fix: re-add keystone rxt auth to the default deployment

The keystone image we're using wasn't pointed at the rackerlabs image
which broke our auth plugin. This change updates the image reference
to our new 2024.1 image type and uncomments the auth section.

Adds documentation on getting started with the CLI.

Depends-On: rackerlabs/keystone-rxt#6
Signed-off-by: Kevin Carter <[email protected]>

Author: cloudnull

docs/openstack-deploy-cli.md

@@ -2,49 +2,66 @@
 
 Before we can get started we need to install a few things.
 
-#### Installing Python
+## Installing Python
 
-Installed by default on Mac OS X.
+While most operating systems have some form of Python already installed, you will need to ensure you have python available on your system to use the standard command line utilities. If you need to install python, consult your operating system documentation or the upstream python [documentation](https://www.python.org/downloads) to get started.
 
-Many Linux distributions provide packages to make setuptools easy to install. Search your package manager for setuptools to find an installation package. If you cannot find one, download the setuptools package directly from https://pip.pypa.io/en/stable/installation.
+### Installing `pip`
 
-The recommended way to install setuptools on Microsoft Windows is to follow the documentation provided on the setuptools website (https://pypi.python.org/pypi/setuptools).
+Pip is the python package manager and can make installing libraries very simple; however, some build tools may be required. For more information on installing `pip`, consult the [upstream documentation](https://pip.pypa.io/en/stable/installation).
 
-#### Installing pip
-
-MacOS
-
-!!! note
-
-    Users may want to use a Virtual Environment so that they do not have any risk of hurting their default Python environment. For more information on seting up a venv please visit (https://docs.python.org/3/library/venv.html).
+#### MacOS
 
 ``` shell
-easy_install pip
+python -m ensurepip --upgrade
 ```
 
-Microsoft Windows
+#### Microsoft Windows
 
 Ensure that the C:\Python27\Scripts directory is defined in the PATH environment variable, and use the easy_install command from the setuptools package:
 
 ``` shell
-C:\>easy_install pip
+C:> py -m ensurepip --upgrade
 ```
 
-Ubuntu or Debian
+#### Linux
 
 ``` shell
-apt-get install python-dev python-pip
+python -m ensurepip --upgrade
 ```
 
-#### Installing the Openstack Client Using Pip
+### Installing the Openstack Client Using `pip`
+
+Assuming you have `pip` installed, it can be used to install the openstack client utilities.
+
+!!! tip
+
+    Users may want to use a Virtual Environment so that they do not have any risk of hurting their default Python environment. For more information on seting up a venv please visit the python [documentation](https://packaging.python.org/en/latest/tutorials/installing-packages/#creating-and-using-virtual-environments) on working with virtual environments.
 
 ``` shell
 pip install python-openstackclient
 ```
 
-!!! note
+For further information on Openstack Command Line and Authentication please visit the [upstream docs](https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.html).
 
-    You may want to set the PATH to you opesntack to more easily use the commands.
+### Installing the OpenStack Client with packages
 
+Package based client install is a great way to simplify the installation process, however, it does come with a greater possibility to lag behind a given release and may not be as featurefull.
 
-For further information on Openstack Command Line and Authentication please visit the [upstream docs](https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.html).
+#### MacOS
+
+``` shell
+brew install openstackclient
+```
+
+#### Ubuntu or Debian
+
+``` shell
+apt install python3-openstackclient
+```
+
+#### Enterprise Linux
+
+``` shell
+dnf install python3-openstackclient
+```

