Files

defiQUG 9daf1fd378 Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements

- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements

2025-12-12 18:01:35 -08:00

5.5 KiB

Raw Blame History

Proxmox API Token Management Guide

Overview

This guide covers best practices for managing Proxmox API tokens used by the Crossplane provider.

Token Creation

Via Proxmox Web UI

Navigate to API Tokens:
- Log into Proxmox Web UI
- Go to Datacenter → Permissions → API Tokens
- Click "Add"
Configure Token:
- Token ID: crossplane-<site-name> (e.g., crossplane-us-east-1)
- User: root@pam or dedicated service account
- Expiration: Set appropriate expiration (recommended: 1 year or less)
- Privilege Separation: Enable if using dedicated user
Set Permissions:
- Administrator: Full access (for development)
- VM-specific: Limited to VM operations (for production)
- Storage-specific: Limited to storage operations (if needed)
Generate Token:
- Click "Generate"
- IMPORTANT: Copy the token immediately (format: user@realm!token-name=token-secret)
- Store securely (will not be shown again)

Via Proxmox API

# Create token via API (requires existing authentication)
curl -k -X POST \
  -H "Authorization: PVEAuthCookie=YOUR_TICKET" \
  -H "CSRFPreventionToken: YOUR_CSRF_TOKEN" \
  -d "tokenid=crossplane-us-east-1&userid=root@pam&expire=31536000" \
  https://your-proxmox:8006/api2/json/access/users/root@pam/token

Token Format

Proxmox API tokens use the format:

user@realm!token-name=token-secret

Example:

root@pam!crossplane-us-east-1=abc123def456ghi789

Token Storage

Kubernetes Secret

Store tokens in Kubernetes secrets:

kubectl create secret generic proxmox-credentials \
  --from-literal=credentials.json='{"username":"root@pam","token":"root@pam!crossplane-token=abc123..."}' \
  -n crossplane-system

ProviderConfig Reference

The ProviderConfig references the secret:

spec:
  credentials:
    source: Secret
    secretRef:
      name: proxmox-credentials
      namespace: crossplane-system
      key: credentials.json

Token Permissions

Recommended Permissions

For production use, create tokens with minimal required permissions:

VM Operations:
- VM.Allocate
- VM.Clone
- VM.Config
- VM.Monitor
- VM.PowerMgmt
Storage Operations (if needed):
- Datastore.Allocate
- Datastore.Audit
Network Operations (if needed):
- SDN.Use

Development Permissions

For development/testing, Administrator role is acceptable but not recommended for production.

Token Rotation

Rotation Schedule

Production: Rotate every 90 days
Development: Rotate every 180 days
Emergency: Rotate immediately if compromised

Rotation Procedure

Create New Token:
- Create new token with same permissions
- Test new token

Update Kubernetes Secret:

kubectl delete secret proxmox-credentials -n crossplane-system
kubectl create secret generic proxmox-credentials \
  --from-literal=credentials.json='{"username":"root@pam","token":"NEW_TOKEN"}' \
  -n crossplane-system

Restart Provider:

kubectl delete pod -n crossplane-system -l app=crossplane-provider-proxmox

Verify:

kubectl logs -n crossplane-system -l app=crossplane-provider-proxmox --tail=50

Revoke Old Token:
- Log into Proxmox Web UI
- Go to API Tokens
- Delete old token

Token Security

Best Practices

Never Commit Tokens:
- Never commit tokens to git
- Use secrets management
- Rotate if accidentally exposed
Use Separate Tokens:
- Use different tokens per site/environment
- Use different tokens per application
- Track token usage
Monitor Token Usage:
- Review Proxmox audit logs
- Monitor for unusual activity
- Set up alerts for failures
Limit Token Scope:
- Use principle of least privilege
- Grant only required permissions
- Review permissions regularly
Set Expiration:
- Always set token expiration
- Rotate before expiration
- Document expiration dates

Token Troubleshooting

Authentication Failures

Check Token Format:
- Verify format: user@realm!token-name=token-secret
- Check for typos
- Verify special characters are escaped
Verify Token Validity:
- Check token expiration
- Verify token not revoked
- Check user account status

Test Token:

curl -k -H "Authorization: PVEAuthCookie=TOKEN" \
  https://your-proxmox:8006/api2/json/version

Permission Errors

Check Permissions:
- Review token permissions in Proxmox
- Verify required permissions are granted
- Check user roles
Test Operations:
- Try operation via Proxmox API
- Check error messages
- Review Proxmox logs

Token Audit

Regular Audits

Monthly Review:
- List all active tokens
- Review token usage
- Check for unused tokens
Quarterly Review:
- Review token permissions
- Verify token expiration dates
- Update documentation
Annual Review:
- Complete token audit
- Rotate all tokens
- Review security practices

Audit Commands

# List tokens (via Proxmox API)
curl -k -H "Authorization: PVEAuthCookie=TOKEN" \
  https://your-proxmox:8006/api2/json/access/users/root@pam/token

5.5 KiB Raw Blame History