[openstack-dev] [TripleO] [Heat] os-cloud-config ssh access to cloud

Jiří Stránský jistr at redhat.com
Fri Mar 14 13:33:14 UTC 2014

On 12.3.2014 17:03, Jiří Stránský wrote:
> Thanks for all the replies everyone :)
> I'm leaning towards going the way Robert suggested on the review [1] -
> upload pre-created signing cert, signing key and CA cert to controller
> nodes using Heat. This seems like a much cleaner approach to
> initializing overcloud than having to SSH into it, and it will solve
> both problems i outlined in the initial e-mail.
> It creates another problem though - for simple (think PoC) deployments
> without external CA we'll need to create the keys/certs
> somehow/somewhere anyway :) It shouldn't be hard because it's already
> implemented in keystone-manage pki_setup but we should figure out a way
> to avoid copy-pasting the world. Maybe Tuskar calling pki_setup locally
> and passing a parameter to pki_setup to override default location where
> new keys/certs will be generated?
> Thanks
> Jirka
> [1] https://review.openstack.org/#/c/78148/

I'm adding [Heat] to the subject. After some discussion on IRC it seems 
that what we need to do with Heat is not totally straightforward.

Here's an attempt at a brief summary:

In TripleO we deploy OpenStack using Heat, the cloud is described in a 
Heat template [1]. We want to externally generate and then upload 3 
small binary files to the controller nodes (Keystone PKI key and 
certificates [2]). We don't want to generate them in place or scp them 
into the controller nodes, because that would require having ssh access 
to the deployed controller nodes, which comes with drawbacks [3].

It would be good if we could have the 3 binary files put into the 
controller nodes as part of the Heat stack creation. Can we include them 
in the template somehow? Or is there an alternative feasible approach?

Thank you



More information about the OpenStack-dev mailing list