devstack/openrc
Dean Troyer c83a7e125f Add TLS support for keystone via proxy
* Adds lib/tls to create test CA/certs
* Start proxy if 'tls-proxy' is enabled
* Configure keystone service catalog for TLS
* Tear down proxy in unstack.sh
* Set auth protocol and ca-cert chain in openrc
* Add DATA_DIR to stackrc

This is the first in a series of patches to enable TLS support
for the service API endpoints.

Change-Id: Ia1c91dc8f1aaf94fbec9dc71da322559a83d14b6
2012-12-11 17:08:54 -06:00

82 lines
2.9 KiB
Bash

#!/usr/bin/env bash
#
# source openrc [username] [tenantname]
#
# Configure a set of credentials for $TENANT/$USERNAME:
# Set OS_TENANT_NAME to override the default tenant 'demo'
# Set OS_USERNAME to override the default user name 'demo'
# Set ADMIN_PASSWORD to set the password for 'admin' and 'demo'
# NOTE: support for the old NOVA_* novaclient environment variables has
# been removed.
if [[ -n "$1" ]]; then
OS_USERNAME=$1
fi
if [[ -n "$2" ]]; then
OS_TENANT_NAME=$2
fi
# Find the other rc files
RC_DIR=$(cd $(dirname "$BASH_SOURCE") && pwd)
# Import common functions
source $RC_DIR/functions
# Load local configuration
source $RC_DIR/stackrc
# Get some necessary configuration
source $RC_DIR/lib/tls
# The introduction of Keystone to the OpenStack ecosystem has standardized the
# term **tenant** as the entity that owns resources. In some places references
# still exist to the original Nova term **project** for this use. Also,
# **tenant_name** is prefered to **tenant_id**.
export OS_TENANT_NAME=${OS_TENANT_NAME:-demo}
# In addition to the owning entity (tenant), nova stores the entity performing
# the action as the **user**.
export OS_USERNAME=${OS_USERNAME:-demo}
# With Keystone you pass the keystone password instead of an api key.
# Recent versions of novaclient use OS_PASSWORD instead of NOVA_API_KEYs
# or NOVA_PASSWORD.
export OS_PASSWORD=${ADMIN_PASSWORD:-secrete}
# Don't put the key into a keyring by default. Testing for development is much
# easier with this off.
export OS_NO_CACHE=${OS_NO_CACHE:-1}
# Set api HOST_IP endpoint. SERVICE_HOST may also be used to specify the endpoint,
# which is convenient for some localrc configurations.
HOST_IP=${HOST_IP:-127.0.0.1}
SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}
SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
# Some exercises call glance directly. On a single-node installation, Glance
# should be listening on HOST_IP. If its running elsewhere, it can be set here
GLANCE_HOST=${GLANCE_HOST:-$HOST_IP}
# Authenticating against an Openstack cloud using Keystone returns a **Token**
# and **Service Catalog**. The catalog contains the endpoints for all services
# the user/tenant has access to - including nova, glance, keystone, swift, ...
# We currently recommend using the 2.0 *identity api*.
#
# *NOTE*: Using the 2.0 *identity api* does not mean that compute api is 2.0. We
# will use the 1.1 *compute api*
export OS_AUTH_URL=$SERVICE_PROTOCOL://$SERVICE_HOST:5000/v2.0
# Set the pointer to our CA certificate chain. Harmless if TLS is not used.
export OS_CACERT=$INT_CA_DIR/ca-chain.pem
# Currently novaclient needs you to specify the *compute api* version. This
# needs to match the config of your catalog returned by Keystone.
export NOVA_VERSION=${NOVA_VERSION:-1.1}
# In the future this will change names:
export COMPUTE_API_VERSION=${COMPUTE_API_VERSION:-$NOVA_VERSION}
# set log level to DEBUG (helps debug issues)
# export KEYSTONECLIENT_DEBUG=1
# export NOVACLIENT_DEBUG=1