[openstack-dev] [TripleO] os-cloud-config ssh access to cloud

Jiří Stránský jistr at redhat.com
Wed Mar 26 11:54:18 UTC 2014


(Removing [Heat] from the subject.)

So here are the steps I think are necessary to get the PKI setup done 
and safely passed through Jenkins. If anyone thinks something is 
redundant or missing, please shout:

1. Patch to os-cloud-config:

   * Generation of keys and certs for cases where the user doesn't want to
     specify their own - mainly PoC deployments. (Generation happens
     in-memory, which is better for Tuskar than having to write
     keys/certs to disk - we might have different sets for different
     overclouds.)

   * Implement also a function that will write the keys/certs to a
     specified location on disk (in-memory generation is not well
     suited for use within Devtest).

2. Patch to T-I-E:

   * os-cloud-config image element.

3. Patch to tripleo-incubator (dependent on patches 1 and 2):

   * Generate keys using os-cloud-config and pass them into heat-create
     if the T-H-T supports that (this is to make sure the next T-H-T
     patch passes). Keep doing the current init-keystone anyway.

4. Patch to T-H-T (dependent on patch 3):

   * Accept 3 new parameters for controller nodes: KeystoneCACert,
     KeystoneSigningKey, KeystoneSigningCert. Default them to empty
     string so that they are not required (otherwise we'd have to
     implement "logic forking" also for Tuskar, because it's
     chicken-and-egg there too).

5. Patch to tuskar (dependent on patch 4):

   * Use os-cloud-config to generate keys and certs if the user didn't
     specify their own, pass new parameters to T-H-T.

6. Patch to T-I-E (dependent on patch 5):

   * Add the certs and signing key to keystone's os-apply-config
     templates. Change key location to /etc instead of
     /mnt/state/etc. Devtest should keep working because calling
     `keystone-manage pki_setup` on an already initialized system does not
     have significant effect. It will keep generating a useless CA key,
     but that will stop with patch 7.

7. Cleanup patch to tripleo-incubator (dependent on patch 6):

   * Remove conditional on passing the 3 new parameters only if
     supported, pass them always.

   * Remove call to pki_setup.


Regarding the cloud initialization as a whole, on Monday I sent a patch 
for creating users, roles etc. [1]. The parts still missing are endpoint 
registration [2,3] and neutron setup [4].

If anyone is willing to spare some cycles on endpoint registration or 
neutron setup or make the image element for os-cloud-config (patch no. 2 
in above list), it would be great, as we'd like to have this finished as 
soon as possible.


Thanks

Jirka

[1] https://review.openstack.org/#/c/78148/
[2] https://github.com/openstack/tripleo-incubator/blob/4e2e8de41ba91a5699ea4eb9091f6ef4c95cf0ce/scripts/init-keystone#L111-L114
[3] https://github.com/openstack/tripleo-incubator/blob/4e2e8de41ba91a5699ea4eb9091f6ef4c95cf0ce/scripts/setup-endpoints
[4] https://github.com/openstack/tripleo-incubator/blob/4e2e8de41ba91a5699ea4eb9091f6ef4c95cf0ce/scripts/setup-neutron
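
A sketch of the two functions step 1 describes (in-memory generation, then an optional write to disk), returning the three parameters named in step 4. This is an added example, not part of the original message and not os-cloud-config's code; the function names, subject names, key size and validity period are assumptions, and it needs the Python `cryptography` package.

```python
import datetime
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import (
    Encoding, NoEncryption, PrivateFormat)
from cryptography.x509.oid import NameOID


def _cert(subject_cn, issuer_cn, public_key, signer_key, is_ca, days):
    """Build one X.509 certificate and sign it with signer_key."""
    subject, issuer = (x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
                       for cn in (subject_cn, issuer_cn))
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), True)
            .sign(signer_key, hashes.SHA256()))


def generate_keystone_pki(days=3650):
    """Return PEM strings keyed by parameter name; nothing touches disk and
    the CA private key is not returned (assumption: it is not needed later)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sign_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca, signer = "Example Keystone CA", "Example Keystone Signing"  # constructed
    ca_cert = _cert(ca, ca, ca_key.public_key(), ca_key, True, days)
    sign_cert = _cert(signer, ca, sign_key.public_key(), ca_key, False, days)
    return {
        "KeystoneCACert": ca_cert.public_bytes(Encoding.PEM).decode(),
        "KeystoneSigningCert": sign_cert.public_bytes(Encoding.PEM).decode(),
        "KeystoneSigningKey": sign_key.private_bytes(
            Encoding.PEM, PrivateFormat.TraditionalOpenSSL, NoEncryption()).decode(),
    }


def write_keystone_pki(pki, directory):
    """Write each PEM to <directory>/<name>.pem with owner-only permissions."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    paths = {}
    for name, data in pki.items():
        paths[name] = os.path.join(directory, name + ".pem")
        fd = os.open(paths[name], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.fchmod(fd, 0o600)  # tighten a pre-existing file as well
        with os.fdopen(fd, "w") as handle:
            handle.write(data)
    return paths
```

Opening the files with mode 0600 from the start avoids a window in which the signing key is readable by other local users.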
