Now that I can run the TripleO version of Keystone via podman, I want to try running it in OpenShift.
Here is my first hack at a deployment yaml. Note that it looks really similar to the keystone-db-init I got to run the other day.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: keystone-api
  labels:
    app: myapp
spec:
  containers:
  - image: docker.io/tripleomaster/centos-binary-keystone:current-tripleo
    imagePullPolicy: Always
    name: keystone
    volumeMounts:
    - name: keystone-conf
      mountPath: "/etc/keystone/"
  volumes:
  - name: keystone-conf
    secret:
      secretName: keystone-conf
      items:
      - key: keystone.conf
        path: keystone.conf
        mode: 511
```
If I run it with:
```
oc create -f keystone-pod.yaml
```
I get a CrashLoopBackoff error, with the following from the logs:
```
$ oc logs pod/keystone-api
sudo -E kolla_set_configs
sudo: unable to send audit message: Operation not permitted
INFO:main:Loading config file at /var/lib/kolla/config_files/config.json
ERROR:main:Unexpected error:
Traceback (most recent call last):
  File "/usr/local/bin/kolla_set_configs", line 412, in main
    config = load_config()
  File "/usr/local/bin/kolla_set_configs", line 294, in load_config
    config = load_from_file()
  File "/usr/local/bin/kolla_set_configs", line 282, in load_from_file
    with open(config_file) as f:
IOError: [Errno 2] No such file or directory: '/var/lib/kolla/config_files/config.json'
```
I modified the config.json to remove steps that were messing me up. I think I can now remove even that last config file, but I left it for now.
```json
{
  "command": "/usr/sbin/httpd",
  "config_files": [
    {
      "source": "/var/lib/kolla/config_files/src/*",
      "dest": "/",
      "merge": true,
      "preserve_properties": true
    }
  ],
  "permissions": [
    {
      "path": "/var/log/kolla/keystone",
      "owner": "keystone:keystone",
      "recurse": true
    }
  ]
}
```
I need to add the additional files to a config map and mount those inside the container. For example, I can create a config map with the config.json file, a secret for the Fernet key, and a config map for the apache files.
```
oc create configmap keystone-files --from-file=config.json=./config.json
kubectl create secret generic keystone-fernet-key --from-file=../kolla/src/etc/keystone/fernet-keys/0
oc create configmap keystone-httpd-files --from-file=wsgi-keystone.conf=../kolla/src/etc/httpd/conf.d/wsgi-keystone.conf
```
Here is my final pod definition:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: keystone-api
  labels:
    app: myapp
spec:
  containers:
  - image: docker.io/tripleomaster/centos-binary-keystone:current-tripleo
    imagePullPolicy: Always
    name: keystone
    env:
    - name: KOLLA_CONFIG_FILE
      value: "/var/lib/kolla/config_files/src/config.json"
    - name: KOLLA_CONFIG_STRATEGY
      value: "COPY_ONCE"
    volumeMounts:
    - name: keystone-conf
      mountPath: "/etc/keystone/"
    - name: httpd-config
      mountPath: "/etc/httpd/conf.d"
    - name: config-json
      mountPath: "/var/lib/kolla/config_files/src"
    - name: keystone-fernet-key
      mountPath: "/etc/keystone/fernet-keys/0"
  volumes:
  - name: keystone-conf
    secret:
      secretName: keystone-conf
      items:
      - key: keystone.conf
        path: keystone.conf
        mode: 511
  - name: keystone-fernet-key
    secret:
      secretName: keystone-fernet-key
      items:
      - key: "0"
        path: "0"
        mode: 511
  - name: config-json
    configMap:
      name: keystone-files
  - name: httpd-config
    configMap:
      name: keystone-httpd-files
```
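Kubernetes reads `mode: 511` in YAML as a decimal number, which is octal 0777, so both secret files in this pod are projected world-readable, writable and executable. The following check is an added example, not part of the original post: it audits the volume modes of a pod spec in JSON form, and the embedded sample is constructed from the pod definition above, with the function name and reason strings being assumptions of this example.

```python
import json

# Constructed sample: the volumes section of the final pod definition above,
# in the JSON form the API uses (file modes are always decimal in JSON).
POD_JSON = """
{"spec": {"volumes": [
  {"name": "keystone-conf", "secret": {"secretName": "keystone-conf",
    "items": [{"key": "keystone.conf", "path": "keystone.conf", "mode": 511}]}},
  {"name": "keystone-fernet-key", "secret": {"secretName": "keystone-fernet-key",
    "items": [{"key": "0", "path": "0", "mode": 511}]}},
  {"name": "config-json", "configMap": {"name": "keystone-files"}},
  {"name": "httpd-config", "configMap": {"name": "keystone-httpd-files"}}
]}}
"""

API_DEFAULT_MODE = 0o644  # Kubernetes default when defaultMode is not set


def audit_volume_modes(pod):
    """Return (volume, path, octal mode, reasons) for over-permissive projected files."""
    findings = []
    for vol in pod["spec"].get("volumes", []):
        for kind in ("secret", "configMap"):
            src = vol.get(kind)
            if src is None:
                continue
            default = src.get("defaultMode", API_DEFAULT_MODE)
            # Without an items list every key is projected with the default mode.
            entries = src.get("items") or [{"path": "*"}]
            for item in entries:
                mode = item.get("mode", default)
                reasons = []
                if mode & 0o022:
                    reasons.append("group/other writable")
                if mode & 0o111:
                    reasons.append("executable")
                if kind == "secret" and mode & 0o007:
                    reasons.append("secret accessible to other")
                if reasons:
                    findings.append((vol["name"], item["path"], oct(mode), reasons))
    return findings


if __name__ == "__main__":
    for name, path, mode, reasons in audit_volume_modes(json.loads(POD_JSON)):
        print(f"{name}/{path}: mode {mode} ({', '.join(reasons)})")
```

To run it against the live pod, feed it the output of `oc get pod keystone-api -o json` instead of the embedded sample.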
And show that it works for basic stuff:
```
$ oc rsh keystone-api
sh-4.2# curl 10.131.1.98:5000
{"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.131.1.98:5000/v3/", "rel": "self"}]}]}}
curl (HTTP://10.131.1.98:5000/): response: 300, time: 3.314, size: 266
```
Next steps: expose a route, make sure we can get a token.