcredential-auth --from-env-file=openstack-secret-applicationcredential-auth.env
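The three secrets above (password, token and application credential) are all created with `--from-env-file`, and kubectl stores everything after the first `=` verbatim, trailing spaces and quotes included, so a stray space after a value silently becomes part of the credential. The following script is an added example, not part of Forklift or of this post: it checks an env file for the fields each authType needs, as listed in the sections above, and flags values that kubectl would store with unwanted whitespace or quotes. The sample files it writes use placeholder values and are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Forklift project: check a Forklift OpenStack
# secret env file before handing it to
#   kubectl create secret generic NAME --from-env-file=FILE
# kubectl keeps everything after the first "=" verbatim (trailing spaces and
# quotes included), so a stray space becomes part of the credential and the
# provider then fails to authenticate with a misleading error.

# Print the raw value of KEY in FILE (first match, no trimming), i.e. what
# kubectl would store. Prints nothing when the key is absent.
env_get() {
  grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# Succeed only if every listed KEY is present and non-empty in FILE.
env_require() {
  req_file=$1; shift
  req_missing=0
  for req_key in "$@"; do
    if [ -z "$(env_get "$req_file" "$req_key")" ]; then
      echo "missing or empty: $req_key" >&2
      req_missing=1
    fi
  done
  return $req_missing
}

# Flag values with surrounding whitespace or quotes (kubectl keeps both).
# Lines are read with IFS empty so read does not strip the spaces itself.
env_lint() {
  lint_bad=0
  while IFS= read -r lint_line; do
    case $lint_line in ''|'#'*) continue ;; esac
    lint_key=${lint_line%%=*}
    lint_value=${lint_line#*=}
    case $lint_value in
      *[[:space:]]|[[:space:]]*|'"'*|"'"*)
        echo "suspicious value for $lint_key: [$lint_value]" >&2
        lint_bad=1 ;;
    esac
  done < "$1"
  return $lint_bad
}

# Validate FILE against the fields the post lists for each authType.
forklift_env_check() {
  chk_file=$1
  chk_auth=$(env_get "$chk_file" authType)
  case $chk_auth in
    password)
      env_require "$chk_file" username password regionName projectName domainName ;;
    token)
      env_require "$chk_file" token || return 1
      # either the id pair or the name triple identifies the caller
      env_require "$chk_file" userID projectID 2>/dev/null ||
        env_require "$chk_file" username projectName domainName ;;
    applicationcredential)
      env_require "$chk_file" applicationCredentialSecret || return 1
      env_require "$chk_file" applicationCredentialID 2>/dev/null ||
        env_require "$chk_file" applicationCredentialName username domainName ;;
    *)
      echo "unknown or missing authType: [$chk_auth]" >&2
      return 1 ;;
  esac || return 1
  env_lint "$chk_file"
}

# Constructed sample files (placeholder values) so the script runs offline.
write_samples() {
  printf '%s\n' authType=password username=forklift password=PLACEHOLDER \
    regionName=RegionOne projectName=forklift domainName=Default > "$1/good.env"
  printf '%s\n' authType=token token=PLACEHOLDER_TOKEN 'userID=abc ' \
    projectID=def > "$1/trailing-space.env"
  printf '%s\n' authType=applicationcredential applicationCredentialName=forklift \
    applicationCredentialSecret=PLACEHOLDER > "$1/incomplete.env"
}

# Usage: sh check-env.sh FILE...   (exit status 1 if any file fails the check)
if [ "$#" -gt 0 ]; then
  rc=0
  for f in "$@"; do
    forklift_env_check "$f" && echo "$f: ok" || rc=1
  done
  exit $rc
fi
```

Run it on the env file right before the `kubectl create secret` command; a non-zero exit means a required key is missing for that authType or a value carries whitespace or quotes that would end up inside the stored credential.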

Provider definition:

# openstack-provider-applicationcredential-auth.yaml file
apiVersion: forklift.konveyor.io/v1beta1
kind: Provider
metadata:
  name: openstack-provider-applicationcredential-auth
  namespace: konveyor-forklift 
spec:
  secret:
    name: openstack-secret-applicationcredential-auth
    namespace: konveyor-forklift 
  type: openstack
  url: http://192.168.100.181:5000

Create the provider from the command-line:

kubectl apply -f openstack-provider-applicationcredential-auth.yaml