第 5 章 在 RHOSO 上配置 LDAP

流程

1. 创建 OpenStack 域：

   $ openstack domain create <name>

   • 将 <name > 替换为 OpenStack 域的名称。

2. 创建名为 keystone-domains.yaml 的 keystone-domains secret。此 secret 挂载到 /etc/keystone/domains 配置目录中：

   apiVersion: v1
   kind: Secret
   metadata:
     name: keystone-domains
     namespace: openstack
   type: Opaque
   stringData:
       keystone.<domain_name>.conf: |
           [identity]
           driver = ldap
           [ldap]
           url = ldaps://localhost
           user = =openstack,ou=Users,dc=director,dc=example,dc=com
           password = RedactedComplexPassword
           suffix = dc=domain,dc=example,dc=com
           user_tree_dn = ou=Users,dc=domain,dc=example,dc=com
           user_objectclass = person
           group_tree_dn = ou=Groups,dc=example,dc=org
           group_objectclass = groupOfNames
           use_tls = True

3. 创建 secret：

   $ oc apply -f keystone-domain-name.yaml

4. 打开 OpenStackCustomResource 自定义资源(CR)文件，并使用 extraMounts 字段添加 secret：

   apiVersion: core.openstack.org/v1beta1
   kind: OpenStackControlPlane
   metadata:
     name: openstack
   spec:
     keystone:
       template:
         customServiceConfig: |
           [identity]
           domain_specific_drivers_enabled = True
         extraMounts:
         - name: v1
           region: r1
             extraVol:
               - propagation:
                 - Keystone
                 extraVolType: Conf
                 volumes:
                 - name: keystone-domains
                   secret:
                     secretName: keystone-domains
                 mounts:
                 - name: keystone-domains
                   mountPath: "/etc/keystone/domains"
                   readOnly: true

5. 将更改应用到 OpenStack control plane CR：

   $ oc apply -f openstackcontrolplane