2 min read OpenStack

Manage multiple environments with OpenStack CLI clouds.yml

Manage multiple environments with OpenStack CLI clouds.yml
Photo by ullas us / Unsplash

If you want to use the OpenStack CLI with multiple configurations, you can use a yaml configuration file instead of the classic rc file.

From the official documentation: clouds.yaml is a configuration file that contains everything needed to connect to one or more clouds. It may contain private information and is generally considered private to a user.

Note that it is only working with the openstack CLI. For swift and other dedicated CLI, no choice than use the standard rc configuration file, or manually load the variables.

Install the CLI

I like using a virtual environment: if you want to do the same, just create and activate it: 

mkdir ~/openstack-cli
python3 -m venv ~/openstack-cli
source ~/openstack-cli/bin/activate

Then update pip and install the python-openstackclient package:

pip install -U pip
pip install python-openstackclient

If you don't want to use a virtual environment, simply skip the first step and run the 2 commands above.

Configuration file location

The configuration file is named clouds.yaml.

You can put it in different locations:

  • in the current directory or where you usually run the CLI
  • ~/.config/openstack
  • /etc/openstack

Configuration examples

Let's say we have 3 distinct deployments with 3 differents Keystone API endpoints:

  • prod with the Keystone endpoint https://auth.openstack.cloud
  • staging with the Keystone endpoint https://auth.openstack.staging
  • lab with the Keystone endpoint https://auth.openstack.lab

Here's how the configuration would look like: 

clouds:
  prod:
    auth:
      auth_url: https://auth.openstack.cloud/
      project_name: admin
      username: admin
      password:
    identity_api_version: 3
  staging:
    auth:
      auth_url: https://auth.openstack.staging/
      project_name: admin
      username: admin
      password:
    identity_api_version: 3
    verify: false
  lab:
    auth:
      auth_url: https://auth.openstack.lab/
      project_name: admin
      username: admin
      password: 
    identity_api_version: 3
    verify: False

The verify: False is useful if you have some deployments using self-signed SSL certificate.

The identity_api_version is most probably not needed. In my case, I still work with legacy environments running Keystone V2 alongside of Keystone V3, so I like to be sure I'm using Keystone V3.

You can also set the same API endpoint multiple times for interacting with different projects or even different users in the same project to test the permissions for example.

Let's say you have:

  • an admin user dedicated for administration tasks and you want to use the administrative tenant (admin_project_name in your Keystone configuration)
  • an user without privileges named user , that only have rights in a specific tenant named testing

The configuration file would look like that: 

(openstack) cat .config/openstack/clouds.yaml
clouds:
  admin:
    auth:
      auth_url: https://auth.openstack.cloud/
      project_name: admin
      username: admin
      password:
    identity_api_version: 3
  testing:
    auth:
      auth_url: https://auth.openstack.cloud/
      project_name: testing
      username: user
      password:
    identity_api_version: 3

Examples

Now you can use the CLI with multiples clouds, tenant or user, simply by appending --os-cloud XXXX to your openstack command.

List all the projects in the prod environment:

(openstack) openstack project list --os-cloud prod
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| a8ep4c9ikfwqssvtssrynnwxvhqs3w5b | admin      |
| a45gjjqhire7pmfaxdec4sj7wen2j5s6 | testing    |
| a6bb3c8cd39149dc988290a223032004 | production |
| a92eisc65wy7rnbpv4miegmgiaas26yf | staging    |
+----------------------------------+------------+

Show the details of project lab1 in the lab environment:

(openstack) openstack project show lab1 --os-cloud lab
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Lab tenant                       |
| domain_id   | default                          |
| enabled     | True                             |
| id          | a5hnVv58avzaYKHwNE6Wq8TtNS8rUvKw |
| is_domain   | False                            |
| name        | lab1                             |
| parent_id   | default                          |
+-------------+----------------------------------+

List the domains of staging environment: 

(openstack) openstack domain list --os-cloud prod
+---------+---------+---------+----------------+
| ID      | Name    | Enabled | Description    |
+---------+---------+---------+----------------+
| default | Default | True    | Default domain |
+---------+---------+---------+----------------+

Credits

Official documentation: https://docs.openstack.org/python-openstackclient/latest/configuration/index.html

Published by:

Antoine Bayard

You might also like...

Aug
11

Hashicorp Vault and Kolla Ansible, Part II: integration with GitLab CI

7 min read
Aug
10

Hashicorp Vault and Kolla Ansible, Part I: Integrate Vault secrets in your playbook

8 min read
Mar
04

CloudFlare Zero Trust, or how I ditched basic auth

4 min read
Feb
07

Vultr firewall: automatically update a rule with dynamic IP

3 min read
Oct
18

OpenStack Kolla-ansible: deploy Ceph with ceph-ansible

4 min read