Hi.

We have an issue with the way Magnum uses keystone trusts.

Magnum clusters are created in a given project using HEAT, and require
a trust token to communicate back with OpenStack services - there is
also integration with Kubernetes via a cloud provider.

This trust belongs to a given user, not the project, so whenever we
disable the user's account - for example when a user leaves the
organization - the cluster becomes unhealthy as the trust is no longer
valid. Given the token is available in the cluster nodes, accessible
by users, a trust linked to a service account is also not a viable
solution.

Is there an existing alternative for this kind of use case? I guess
what we might need is a trust that is linked to the project.

I believe the same issue would be there using application credentials,
as the ownership is similar.

Cheers,
  Ricardo

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
