Note: Every service typically has its own password for access. To keep the learning curve short and simple, a single password is used for all of them here.
Create the database and grant privileges (from the MySQL prompt):
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'commonpass';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'commonpass';
FLUSH PRIVILEGES;
exit;
Install package
apt -y install keystone
Update the configuration in /etc/keystone/keystone.conf – in the respective sections, as shown below
[database]
connection = mysql+pymysql://keystone:commonpass@controller/keystone

[token]
provider = fernet
Populate the Identity service database
su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize the Fernet key repositories (the options name the user and group that keystone runs as)
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the Identity service
keystone-manage bootstrap --bootstrap-password commonpass \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
Edit /etc/apache2/apache2.conf and add the following configuration
ServerName controller
Then restart Apache
service apache2 restart
Set environment variables for the administrative account
export OS_USERNAME=admin
export OS_PASSWORD=commonpass
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
Domains, projects, users and roles
The “default” domain already exists from the keystone-manage bootstrap step, so creating a domain is skipped.
Create a project named “service” (to stay in line with the step-by-step guide being followed)
openstack project create --domain default --description "Service Project" service
Create a project with a user account for underprivileged (non-admin) users
openstack project create --domain default --description "Kubernetes Project" kproject
openstack user create --domain default --password-prompt kuser
openstack role create krole
openstack role add --project kproject --user kuser krole
Verify that tokens can be issued for the admin and the non-admin user
unset OS_AUTH_URL OS_PASSWORD
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
Password:
Password:
+------------+----------------------------------------+
| Field      | Value                                  |
+------------+----------------------------------------+
| expires    | 2020-10-07T05:01:31+0000               |
| id         | gAAAAABffT2bKOhUzX3VC8MoyaEY3aI8r…0I   |
| project_id | fff0b7a4d94448498d8703c8aa1a5d8b       |
| user_id    | 5326b26027b143aaae10d7bf0f1fee6b       |
+------------+----------------------------------------+

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name kproject --os-username kuser token issue
Password:
Password:
+------------+----------------------------------------+
| Field      | Value                                  |
+------------+----------------------------------------+
| expires    | 2020-10-07T05:02:24+0000               |
| id         | gAAAAABffT3QXC4HjiE5viiu-ZLlXqYRy…IM   |
| project_id | 4948fbd742b74910a0620ef93b92f91e       |
| user_id    | 36a722e921d242f9944b4754015ec734       |
+------------+----------------------------------------+
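The token ids above start with gAAAAAB because the [token] provider is fernet: a Fernet token opens with an unencrypted version byte (0x80) and a 64-bit creation timestamp, so the issue time is readable without any key. The Python below is an added example, not part of the original guide; the function names are my own, and it uses only the first 12 characters of the truncated ids printed above to compare issue time against the expires field.

```python
import base64
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80  # first byte of every Fernet token


def fernet_issued_at(token: str) -> datetime:
    """Return the creation time stored in the clear in a Fernet token header."""
    head = token[:12]  # 12 base64url chars = 9 bytes: version + timestamp
    if len(head) < 12:
        raise ValueError("need at least the first 12 characters of the token")
    raw = base64.urlsafe_b64decode(head)
    version, issued = struct.unpack(">BQ", raw)  # big-endian u8 + u64
    if version != FERNET_VERSION:
        raise ValueError("not a Fernet token (version byte is not 0x80)")
    return datetime.fromtimestamp(issued, tz=timezone.utc)


def lifetime_seconds(token: str, expires: str) -> int:
    """Seconds between the header timestamp and the 'expires' field."""
    exp = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S%z")
    return int((exp - fernet_issued_at(token)).total_seconds())


# (id, expires) pairs copied from the two 'token issue' outputs above;
# the ids are truncated on the page and only their prefix is decoded.
SAMPLES = [
    ("gAAAAABffT2bKOhUzX3VC8MoyaEY3aI8r…0I", "2020-10-07T05:01:31+0000"),
    ("gAAAAABffT3QXC4HjiE5viiu-ZLlXqYRy…IM", "2020-10-07T05:02:24+0000"),
]

if __name__ == "__main__":
    for token, expires in SAMPLES:
        issued = fernet_issued_at(token)
        print(issued.isoformat(), "lifetime:", lifetime_seconds(token, expires), "s")
```

Both tokens come out with a 3600-second lifetime, which matches Keystone's default token expiration. Because a token id is a bearer credential for that whole window, it should be kept out of shell history, logs and shared terminal captures.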
The openstack client makes use of environment variables if they are set; otherwise it expects the inputs as command line arguments. Create two client environment scripts which can be ‘sourced’ as and when required.
Create admin-openrc with the following contents
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=commonpass
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Create user-openrc with the following contents
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=kproject
export OS_USERNAME=kuser
export OS_PASSWORD=commonpass
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Using the scripts
. admin-openrc
openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2020-10-07T05:17:29+0000         |
| id         | gAAAAABffUFZlSRmx2bYNFec1…DpWw   |
| project_id | fff0b7a4d94448498d8703c8aa1a5d8b |
| user_id    | 5326b26027b143aaae10d7bf0f1fee6b |
+------------+----------------------------------+

. user-openrc
openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2020-10-07T05:17:38+0000         |
| id         | gAAAAABffUFio8WX5cpHERZD…hS3GE   |
| project_id | 4948fbd742b74910a0620ef93b92f91e |
| user_id    | 36a722e921d242f9944b4754015ec734 |
+------------+----------------------------------+