[nova-api] Inject public key without create key pair in nova ?

smooney at redhat.com smooney at redhat.com
Mon Aug 21 13:05:16 UTC 2023


On Mon, 2023-08-21 at 12:41 +0000, Pureewat Kaewpoi wrote:
> Hi
> 
> I forgot to give crucial information. I want to use this with a Windows instance that needs to use cloudbase-init.
> 
> As I read this code
> https://github.com/cloudbase/cloudbase-init/blob/master/cloudbaseinit/metadata/services/baseopenstackservice.py#L76
> It looks like cloudbase-init does not support using a public key via user-data.
> It only reads it from the 'public-keys' key in meta-data.json
> 
> Maybe I have to patch something to make this work?
oh well, for windows instances, when you import a key you can import a non-ssh key by setting the key type.
https://docs.openstack.org/api-ref/compute/?expanded=import-or-create-keypair-detail#import-or-create-keypair
simply set the type to x509
i.e. instead of
{
    "keypair": {
        "name": "keypair-d20a3d59-9433-4b79-8726-20b431d89c78",
        "type": "ssh",
        "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDx8nkQv/zgGgB4rMYmIf+6A4l6Rr+o/6lHBQdW5aYd44bd8JttDCE/F/pNRr0lRE+PiqSPO8nDPHw0010JeMH9gYgnnFlyY3/OcJ02RhIPyyxYpv9FhY+2YiUkpwFOcLImyrxEsYXpD/0d3ac30bNH6Sw9JD9UZHYcpSxsIbECHw== Generated-by-Nova",
        "user_id": "fake"
    }
}

{
    "keypair": {
        "name": "keypair-d20a3d59-9433-4b79-8726-20b431d89c78",
        "type": "x509",
        "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDx8nkQv/zgGgB4rMYmIf+6A4l6Rr+o/6lHBQdW5aYd44bd8JttDCE/F/pNRr0lRE+PiqSPO8nDPHw0010JeMH9gYgnnFlyY3/OcJ02RhIPyyxYpv9FhY+2YiUkpwFOcLImyrxEsYXpD/0d3ac30bNH6Sw9JD9UZHYcpSxsIbECHw== Generated-by-Nova",
        "user_id": "fake"
    }
}

x509 certs are what windows uses for winrm or powershell remote exec (i think winrm is using that under the hood).
That should enable cloudbase-init to find the keypair and import it

when we said use user_data we were actually suggesting embedding the key in the userdata and writing a script
(in bash/powershell) in the user data to install the key where it is required. this would not require
cloudbase-init to support it since you are just using cloudbase-init to execute the script.


> 
> Thank you,
> Pureewat
> 
> ________________________________
> From: Jeremy Stanley <fungi at yuggoth.org>
> Sent: Monday, August 21, 2023 7:19 PM
> To: openstack-discuss at lists.openstack.org <openstack-discuss at lists.openstack.org>
> Subject: Re: [nova-api] Inject public key without create key pair in nova ?
> 
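
The user-data approach described in the reply above, as an added example that is not part of the original thread or of cloudbase-init itself: a PowerShell script passed as user data that installs an embedded SSH public key. It assumes the image runs the Windows OpenSSH server and that the login account is in the Administrators group; the key shown is a placeholder.

```powershell
#ps1_sysnative
# Added example: cloudbase-init runs user data that starts with #ps1_sysnative
# as a PowerShell script.
# Assumptions: the Windows OpenSSH server (sshd) is installed in the image and
# the account that will log in is a member of Administrators.
$ErrorActionPreference = 'Stop'

# Placeholder: replace with the real public key line (type, base64 blob,
# optional comment). The placeholder fails the check below on purpose.
$PublicKey = 'ssh-ed25519 AAAA_REPLACE_WITH_BASE64_BLOB user@example'

# Accept exactly one well-formed key line, so stray text or extra lines in the
# user data never end up in the authorized keys file.
$pattern = '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( [^\r\n]*)?$'
if ($PublicKey -cnotmatch $pattern) {
    throw 'user data does not contain a single well-formed SSH public key line'
}

$sshDir   = Join-Path $env:ProgramData 'ssh'
$keysFile = Join-Path $sshDir 'administrators_authorized_keys'
New-Item -ItemType Directory -Path $sshDir -Force | Out-Null

# Append only if the key is not already present, so a re-run is harmless.
$existing = if (Test-Path $keysFile) { Get-Content -Path $keysFile } else { @() }
if ($existing -notcontains $PublicKey) {
    Add-Content -Path $keysFile -Value $PublicKey -Encoding ascii
}

# Restrict the file to Administrators and SYSTEM, the ACL Microsoft documents
# for administrators_authorized_keys.
& icacls.exe $keysFile /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
```

Only the public key belongs in user data, since user data can be read back from inside the instance through the metadata service.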



