[openstack-dev] [puppet][operators] How to specify Keystone v3 credentials?

Mike Dorman mdorman at godaddy.com
Wed May 6 23:26:14 UTC 2015


We also run all masterless/puppet apply.  And we just populate a bare 
bones keystone.conf on any box that does not have keystone installed, but 
Puppet needs to be able to create keystone resources.

Also agreed on avoiding puppetdb, for the same reasons.

(Something to note for those of us doing masterless today: there are plans 
from Puppet to move more of the manifest compiling functionality to run 
only in the puppet master process.  So at some point, it’s likely that 
masterless setups may not be possible.)

Mike



>>>>>
>>>>> If you do not wish to explicitly define Keystone resources for
>>>>> Glance on Keystone nodes but instead let Glance nodes manage
>>>>> their own resources, you could always use exported resources.
>>>>>
>>>>> You let Glance nodes export their keystone resources and then
>>>>> you ask Keystone nodes to realize them where admin credentials
>>>>> are available. (I know some people don't really like exported
>>>>> resources for various reasons)
>>>>
>>>> I'm not familiar with exported resources.  Is this a viable
>>>> option that has less impact than just requiring Keystone
>>>> resources to be realized on the Keystone node?
>> 
>>> I'm not in favor of having exported resources because it requires 
>>> PuppetDB, and a lot of people try to avoid that. For now, we've
>>> been able to setup all OpenStack without PuppetDB in TripleO and in
>>> some other installers, we might want to keep this benefit.
>> 
>> +100
>> 
>> We're looking at using these puppet modules in a bit, but we're also a
>> few steps away from getting rid of our puppetmaster and moving to a
>> completely puppet apply based workflow. I would be double-plus
>> sad-panda if we were not able to use the openstack puppet modules to
>> do openstack because they'd been done in such as way as to require a
>> puppetmaster or puppetdb.
>
>100% agree.
>
>Even if you had a puppetmaster and puppetdb, you would still end up in
>this "eventual consistency" dance of puppet runs.


More information about the OpenStack-dev mailing list