[openstack-dev] [TripleO] os-cloud-config ssh access to cloud
jistr at redhat.com
Wed Mar 26 11:54:18 UTC 2014
(Removing [Heat] from the subject.)
So here are the steps i think are necessary to get the PKI setup done
and safely passed through Jenkins. If anyone thinks something is
redundant or missing, please shout:
1. Patch to os-cloud-config:
* Generation of keys and certs for cases user doesn't want to
specify their own - mainly PoC deployments. (Generation happens
in-memory, which is better for Tuskar than having to write
keys/certs to disk - we might have different sets for different
* Implement also a function that will write the keys/certs to a
specified location on disk (in-memory generation is not well
suited for use within Devtest).
2. Patch to T-I-E:
* os-cloud-config image element.
3. Patch to tripleo-incubator (dependent on patches 1 and 2):
* Generate keys using os-cloud-config and pass them into heat-create
if the T-H-T supports that (this is to make sure the next T-H-T
patch passes). Keep doing the current init-keystone anyway.
4. Patch to T-H-T (dependent on patch 3):
* Accept 3 new parameters for controller nodes: KeystoneCACert,
KeystoneSigningKey, KeystoneSigningCert. Default them to empty
string so that they are not required (otherwise we'd have to
implement "logic forking" also for Tuskar, because it's
chicken-and-egg there too).
5. Patch to tuskar (dependent on patch 4):
* Use os-cloud-config to generate keys and certs if user didn't
specify their own, pass new parameters to T-H-T.
6. Patch to T-I-E (dependent on patch 5):
* Add the certs and signing key to keystone's os-apply-config
templates. Change key location to /etc instead of
/mnt/state/etc. Devtest should keep working because calling
`keystone-manage pki_setup` on already initialized system does not
have significant effect. It will keep generating a useless CA key,
but that will stop with patch 7.
7. Cleanup patch to tripleo-incubator (dependent on patch 6):
* Remove conditional on passing the 3 new parameters only if
supported, pass them always.
* Remove call to pki_setup.
Regarding the cloud initialization as a whole, on monday i sent a patch
for creating users, roles etc. . The parts still missing are endpoint
registration [2,3] and neutron setup .
If anyone is willing to spare some cycles on endpoint registration or
neturon setup or make the image element for os-cloud-config (patch no. 2
in above list), it would be great, as we'd like to have this finished as
soon as possible.
More information about the OpenStack-dev