Set up admin access to a cloud
Introduction
To configure a newly deployed OpenStack cloud for production use, one must first gain native administrative control of it. Although this refers to OpenStack-level admin user access, this article shows how to obtain it via queries made with the Juju client.
Note
As an alternative to the instructions presented in this article, if the Horizon dashboard is available, access can be obtained by downloading a credentials file.
Procedure
Install the client software
The OpenStack clients will be needed in order to manage the cloud from the command line. Install them on the same machine that hosts the Juju client. This example uses the snap install method:
sudo snap install openstackclients --classic
Set cloud-specific authentication variables
In terms of authentication, three cloud-specific pieces of information are needed:
the Keystone administrator password
the Keystone service endpoint
the root CA certificate (if the cloud is TLS-enabled)
Keystone administrator password
Set the environment variable OS_PASSWORD to the Keystone administrator password:
export OS_PASSWORD=$(juju run --unit keystone/leader 'leader-get admin_passwd')
Keystone service endpoint
Determine the IP address of the keystone unit and set the environment variable OS_AUTH_URL to the Keystone service endpoint:
IP_ADDRESS=$(juju run --unit keystone/leader -- 'network-get --bind-address public')
export OS_AUTH_URL=https://${IP_ADDRESS}:5000/v3
Important
If the Keystone endpoint is not using TLS you will need to modify the URL to use HTTP.
Root CA certificate
Place the CA certificate in a file that your OpenStack client software can access and set the environment variable OS_CACERT to that file's path. A commonly used path that works for the openstackclients snap, for user 'ubuntu', is /home/ubuntu/snap/openstackclients/common/root-ca.crt:
export OS_CACERT=/home/ubuntu/snap/openstackclients/common/root-ca.crt
juju run --unit vault/leader 'leader-get root-ca' > $OS_CACERT
Set other authentication variables
Charmed OpenStack uses standard values for other authentication variables:
export OS_USERNAME=admin
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=admin_domain
export OS_USER_DOMAIN_NAME=admin_domain
Verify administrative control
The admin user environment should now be complete.
First inspect all the variables:
env | grep OS_
A good initial verification test is to query the cloud’s endpoints (Keystone service catalog):
openstack endpoint list
A second recommended verification to make is a login to the Horizon dashboard (if present), where the following should be used:
OS_USERNAME (User Name)
OS_PASSWORD (Password)
OS_PROJECT_DOMAIN_NAME (Domain)
You should now have the permissions to configure and manage the cloud.
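An added example, not part of the original guide or of the OpenStack Charms project's scripts: env | grep OS_ prints OS_PASSWORD in clear text, and the juju run redirect into $OS_CACERT creates that file even when the command returns nothing. The hypothetical helpers os_env_masked and os_env_check below list the variables with the password masked and confirm that an HTTPS endpoint is paired with a non-empty PEM CA file.

```shell
#!/bin/sh
# Added example (assumed helper names, not project code): audit the OS_* admin
# environment set up above without echoing the Keystone password.

# Print the OS_* variables, sorted, with the value of OS_PASSWORD masked.
os_env_masked() {
    env | grep '^OS_' | sort | sed -E 's/^(OS_PASSWORD)=.*/\1=********/'
}

# Return 0 if the environment is consistent; otherwise print reasons to
# stderr and return 1.
os_env_check() {
    rc=0
    for v in OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_PROJECT_NAME \
             OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing: $v" >&2; rc=1; }
    done
    case "${OS_AUTH_URL:-}" in
        https://*)
            # TLS endpoint: the CA file must exist, be non-empty and be PEM.
            if [ -z "${OS_CACERT:-}" ] || [ ! -s "$OS_CACERT" ]; then
                echo "OS_CACERT is unset or points to an empty file" >&2; rc=1
            elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$OS_CACERT"; then
                echo "OS_CACERT does not contain a PEM certificate" >&2; rc=1
            fi ;;
        http://*)
            # Allowed by the guide for non-TLS Keystone, but worth flagging.
            echo "warning: OS_AUTH_URL is plain HTTP; the password is sent unencrypted" >&2 ;;
        *)
            echo "OS_AUTH_URL does not start with http:// or https://" >&2; rc=1 ;;
    esac
    return $rc
}
```

Source the file in the same shell as the exports and run os_env_masked and os_env_check before openstack endpoint list.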
Consider a helper script
Variables can be conveniently set through the use of a shell script that you can write yourself. However, the OpenStack Charms project maintains such files (one script calls another) and they can be found in the openstack-bundles repository.
Simply download the repository and source the openrc file:
git clone https://github.com/openstack-charmers/openstack-bundles ~/openstack-bundles
source ~/openstack-bundles/stable/openstack-base/openrc
This sets a suite of variables. Here is an example:
OS_REGION_NAME=RegionOne
OS_AUTH_VERSION=3
OS_CACERT=/home/ubuntu/snap/openstackclients/common/root-ca.crt
OS_AUTH_URL=https://10.0.0.162:5000/v3
OS_PROJECT_DOMAIN_NAME=admin_domain
OS_AUTH_PROTOCOL=https
OS_USERNAME=admin
OS_AUTH_TYPE=password
OS_USER_DOMAIN_NAME=admin_domain
OS_PROJECT_NAME=admin
OS_PASSWORD=aegoaquoo1veZae6
OS_IDENTITY_API_VERSION=3
Some of the above variables were not covered in the manual method but can be required in certain situations. For instance, Swift needs OS_AUTH_VERSION, Gnocchi looks for OS_AUTH_TYPE, and when backing Juju with OpenStack one needs to know the values of multiple variables.
Note
The helper files will set the Keystone endpoint variable OS_AUTH_URL to use HTTPS if Vault is detected as containing a root CA certificate. This will always be the case due to the OVN requirement for TLS via Vault. If Keystone is not TLS-enabled (for some reason) you will need to manually reset the above variable to use HTTP.