When you work with multiple OpenStack clouds, you could be working across multiple projects, regions, and/or Keystone API versions within a given cloud. Additionally, you may have to maintain separate OpenStack RC files to store authentication credentials for each cloud.
This approach to managing multiple cloud environments in Platform9 Managed OpenStack has the following drawbacks:
- Multiple OpenStack RC files must be maintained.
- Plain-text passwords are stored in-line with non-sensitive authentication information.
- Automation can be difficult when utilizing credentials from multiple files.
These problems can be resolved with additional functionality in the openstack CLI command, which reads authentication credentials from configuration files to authenticate to and manage clouds.
Effectively Managing Multiple Clouds
You can make effective use of the openstack CLI command to manage multiple clouds. The openstack CLI command internally uses the os-client-config library for centralized management and maintenance of authentication credentials for more than one cloud.
Security of authentication information is critical when it comes to storing access credentials. Although it is not possible to store encrypted passwords in OpenStack, you can work around this problem by keeping passwords in a separate file from the rest of the authentication information.
You can store your non-sensitive OpenStack configuration in ~/.config/openstack/clouds.yaml and your passwords in ~/.config/openstack/secure.yaml. The passwords would still be in plain text, but you can protect secure.yaml with Unix file permissions to enhance the security of sensitive password data.
Here’s an example of authentication credentials from clouds.yaml and secure.yaml.
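The split layout described above, as an added shell example (not Platform9's or the original page's own listing). The cloud name, URL, user, project and password are constructed placeholders, and write_cloud_config and audit_cloud_config are hypothetical helper names; the audit fails if a password appears in clouds.yaml or if secure.yaml is accessible to anyone but its owner.

```shell
#!/bin/sh
# Added example: every hostname, username and password below is a constructed placeholder.

# Write the split configuration into DIR (default: ~/.config/openstack).
write_cloud_config() {
    dir=${1:-"$HOME/.config/openstack"}
    mkdir -p "$dir"
    # Non-sensitive settings only: endpoint, region, user and project names.
    cat > "$dir/clouds.yaml" <<'EOF'
clouds:
  cloud1:
    region_name: RegionOne
    identity_api_version: 3
    auth:
      auth_url: https://cloud1.example.com/keystone/v3
      username: alice@example.com
      project_name: service
      user_domain_id: default
      project_domain_id: default
EOF
    # Create secure.yaml under a restrictive umask so a new file is never world-readable.
    (
        umask 077
        cat > "$dir/secure.yaml" <<'EOF'
clouds:
  cloud1:
    auth:
      password: REPLACE_WITH_PASSWORD
EOF
    )
    chmod 600 "$dir/secure.yaml"   # also tightens a file that already existed
}

# Return 0 only if clouds.yaml holds no password and secure.yaml is owner-only.
audit_cloud_config() {
    dir=${1:-"$HOME/.config/openstack"}
    if grep -Eq '^[[:space:]]*password[[:space:]]*:' "$dir/clouds.yaml"; then
        echo "clouds.yaml contains an inline password" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    if [ "$(ls -ld "$dir/secure.yaml" | cut -c5-10)" != "------" ]; then
        echo "secure.yaml is accessible to group or other" >&2
        return 1
    fi
    return 0
}
```

Running audit_cloud_config before an automation job starts catches a secure.yaml whose permissions were loosened by a copy or restore.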
Using os-client-config from the CLI
You can specify multiple clouds within the YAML files in order to centralize the storage of authentication credentials. Users can then switch between clouds by specifying the desired cloud when invoking the openstack CLI command (for example, openstack --os-cloud cloud1).
Using os-client-config from the API
Scripting or automation code can also leverage os-client-config in order to manage credentials in a uniform way across CLI and API.
Centralized storage of authentication information simplifies credential management across multiple clouds. You can quickly switch clouds from the command line, which simplifies managing multiple clouds or tenants within a cloud. For scripting, os-client-config separates authentication information from code while providing a simplified, unified method to access credentials.