Access your OpenStack environment
This section explains how to access your OpenStack environment as the Admin user.
Before you proceed, verify that you can access the Kubernetes API and have privileges to read secrets from the openstack namespace in Kubernetes or you are able to exec to the pods in this namespace.
Access OpenStack using the Kubernetes built-in admin CLI
You can use the built-in admin CLI client and execute the openstack CLI commands from a dedicated pod deployed in the openstack namespace:
kubectl -n openstack exec \
$(kubectl -n openstack get pod -l application=keystone,component=client -ojsonpath='{.items[*].metadata.name}') \
-ti -- bash
This pod has python-openstackclient and all required plugins already installed. Also, this pod has cloud admin credentials stored as appropriate shell environment variables for the openstack CLI command to consume.
Access an OpenStack environment through Horizon
Configure the external DNS resolution for OpenStack services as described in Configure DNS to access OpenStack.
Obtain the password of the Admin user:
kubectl -n openstack get secret keystone-keystone-admin -ojsonpath='{.data.OS_PASSWORD}' | base64 -d
Access Horizon through your browser using its public service. For example, https://horizon.it.just.works.
To log in, specify the admin user name and default domain. If the OpenStack Identity service has been deployed with the OpenID Connect integration:
From the Authenticate using drop-down menu, select OpenID Connect.
Click Connect. You will be redirected to your identity provider to proceed with the authentication.
Note
If OpenStack has been deployed with self-signed TLS certificates for public endpoints, you may get a warning about an untrusted certificate. To proceed, allow the connection.
Access OpenStack through CLI from your local machine
To be able to access your OpenStack environment using CLI, you need to set the required environment variables that are stored in an OpenStack RC environment file. You can either download a project-specific file from Horizon, which is the easiest way, or create an environment file.
To access OpenStack through CLI, select from the following options:
Download and source the OpenStack RC file:
Log in to Horizon as described in Access an OpenStack environment through Horizon.
Download the openstackrc or clouds.yaml file from the Web interface.
On any shell from which you want to run OpenStack commands, source the environment file for the respective project.
Create and source the OpenStack RC file:
Configure the external DNS resolution for OpenStack services as described in Configure DNS to access OpenStack.
Create a stub of the OpenStack RC file:
cat << EOF > openstackrc
export OS_PASSWORD=$(kubectl -n openstack get secret keystone-keystone-admin -ojsonpath='{.data.OS_PASSWORD}' | base64 -d)
export OS_USERNAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default
export OS_REGION_NAME=RegionOne
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION="3"
EOF
Add the Keystone public endpoint to this file as the OS_AUTH_URL variable. For example, for the domain name used throughout this guide:
echo export OS_AUTH_URL=https://keystone.it.just.works >> openstackrc
Source the obtained data into the shell:
source openstackrc
Now, you can use the openstack CLI as usual. For example:
openstack user list
+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| dc23d2d5ee3a4b8fae322e1299f7b3e6 | internal_cinder |
| 8d11133d6ef54349bd014681e2b56c7b | admin           |
+----------------------------------+-----------------+
Note
If OpenStack was deployed with self-signed TLS certificates for public endpoints, you may need to use the openstack CLI client with certificate validation disabled. For example:
openstack --insecure user list
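A hardened variant of the RC file stub from "Create and source the OpenStack RC file", given as an added example that is not part of the original guide. The stub expands the admin password unquoted into a file created with the default umask, so this version single-quotes the value and forces mode 0600 before the secret is written. The function names sh_quote and write_openstackrc and the https-only check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original guide).

# Single-quote a value so that sourcing the RC file never expands
# spaces, $, backticks or quotes inside it.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# write_openstackrc FILE AUTH_URL   (password is read from stdin)
write_openstackrc() {
    rc_file=$1
    auth_url=$2
    password=$(cat)    # stdin keeps the secret out of argv and shell history
    [ -n "$password" ] || { echo "empty password on stdin" >&2; return 1; }
    case $auth_url in
        https://*) ;;  # choice made by this example: TLS endpoints only
        *) echo "OS_AUTH_URL must be an https:// URL" >&2; return 1 ;;
    esac
    # Create or truncate the file, then force mode 0600 before any secret
    # is written, including when the file already existed with a wider mode.
    ( umask 077; : > "$rc_file" ) || return 1
    chmod 600 "$rc_file" || return 1
    {
        printf 'export OS_PASSWORD=%s\n' "$(sh_quote "$password")"
        printf 'export OS_AUTH_URL=%s\n' "$(sh_quote "$auth_url")"
        cat <<'EOF'
export OS_USERNAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default
export OS_REGION_NAME=RegionOne
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION="3"
EOF
    } >> "$rc_file"
}

# Usage with the commands from this page:
#   kubectl -n openstack get secret keystone-keystone-admin \
#     -ojsonpath='{.data.OS_PASSWORD}' | base64 -d |
#     write_openstackrc openstackrc https://keystone.it.just.works
```
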