Bug 1328130

Summary: [RFE][nova]: Get and inject credentials needed to provision an instance
Product: Red Hat OpenStack
Reporter: Stephen Gordon <sgordon>
Component: openstack-nova
Assignee: Eoghan Glynn <eglynn>
Status: CLOSED NEXTRELEASE
QA Contact: Prasanth Anbalagan <panbalag>
Severity: medium
Docs Contact:
Priority: high
Version: 10.0 (Newton)
CC: ayoung, berrange, dasmith, eglynn, jschluet, kchamart, sbauza, sclewis, sferdjao, sgordon, srevivo, vromanso
Target Milestone: ga
Keywords: FutureFeature, Reopened, Triaged
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/nova/+spec/vendordata-reboot
Whiteboard: upstream_milestone_newton-3 upstream_definition_approved upstream_status_implemented
Fixed In Version:
Doc Type: Enhancement
Last Closed: 2016-09-29 14:20:37 UTC

Description Stephen Gordon 2016-04-18 14:22:22 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/nova/+spec/get-provision-credentials.

Description:

Credentials are needed to enroll a machine into an Identity Management
service. The process of generating these credentials needs to be done
synchronously before the instance is created so the generated credentials
are available to both the instance and the provisioning system. This needs
to be done before the instance is booted so enrollment can be done in the
cloud-init first boot so the process can be automated.

Specification URL (additional information):

https://review.openstack.org/305455

Comment 2 Stephen Gordon 2016-04-20 19:37:35 UTC
Discussing with the Nova team it seemed unlikely that something like this would be accepted into Nova itself. In parallel Adam Young and others have been discussing an alternative approach upstream:

http://lists.openstack.org/pipermail/openstack-dev/2016-April/091614.html

It seems like while being outside of Nova this approach does have implications for Nova deployment and configuration that would need to be reflected in TripleO. Adam, does that seem like a fair characterization to you?

Comment 3 Adam Young 2016-04-21 02:16:58 UTC
Yes, Rob Crittenden is leading this effort. The goal is to have an Identity Provider interface and driver, with a simple Keystone one as the baseline. More info after the summit.