In order to run the various Keystone containers as the Keystone user, we can use the modification specified here.
First, add a keystone service account and a security context constraint (SCC) that lets it run as the keystone user. The anyuid SCC is probably more power than we really want to give it, but it will force things to work. Then update the deployment config to use this new service account.
$ oc create serviceaccount keystone
serviceaccount/keystone created
$ oc adm policy add-scc-to-user anyuid -z keystone --as system:admin
securitycontextconstraints.security.openshift.io/anyuid added to: ["system:serviceaccount:keystondev:keystone"]
$ oc patch deploymentconfig.apps.openshift.io/keystone-db-init --patch '{"spec":{"template":{"spec":{"serviceAccountName": "keystone"}}}}'
deploymentconfig.apps.openshift.io/keystone-db-init patched
Now looking at the log:
$ oc logs pod/keystone-db-init-2-nwg8g
Databasedb-sync+ echo -n Database
+ echo -n db-sync
+ keystone-manage db_sync
 [COMPLETE]
bootstrap + echo ' [COMPLETE]'
+ echo -n 'bootstrap '
+ keystone-manage bootstrap --bootstrap-password=FreeIPA4All
/etc/keystone/fernet-keys/ does not exist
 [COMPLETE]
+ echo ' [COMPLETE]'
We see that the application ran without throwing an error: both db_sync and bootstrap reach [COMPLETE], even though the log notes that /etc/keystone/fernet-keys/ does not exist.
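The procedure above as an added script (not code from the original post): it creates the service account, grants the SCC and patches the deploymentconfig so that it can be re-run safely, and then checks that the rolled-out pod really runs under the keystone service account and the anyuid SCC by reading the pod's openshift.io/scc annotation. The keystondev project name is taken from the SCC output above; the --apply and --verify flags are this script's own.

```shell
#!/bin/sh
# Added example: the service-account / SCC / deploymentconfig steps from the post,
# made idempotent, plus a check of what the cluster actually admitted.
set -eu

NAMESPACE="${NAMESPACE:-keystondev}"   # project name from the SCC output in the post
DC="${DC:-keystone-db-init}"
SA="keystone"
SCC="anyuid"   # broader than strictly needed, as the post notes; kept as given

# Strategic-merge patch that points the pod template at the service account.
sa_patch() {
    printf '{"spec":{"template":{"spec":{"serviceAccountName":"%s"}}}}' "$1"
}

# Create the service account only if it is missing, so the script can be re-run.
ensure_service_account() {
    oc -n "$NAMESPACE" get serviceaccount "$SA" >/dev/null 2>&1 \
        || oc -n "$NAMESPACE" create serviceaccount "$SA"
}

grant_scc() {
    oc adm policy add-scc-to-user "$SCC" -z "$SA" -n "$NAMESPACE"
}

patch_dc() {
    oc -n "$NAMESPACE" patch "deploymentconfig.apps.openshift.io/$DC" \
        --patch "$(sa_patch "$SA")"
}

# Check the rolled-out pod: its serviceAccountName, and the SCC the admission
# controller recorded in the openshift.io/scc annotation. Returns 1 on mismatch.
verify_pod() {
    got_sa=$(oc -n "$NAMESPACE" get pod "$1" -o jsonpath='{.spec.serviceAccountName}')
    got_scc=$(oc -n "$NAMESPACE" get pod "$1" -o jsonpath='{.metadata.annotations.openshift\.io/scc}')
    [ "$got_sa" = "$SA" ] && [ "$got_scc" = "$SCC" ]
}

# The flags are this script's own: without them the file only defines functions.
case "${1:-}" in
    --apply)  ensure_service_account; grant_scc; patch_dc ;;
    --verify) verify_pod "${2:?pod name}" ;;
esac
```

If verify_pod reports a different SCC than expected, the pod was admitted under another constraint (for example because the service account also matches a more permissive SCC), which is worth knowing before relying on anyuid for the fix.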