OpenStack provider authentication
Hi, I am trying to create a template that creates an OpenStack VM in the user's own project/account. What's the best way to authenticate users to the OpenStack provider? The current solution was to pass the OpenStack app credentials as parameters to the template, but this is not suitable for a production environment.
I found this, but I am not sure how to use it. Can anyone help please?
Category: Help needed
Product: Coder (v2)
Platform: Linux
hey, have you been able to sort this out?
@Phorcys nope, I think this is a similar issue to this issue
is there any chance of getting some sort of pre-script that would be able to set up credentials and that would be passed to the workspace parameters?
sorry, I think I had misunderstood your issue
are you trying to let users use OpenStack commands inside their template with their own token? or do you want the VM for the workspaces to be provisioned via the user's token?
I guess the latter. They are trying to provision the workspaces by using the user's token.
yes. that was the idea
but the issue with the token is that it expires. so the idea was to use the token to create credentials and then provision the workspace
I don't think it's possible
`provider` blocks are loaded before `coder_parameter`s or any other `resource`s
or at least, that's what I figured out from trying something similar and that's also what the Terraform docs suggest
meaning you can't pass a value from a `resource` to a `provider`, so you have no way of setting it dynamically other than via Terraform's built-in functions, or the provider itself needs to support it
i am aware of this, but i was wondering if there is any possibility of having some sort of an init script, that would be able to do this. the scenario would be
i am not familiar with coder codebase, so i have no idea if this is possible. rn, we create the credentials on our side and we pass them to coder, but we felt having it in the coder would be ideal
well, not really, because the provisioning is handled within terraform
so you'd need to defer the provisioning part to your script, but then you lose all the other capabilities
you could authenticate the `oc` cli and then use that to create the workspace, but imo that'd be a bit overengineered
what is the motive behind wanting to use the user's token to provision the workspaces?
You could potentially use OIDC on OpenStack + External Auth to ask the user to link their openstack account, then pass that token to the provider:
- https://docs.mirantis.com/mosk/latest/user/federation-curl.html
- https://coder.com/docs/admin/external-auth
It would require some pretty fancy template magic. Plus, when you push the template you'd have to have some fallback "default" user since no user is specified then
Also, can definitely import parameters and other data sources into the provider block as far as I can tell
seems like it is possible after all, my bad!
i had some really weird issues trying to do stuff like this in past experiences so I just assumed you couldn't