I think the biggest issue here is the fact that keystone doesn’t have a service account or something like that.

Application credentials are tied to a user unfortunately, trusts are the same. There's no way for a user to create a user for the cluster.

I guess in the CAPI world if we have admin access we can create a user for the cluster in the project but that probably has its own set of problems.

Get Outlook for iOS

From: Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com>
Sent: Thursday, December 19, 2024 7:40:31 PM
To: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: [openstack][magnum] user who created cluster was deleted from keystone

Hello.

I have a case:

What will we do if the user who created the cluster was deleted from the keystone? In this case, we cannot add or remove node groups or use autoscale and autoheal. I tried to create a new application credential and patch my cluster. Then I can add or remove node groups but new node groups cannot join the cluster(nodes not ready)

Thank you. Regards

Nguyen Huu Khoi