Access your OpenStack environment
This section explains how to access your OpenStack environment as the admin user.
Before you proceed, make sure that you can access the Kubernetes API and either have privileges to read secrets from the openstack-external namespace in Kubernetes or are able to exec into the pods in the openstack namespace.
Access OpenStack using the Kubernetes built-in admin CLI
You can use the built-in admin CLI client and execute the openstack commands from a dedicated pod deployed in the openstack namespace:
kubectl -n openstack exec \
$(kubectl -n openstack get pod -l application=keystone,component=client -ojsonpath='{.items[*].metadata.name}') \
-ti -- bash
This pod has python-openstackclient and all required plugins already installed. The python-openstackclient command-line client is configured to use the admin user credentials. You can view the detailed configuration for the openstack command in the /etc/openstack/clouds.yaml file in the pod.
Access an OpenStack environment through Horizon
Configure the external DNS resolution for OpenStack services as described in Configure DNS to access OpenStack.
Obtain the admin user credentials from the openstack-identity-credentials secret in the openstack-external namespace:
kubectl -n openstack-external get secrets openstack-identity-credentials -o jsonpath='{.data.clouds\.yaml}' | base64 -d
Example of a system response:
clouds:
  admin:
    auth:
      auth_url: https://keystone.it.just.works/
      password: <ADMIN_PWD>
      project_domain_name: <ADMIN_PROJECT_DOMAIN>
      project_name: <ADMIN_PROJECT>
      user_domain_name: <ADMIN_USER_DOMAIN>
      username: <ADMIN_USER_NAME>
    endpoint_type: public
    identity_api_version: 3
    interface: public
    region_name: CustomRegion
  admin-system:
    auth:
      auth_url: https://keystone.it.just.works/
      password: <ADMIN_PWD>
      system_scope: all
      user_domain_name: <ADMIN_USER_DOMAIN>
      username: <ADMIN_USER_NAME>
    endpoint_type: public
    identity_api_version: 3
    interface: public
    region_name: CustomRegion
Access Horizon through your browser using its public service. For example, https://horizon.it.just.works.
To log in, specify the user name and domain name obtained in the previous step from the <ADMIN_USER_NAME> and <ADMIN_USER_DOMAIN> values.
If the OpenStack Identity service has been deployed with the OpenID Connect integration:
From the Authenticate using drop-down menu, select OpenID Connect.
Click Connect. You will be redirected to your identity provider to proceed with the authentication.
Note
If OpenStack has been deployed with self-signed TLS certificates for public endpoints, you may get a warning about an untrusted certificate. To proceed, allow the connection.
Access OpenStack through CLI from your local machine
To be able to access your OpenStack environment through the CLI, you need to configure the openstack client environment using either an openstackrc environment file or a clouds.yaml file.
Log in to Horizon as described in Access an OpenStack environment through Horizon.
Download the openstackrc file from the web UI.
On any shell from which you want to run OpenStack commands, source the environment file for the respective project.
Obtain clouds.yaml:
mkdir -p ~/.config/openstack
kubectl -n openstack-external get secrets openstack-identity-credentials -o jsonpath='{.data.clouds\.yaml}' | base64 -d > ~/.config/openstack/clouds.yaml
The OpenStack client looks for clouds.yaml in the following locations: current directory, ~/.config/openstack, and /etc/openstack.
Export the OS_CLOUD environment variable:
export OS_CLOUD=admin
Now, you can use the openstack CLI as usual. For example:
openstack user list
Example of an expected system response:
+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| dc23d2d5ee3a4b8fae322e1299f7b3e6 | internal_cinder |
| 8d11133d6ef54349bd014681e2b56c7b | admin |
+----------------------------------+-----------------+
Note
If OpenStack was deployed with self-signed TLS certificates for public endpoints, you may need to use the openstack command-line client with certificate validation disabled. For example:
openstack --insecure user list
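The clouds.yaml step above redirects the decoded secret straight into ~/.config/openstack/clouds.yaml, so the file holding the admin password gets whatever mode the shell's umask allows, and the redirect truncates an existing file even when the kubectl call fails. The following is an added example, not part of the original documentation: a hypothetical helper function, install_clouds_yaml, that reads the decoded secret from stdin, writes it with owner-only permissions, and replaces the existing file only when the input looks like a clouds.yaml.

```shell
# Added example; install_clouds_yaml is a hypothetical helper name.
# Reads a decoded clouds.yaml from stdin and installs it as
# <dest_dir>/clouds.yaml, readable by the current user only.
# The function body runs in a subshell so umask and variables stay local.
install_clouds_yaml() (
    dest_dir="${1:-$HOME/.config/openstack}"   # default location from this page

    umask 077                                  # new dirs 0700, new files 0600
    mkdir -p "$dest_dir" || exit 1

    # Write to a temporary file in the same directory so the final
    # rename is atomic and an existing clouds.yaml is never truncated.
    tmp="$(mktemp "$dest_dir/.clouds.yaml.XXXXXX")" || exit 1
    cat > "$tmp"

    # An empty or unexpected payload (for example, after a failed kubectl
    # call or an RBAC denial) must not replace working credentials.
    if ! grep -q '^clouds:' "$tmp"; then
        echo "install_clouds_yaml: input is not a clouds.yaml, keeping existing file" >&2
        rm -f "$tmp"
        exit 1
    fi

    chmod 600 "$tmp" && mv -f "$tmp" "$dest_dir/clouds.yaml"
)

# Usage with the command from this page (requires cluster access):
#   kubectl -n openstack-external get secrets openstack-identity-credentials \
#     -o jsonpath='{.data.clouds\.yaml}' | base64 -d | install_clouds_yaml
```
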