docs/openstack-getting-started-cli.md

@@ -0,0 +1,76 @@
+# OpenStack Getting Started with CLI
+
+After you have installed the OpenStack command-line tools, you can proceed with initializing your account. This guide will show you how to run a command with an unscoped and scoped token to set up your account.
+
+!!! note
+
+    This document makes the assumption that your account has the `OPENSTACK_FLEX` role assigned to it. If you do not have the `OPENSTACK_FLEX` role, you may not be permitted access to the environment.
+
+## Prerequisites
+
+1. Ensure you have the OpenStack command-line tools installed. If not, follow the instructions in the [Openstack Deploying the Command Line Tools](openstack-deploy-cli.md) documentation.
+2. Obtain your OpenStack credentials: **username**, **password**, and **domain**.
+3. Obtain the authentication URL.
+
+## Authenticating with OpenStack
+
+Before you can run OpenStack commands, you need to authenticate using your OpenStack credentials. This involves obtaining an unscoped token and then using it to get a scoped token.
+
+### Step 1: Obtain your projects
+
+To obtain a list of our available projects, we'll need to run a command with an unscoped token. Unscoped tokens are used to identify a user but does not define an association with a project.
+
+!!! note
+
+    This step authenticates you with the OpenStack Identity service (Keystone) and is required for first time access to the environment.
+
+Run the following command, replacing the placeholders with your actual OpenStack credentials:
+
+``` shell
+openstack project list --os-auth-url ${AUTH_URL} \
+                       --os-username ${USERNAME} \
+                       --os-password ${PASSWORD} \
+                       --os-user-domain-name ${DOMAIN_NAME}
+```
+
+> Replace the placeholders with your actual credentials and project name.
+
+This command returns a list of your available projects, the returned information will be used to in later commands
+
+### Step 2: Obtain a Scoped Token
+
+A scoped token is associated with a specific project and is used to perform actions within that project.
+
+Run the following command to obtain a scoped token:
+
+``` shell
+openstack token issue --os-auth-url ${AUTH_URL} \
+                      --os-username ${USERNAME} \
+                      --os-password ${PASSWORD} \
+                      --os-user-domain-name ${DOMAIN_NAME} \
+                      --os-project-domain-name ${DOMAIN_NAME} \
+                      --os-project-name ${PROJECT_NAME}
+```
+
+This command returns a scoped token that you will use for subsequent OpenStack commands.
+
+## Running an OpenStack Command
+
+With your scoped token, you can now run OpenStack commands. For example, to list the available flavors, use:
+
+``` shell
+openstack flavor list --os-auth-url ${AUTH_URL} \
+                      --os-username ${USERNAME} \
+                      --os-password ${PASSWORD} \
+                      --os-user-domain-name ${DOMAIN_NAME} \
+                      --os-project-domain-name ${DOMAIN_NAME} \
+                      --os-project-name ${PROJECT_NAME}
+```
+
+This command lists all flavors available to your project.
+
+## Further Reading
+
+For more detailed information on OpenStack command-line interface and authentication, refer to the [our documentation](openstack-clouds.md) for creating your `clouds.yaml`.
+
+By following these steps, you should be able to initialize your account and start using the OpenStack CLI.

docs/openstack-keystone-federation.md

@@ -27,11 +27,21 @@ You're also welcome to generate your own mapping to suit your needs; however, if
 Now register the mapping within Keystone.
 
 ``` shell
-openstack --os-cloud default mapping create --rules /tmp/mapping.json rackspace_mapping
+openstack --os-cloud default mapping create --rules /tmp/mapping.json --schema-version 2.0 rackspace_mapping
 ```
 
 ## Create the federation protocol
 
 ``` shell
 openstack --os-cloud default federation protocol create rackspace --mapping rackspace_mapping --identity-provider rackspace
 ```
+
+## Rackspace Configuration Options
+
+The `[rackspace]` section can also be used in your `keystone.conf` to allow you to configure how to anchor on
+roles.
+
+| key | value | default |
+| --- | ----- | ------- |
+| `role_attribute` | A string option used as an anchor to discover roles attributed to a given user | **os_flex** |
+| `role_attribute_enforcement` | When set `true` will limit a users project to only the discovered GUID for the defined `role_attribute` | **false** |

