OpenStack Magnum Users

Warning

Deprecated

Magnum is deprecated and will be replaced in the future with Cluster API.

When a cluster is created, Magnum creates unique credentials for each cluster. This allows the cluster to make changes to its structure (e.g. create load balancers for specific services, create and attach cinder volumes, update the stack, etc.) without exposing the user’s cloud credentials.

How to find the Magnum User Credentials

We can obtain the cluster credentials directly from the VM which the master node is on. First, SSH into the master node’s VM and then:

[fedora@cluster-master-0 ~]$ cd /etc
[fedora@cluster-master-0 /etc]$ cd kubernetes/
[fedora@cluster-master-0 kubernetes]$ ls
#This will return the list of items similar to:

apiserver      cloud-config       controller-manager            kube_openstack_config  manifests              scheduler
ca-bundle.crt  cloud-config-occm  get_require_kubeconfig.sh     kubelet                proxy
certs          config             keystone_webhook_config.yaml  kubelet-config.yaml    proxy-kubeconfig.yaml

#The cluster's credentials can be found in the file 'cloud-config'
#Print the config to the terminal
[fedora@cluster-master-0 kubernetes]$ cat cloud-config

This will return the cloud-config file containing the cluster’s credentials similar to:

[Global]
auth-url=https://AUTH-URL
user-id=CLUSTER_USER_ID
password=PASSWORD
trust-id=TRUST-ID
ca-file=/etc/kubernetes/ca-bundle.crt
region=RegionOne
[LoadBalancer] #with the octavia ingress controller enabled
use-octavia=True
subnet-id=SUBNET_ID
floating-network-id=FLOATING_NETWORK_ID
create-monitor=yes
monitor-delay=1m
monitor-timeout=30s
monitor-max-retries=3
[BlockStorage]
bs-version=v2

These global variables should be used when setting up configmaps such as magnum-auto-healer configmap. Never use your own cloud credentials in Kubernetes configmaps. These would be visible to anyone who has access to the master node in the cluster.