Access your OpenStack environment

This section explains how to access your OpenStack environment as the admin user.

Before you proceed, make sure that you can access the Kubernetes API and have privileges to read secrets from the openstack-external namespace in Kubernetes, or that you are able to exec into the pods in the openstack namespace.

Access OpenStack using the Kubernetes built-in admin CLI

You can use the built-in admin CLI client and execute the openstack commands from a dedicated pod deployed in the openstack namespace:

kubectl -n openstack exec \
  $(kubectl -n openstack get pod -l application=keystone,component=client -ojsonpath='{.items[*].metadata.name}') \
  -ti -- bash

This pod has python-openstackclient and all required plugins already installed. The python-openstackclient command-line client is configured to use the admin user credentials. You can view the detailed configuration for the openstack command in the /etc/openstack/clouds.yaml file in the pod.

Access an OpenStack environment through Horizon

  1. Configure the external DNS resolution for OpenStack services as described in Configure DNS to access OpenStack.

  2. Obtain the admin user credentials from the openstack-identity-credentials secret in the openstack-external namespace:

    kubectl -n openstack-external get secrets openstack-identity-credentials -o jsonpath='{.data.clouds\.yaml}' | base64 -d
    

    Example of a system response:

    clouds:
      admin:
        auth:
          auth_url: https://keystone.it.just.works/
          password: <ADMIN_PWD>
          project_domain_name: <ADMIN_PROJECT_DOMAIN>
          project_name: <ADMIN_PROJECT>
          user_domain_name: <ADMIN_USER_DOMAIN>
          username: <ADMIN_USER_NAME>
        endpoint_type: public
        identity_api_version: 3
        interface: public
        region_name: CustomRegion
      admin-system:
        auth:
          auth_url: https://keystone.it.just.works/
          password: <ADMIN_PWD>
          system_scope: all
          user_domain_name: <ADMIN_USER_DOMAIN>
          username: <ADMIN_USER_NAME>
        endpoint_type: public
        identity_api_version: 3
        interface: public
        region_name: CustomRegion
    
  3. Access Horizon through your browser using its public service. For example, https://horizon.it.just.works.

    To log in, specify the user name and domain name obtained in the previous step from the <ADMIN_USER_NAME> and <ADMIN_USER_DOMAIN> values.

    If the OpenStack Identity service has been deployed with the OpenID Connect integration:

    1. From the Authenticate using drop-down menu, select OpenID Connect.

    2. Click Connect. You will be redirected to your identity provider to proceed with the authentication.

    Note

    If OpenStack has been deployed with self-signed TLS certificates for public endpoints, you may get a warning about an untrusted certificate. To proceed, allow the connection.

Access OpenStack through CLI from your local machine

To access your OpenStack environment through the CLI, configure the openstack client environment using either an openstackrc environment file or a clouds.yaml file.

Using an openstackrc environment file:

  1. Log in to Horizon as described in Access an OpenStack environment through Horizon.

  2. Download the openstackrc file from the web UI.

  3. In any shell from which you want to run OpenStack commands, source the environment file for the respective project.

Using a clouds.yaml file:

  1. Obtain clouds.yaml:

    mkdir -p ~/.config/openstack
    kubectl -n openstack-external get secrets openstack-identity-credentials -o jsonpath='{.data.clouds\.yaml}' | base64 -d > ~/.config/openstack/clouds.yaml
    

    The OpenStack client looks for clouds.yaml in the following locations: current directory, ~/.config/openstack, and /etc/openstack.

  2. Export the OS_CLOUD environment variable:

    export OS_CLOUD=admin
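
The Obtain clouds.yaml step above redirects the admin password into a file created with the shell's default umask, and an empty response from kubectl would truncate a clouds.yaml that is already in place. The following added example (not part of the original documentation; save_clouds_yaml and file_mode are hypothetical helper names) decodes into a temporary file, checks that the result starts with a clouds: key, and installs it with mode 0600.

```shell
# Added example, not from the original documentation.
# save_clouds_yaml and file_mode are hypothetical helper names.

# Read a base64-encoded clouds.yaml on stdin and install it at $1 with
# mode 0600. The body runs in a subshell so umask and variables stay local.
save_clouds_yaml() (
  dest="$1"
  dir="$(dirname "$dest")"
  umask 077                          # new directories 0700, new files 0600
  mkdir -p "$dir" || exit 1
  tmp="$(mktemp "$dir/.clouds.yaml.XXXXXX")" || exit 1
  # Decode into a temporary file first: a failed or empty response must
  # not truncate a clouds.yaml that is already in place.
  if base64 -d > "$tmp" && grep -q '^clouds:' "$tmp"; then
    chmod 600 "$tmp" && mv -f "$tmp" "$dest"
  else
    rm -f "$tmp"
    echo "save_clouds_yaml: input is not a base64-encoded clouds.yaml" >&2
    exit 1
  fi
)

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage with the command from this page:
#   kubectl -n openstack-external get secrets openstack-identity-credentials \
#     -o jsonpath='{.data.clouds\.yaml}' | save_clouds_yaml ~/.config/openstack/clouds.yaml
#   file_mode ~/.config/openstack/clouds.yaml    # expect 600
```

If ~/.config/openstack already exists, its permissions are left unchanged; only a newly created directory gets mode 0700.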
    

Now, you can use the openstack CLI as usual. For example:

openstack user list

Example of an expected system response:

+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| dc23d2d5ee3a4b8fae322e1299f7b3e6 | internal_cinder |
| 8d11133d6ef54349bd014681e2b56c7b | admin           |
+----------------------------------+-----------------+

Note

If OpenStack was deployed with self-signed TLS certificates for public endpoints, you may need to use the openstack command-line client with certificate validation disabled. For example:

openstack --insecure user list