etc/keystone/mapping.json

@@ -4,13 +4,19 @@
             {
                 "user": {
                     "name": "{0}",
-                    "email": "{1}"
+                    "email": "{1}",
+                    "domain": {
+                        "name": "rackspace_cloud_domain"
+                    }
                 }
             },
             {
                 "projects": [
                     {
-                        "name": "{2}_Flex",
+                        "name": "{2}",
+                        "domain": {
+                            "name": "rackspace_cloud_domain"
+                        },
                         "roles": [
                             {
                                 "name": "member"

helm-configs.example/aio-example-openstack-overrides.yaml

@@ -37,14 +37,14 @@ images:
     cinder_storage_init: "docker.io/openstackhelm/ceph-config-helper:ubuntu_focal_18.2.0-1-20231013"
     cinder_backup: "docker.io/openstackhelm/cinder:2023.1-ubuntu_jammy"
     cinder_backup_storage_init: "docker.io/openstackhelm/ceph-config-helper:ubuntu_focal_18.2.0-1-20231013"
-    keystone_api: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
+    keystone_api: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
     keystone_bootstrap: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy"
-    keystone_credential_rotate: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
-    keystone_credential_setup: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
-    keystone_db_sync: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
-    keystone_domain_manage: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
-    keystone_fernet_rotate: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
-    keystone_fernet_setup: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
+    keystone_credential_rotate: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_credential_setup: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_db_sync: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_domain_manage: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_fernet_rotate: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_fernet_setup: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
     keystone_credential_cleanup: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy"
     libvirt: docker.io/openstackhelm/libvirt:2023.2-ubuntu_jammy  # We want to use jammy. 2023.2 is the latest version that supports jammy.
     libvirt_exporter: vexxhost/libvirtd-exporter:latest

helm-configs.example/keystone/keystone-helm-overrides.yaml

@@ -21,14 +21,14 @@ images:
     bootstrap: "docker.io/openstackhelm/heat:2024.1-ubuntu_jammy"
     db_init: "docker.io/openstackhelm/heat:2024.1-ubuntu_jammy"
     db_drop: "docker.io/openstackhelm/heat:2024.1-ubuntu_jammy"
-    keystone_api: "docker.io/aedan/keystone:2024.1-ubuntu_jammy"
+    keystone_api: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
     keystone_bootstrap: "docker.io/openstackhelm/heat:2024.1-ubuntu_jammy"
-    keystone_credential_rotate: "docker.io/aedan/keystone:2024.1-ubuntu_jammy"
-    keystone_credential_setup: "docker.io/aedan/keystone:2024.1-ubuntu_jammy"
-    keystone_db_sync: "docker.io/aedan/keystone:2024.1-ubuntu_jammy"
-    keystone_domain_manage: "docker.io/aedan/keystone:2024.1-ubuntu_jammy"
-    keystone_fernet_rotate: "docker.io/aedan/keystone:2024.1-ubuntu_jammy"
-    keystone_fernet_setup: "docker.io/aedan/keystone:2024.1-ubuntu_jammy"
+    keystone_credential_rotate: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_credential_setup: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_db_sync: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_domain_manage: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_fernet_rotate: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_fernet_setup: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
     ks_user: "docker.io/openstackhelm/heat:2024.1-ubuntu_jammy"
     test: docker.io/xrally/xrally-openstack:2.0.0
     rabbit_init: docker.io/rabbitmq:3.7-management
@@ -550,10 +550,13 @@ conf:
       # NOTE(vdrok): The following two options have effect only for SQL backend
       lockout_failure_attempts: 5
       lockout_duration: 1800
-#    auth:
-#      methods: password,token,application_credential,rxt
-#      password: rxt
-#      totp: rxt
+    auth:
+      methods: password,token,application_credential,totp
+      password: rxt
+      totp: rxt
+    rackspace:
+      role_attribute: os_flex
+      role_attribute_enforcement: False  # This should be set to true in production environments.
 
