On 03/14/2014 06:33 AM, Jiří Stránský wrote:
> On 12.3.2014 17:03, Jiří Stránský wrote:
>>
>> Thanks for all the replies everyone :)
>>
>> I'm leaning towards going the way Robert suggested on the review [1] -
>> upload pre-created signing cert, signing key and CA cert to controller
>> nodes using Heat. This seems like a much cleaner approach to
>> initializing overcloud than having to SSH into it, and it will solve
>> both problems I outlined in the initial e-mail.
>>
>> It creates another problem though - for simple (think PoC) deployments
>> without external CA we'll need to create the keys/certs
>> somehow/somewhere anyway :) It shouldn't be hard because it's already
>> implemented in keystone-manage pki_setup but we should figure out a way
>> to avoid copy-pasting the world. Maybe Tuskar calling pki_setup locally
>> and passing a parameter to pki_setup to override default location where
>> new keys/certs will be generated?
>>
>> Thanks
>>
>> Jirka
>>
>> [1] https://review.openstack.org/#/c/78148/
>>
>
> I'm adding [Heat] to the subject. After some discussion on IRC it
> seems that what we need to do with Heat is not totally straightforward.
>
> Here's an attempt at a brief summary:
>
> In TripleO we deploy OpenStack using Heat, the cloud is described in a
> Heat template [1]. We want to externally generate and then upload 3
> small binary files to the controller nodes (Keystone PKI key and
> certificates [2]). We don't want to generate them in place or scp them
> into the controller nodes, because that would require having ssh
> access to the deployed controller nodes, which comes with drawbacks [3].
>
> It would be good if we could have the 3 binary files put into the
> controller nodes as part of the Heat stack creation. Can we include
> them in the template somehow? Or is there an alternative feasible
> approach?

Jirka,

You can inject files via the heat-cfntools agents.

Check out: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-init.html#aws-resource-init-files

You could also use raw cloudinit data to inject a files section. There may be a final option with software config, but I'm not certain if software config has grown a feature to inject files yet.

Regards
-steve

> Thank you
>
> Jirka
>
> [1] https://github.com/openstack/tripleo-heat-templates/blob/0490dd665899d3265a72965aeaf3a342275f4328/overcloud-source.yaml
> [2] http://docs.openstack.org/developer/keystone/configuration.html#install-external-signing-certificate
> [3] http://lists.openstack.org/pipermail/openstack-dev/2014-March/029327.html
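The heat-cfntools approach Steve points at, sketched as an added example (not from the thread or from tripleo-heat-templates): the three PEM files arrive as stack parameters and the `AWS::CloudFormation::Init` `files` section writes them out with tight ownership and mode, so the signing key is never shipped over SSH. Parameter names, the `controller0` resource name and the target paths are assumptions; the paths follow the Keystone external-signing-certificate layout the thread links in [2].

```yaml
# Assumed CFN-style Heat template fragment; parameter and resource names are illustrative.
Parameters:
  KeystoneSigningKey:
    Type: String
    NoEcho: "true"            # keep the private key out of stack-show/event output
    Description: PEM-encoded Keystone PKI signing key, generated outside the overcloud
  KeystoneSigningCert:
    Type: String
    Description: PEM-encoded Keystone PKI signing certificate
  KeystoneCACert:
    Type: String
    Description: PEM-encoded CA certificate that issued the signing certificate

Resources:
  controller0:
    Type: OS::Nova::Server
    Metadata:
      AWS::CloudFormation::Init:
        config:
          files:
            # Private key: readable by the keystone service user only.
            /etc/keystone/ssl/private/signing_key.pem:
              content: {Ref: KeystoneSigningKey}
              mode: "000600"
              owner: keystone
              group: keystone
            # Public material: world-readable is fine, but still owned by keystone.
            /etc/keystone/ssl/certs/signing_cert.pem:
              content: {Ref: KeystoneSigningCert}
              mode: "000644"
              owner: keystone
              group: keystone
            /etc/keystone/ssl/certs/ca.pem:
              content: {Ref: KeystoneCACert}
              mode: "000644"
              owner: keystone
              group: keystone
    Properties:
      image: {Ref: controllerImage}   # assumed parameter, as in the real overcloud template
      flavor: {Ref: ControllerFlavor} # assumed parameter
```

Because the key travels as stack metadata, it is visible to anything that can read that server's metadata; `NoEcho` hides it from API output but not from the node itself, so the `mode: "000600"` and `owner: keystone` settings are what keep it from other local users once it lands.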