[openstack-dev] [TripleO] os-cloud-config ssh access to cloud

Jiří Stránský jistr at redhat.com
Wed Mar 26 11:54:18 UTC 2014

(Removing [Heat] from the subject.)

So here are the steps I think are necessary to get the PKI setup done 
and safely passed through Jenkins. If anyone thinks something is 
redundant or missing, please shout:

1. Patch to os-cloud-config:

   * Generation of keys and certs for cases where the user doesn't want to
     specify their own - mainly PoC deployments. (Generation happens
     in-memory, which is better for Tuskar than having to write
     keys/certs to disk - we might have different sets for different

   * Implement also a function that will write the keys/certs to a
     specified location on disk (in-memory generation is not well
     suited for use within Devtest).

2. Patch to T-I-E:

   * os-cloud-config image element.

3. Patch to tripleo-incubator (dependent on patches 1 and 2):

   * Generate keys using os-cloud-config and pass them into heat-create
     if the T-H-T supports that (this is to make sure the next T-H-T
     patch passes). Keep doing the current init-keystone anyway.

4. Patch to T-H-T (dependent on patch 3):

   * Accept 3 new parameters for controller nodes: KeystoneCACert,
     KeystoneSigningKey, KeystoneSigningCert. Default them to empty
     string so that they are not required (otherwise we'd have to
     implement "logic forking" also for Tuskar, because it's
     chicken-and-egg there too).

5. Patch to tuskar (dependent on patch 4):

   * Use os-cloud-config to generate keys and certs if the user didn't
     specify their own, pass new parameters to T-H-T.

6. Patch to T-I-E (dependent on patch 5):

   * Add the certs and signing key to keystone's os-apply-config
     templates. Change key location to /etc instead of
     /mnt/state/etc. Devtest should keep working because calling
     `keystone-manage pki_setup` on an already initialized system does not
     have significant effect. It will keep generating a useless CA key,
     but that will stop with patch 7.

7. Cleanup patch to tripleo-incubator (dependent on patch 6):

   * Remove conditional on passing the 3 new parameters only if
     supported, pass them always.

   * Remove call to pki_setup.

Regarding the cloud initialization as a whole, on Monday I sent a patch 
for creating users, roles etc. [1]. The parts still missing are endpoint 
registration [2,3] and neutron setup [4].

If anyone is willing to spare some cycles on endpoint registration or 
neutron setup or make the image element for os-cloud-config (patch no. 2 
in above list), it would be great, as we'd like to have this finished as 
soon as possible.



[1] https://review.openstack.org/#/c/78148/
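
An added example, not part of the original message and not os-cloud-config's own code: a sketch of the generation described in step 1, producing the three values named in step 4 in memory, with a separate function that writes them to disk. The `cryptography` library, all function names, the certificate subject names and the `.pem` file naming are assumptions.

```python
import datetime
import os
from cryptography import x509  # assumed library; the message names none
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def make_pair(common_name, issuer=None):
    """Hypothetical helper: (key, cert) built in memory; self-signed CA if issuer is None."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer_key, issuer_name = (issuer[0], issuer[1].subject) if issuer else (key, subject)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
               .add_extension(x509.BasicConstraints(ca=issuer is None, path_length=None),
                              critical=True))
    return key, builder.sign(issuer_key, hashes.SHA256())

def generate_keystone_pki():
    """PEM strings keyed by the three parameter names from step 4; nothing touches disk."""
    ca = make_pair("Keystone CA (constructed)")  # the CA private key is dropped on return
    key, cert = make_pair("Keystone Signing (constructed)", issuer=ca)
    pem, fmt = serialization.Encoding.PEM, serialization.PrivateFormat.TraditionalOpenSSL
    return {
        "KeystoneCACert": ca[1].public_bytes(pem).decode(),
        "KeystoneSigningKey": key.private_bytes(pem, fmt, serialization.NoEncryption()).decode(),
        "KeystoneSigningCert": cert.public_bytes(pem).decode(),
    }

def write_pki(pki, directory):
    """Write each PEM under directory, created 0600 and refusing to overwrite (O_EXCL)."""
    paths = {name: os.path.join(directory, name + ".pem") for name in pki}
    for name, path in paths.items():
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(pki[name])
    return paths

def signed_by(cert_pem, ca_pem):
    """True if cert_pem's RSA signature verifies under the public key in ca_pem."""
    cert, ca = (x509.load_pem_x509_certificate(p.encode()) for p in (cert_pem, ca_pem))
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False
```

Because the CA private key never leaves `generate_keystone_pki`, only the CA certificate, signing key and signing certificate exist to be passed on or written out.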