   # NOTE(lamt) We can leverage multiple domains with different
   # configurations as outlined in

helm-configs.example/prod-example-openstack-overrides.yaml

@@ -36,14 +36,14 @@ images:
     cinder_storage_init: "docker.io/openstackhelm/ceph-config-helper:ubuntu_focal_18.2.0-1-20231013"
     cinder_backup: "docker.io/openstackhelm/cinder:2023.1-ubuntu_jammy"
     cinder_backup_storage_init: "docker.io/openstackhelm/ceph-config-helper:ubuntu_focal_18.2.0-1-20231013"
-    keystone_api: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
+    keystone_api: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
     keystone_bootstrap: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy"
-    keystone_credential_rotate: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
-    keystone_credential_setup: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
-    keystone_db_sync: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
-    keystone_domain_manage: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
-    keystone_fernet_rotate: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
-    keystone_fernet_setup: "ghcr.io/rackerlabs/genestack/keystone-rxt:2023.1-ubuntu_jammy"
+    keystone_credential_rotate: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_credential_setup: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_db_sync: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_domain_manage: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_fernet_rotate: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
+    keystone_fernet_setup: "ghcr.io/rackerlabs/keystone-rxt:2024.1-ubuntu_jammy-1720466623"
     keystone_credential_cleanup: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy"
     libvirt: docker.io/openstackhelm/libvirt:2023.2-ubuntu_jammy  # We want to use jammy. 2023.2 is the latest version that supports jammy.
     libvirt_exporter: vexxhost/libvirtd-exporter:latest

mkdocs.yml

@@ -214,23 +214,29 @@ nav:
           - OVN traffic flow introduction: ovn-traffic-flow-intro.md
           - OVN Database Backup: infrastructure-ovn-db-backup.md
           - MariaDB Operations: infrastructure-mariadb-ops.md
-      - OpenStack:
-          - Generating Clouds YAML: openstack-clouds.md
-          - Keystone Federation to Rackspace: openstack-keystone-federation.md
-          - Keystone Readonly Users: openstack-keystone-readonly.md
-          - Nova Flavor Creation: openstack-flavors.md
-          - Nova CPU Allocation Ratio: openstack-cpu-allocation-ratio.md
-          - Nova PCI Passthrough: openstack-pci-passthrough.md
-          - Service Overrides: openstack-service-overrides.md
-          - Creating Networks: openstack-neutron-networks.md
-          - Glance Images Creation: openstack-glance-images.md
-      - Building Local Images: build-local-images.md
-      - Working Locallly With Docs: mkdocs-howto.md
+          - Building Local Images: build-local-images.md
       - Third Party Tools:
           - OSIE: extra-osie.md
+      - OpenStack:
+          - CLI Access:
+              - Generating Clouds YAML: openstack-clouds.md
+          - Compute:
+              - Nova Flavor Creation: openstack-flavors.md
+              - Nova CPU Allocation Ratio: openstack-cpu-allocation-ratio.md
+              - Nova PCI Passthrough: openstack-pci-passthrough.md
+          - Images:
+              - Glance Images Creation: openstack-glance-images.md
+          - Identity:
+              - Keystone Federation to Rackspace: openstack-keystone-federation.md
+              - Keystone Readonly Users: openstack-keystone-readonly.md
+          - Networking:
+              - Creating Networks: openstack-neutron-networks.md
+          - Service Overrides: openstack-service-overrides.md
+      - Working locally With Docs: mkdocs-howto.md
   - Cloud Onboarding:
       - Cloud Onboarding Welcome: cloud-onboarding-welcome.md
-      - Openstack Deploying CLI Tools: openstack-deploy-cli.md
+      - Openstack Installing CLI Tools: openstack-deploy-cli.md
+      - OpenStack Getting Started: openstack-getting-started-cli.md
       - Openstack Security Groups: openstack-security-groups.md
       - Openstack Floating Ips: openstack-floating-ips.md
       - Openstack Keypairs: openstack-keypairs.md