Integration
OpenStack is an open source cloud platform that many enterprises use as a basis for a private IaaS cloud. meshStack supports project creation, configuration, access control, quota management and billing for OpenStack.
Integration Overview
To enable integration with OpenStack, platform engineers configure one or multiple Platforms of PlatformType OpenStack in the Platform Administration in meshPanel.
Prerequisites
OpenStack comes in many different distributions and flavors. Similar to our approach for supporting Kubernetes, we try and maintain our OpenStack integration distribution-independent and purely based on "vanilla" OpenStack APIs.
The latest OpenStack release officially validated with meshStack is OpenStack 2023.2 "Bobcat". However, any later OpenStack releases that continues to maintain API compatibility with the API versions specified below is supported.
As OpenStack is typically deployed "behind the firewall" in a private cloud settings, you may consider using an on-prem deployment of meshStack Enterprise. This enables meshStack to safely connect to your OpenStack APIs on your private network.
Supported OpenStack Versions
Your OpenStack cloud must provide the KeystoneV3 API with a minimum version of 3.0.
This an essential pre-requesite for using meshStack's OpenStack integration.
meshStack also supports the following OpenStack APIs for advanced features
| Service and minimum Version | Resource Metering |
|---|---|
| Nova 2.0 | Servers |
| Cinder 3.0 | Volumes & Volume Snapshots |
| Neutron v2 | Floating IPs & Routers & LBaasV2 |
| Glance v2 | Images |
| Heat v1 | |
| Designate v2 | |
| Swift/radowsgw-swift v1 |
Note: OpenStack integration with meshPanel as an UI for various OpenStack services is no longer available to new meshStack customers.
Keystone Federated Users
meshStack will identify and assign users to roles in OpenStack based on their euid (external user id) as described in Identity Federation.
meshStack expects that your OpenStack uses Federated Identity.
You should set up OpenStack Keystone so that your identity provider stores the euid value in the User.name field of the Keystone User object.
Integration Configuration
meshStack Admin Accounts
meshStack requires two admin user accounts for integration with OpenStack.
- the
replicatoradmin account must have permission to create projects, groups and assign roles. This typically requires anadminrole on the admin project, unless your OpenStack deployment has additional fine-grained policies available. - the
meteringaccount must havereaderrole access across all OpenStack projects. This user is used to collect metering data for all projects from OpenStack services.
Permission Replication
During replication, meshStack will make sure that users have access to the OpenStack projects they are assigned to in meshStack. If meshStack finds that a user does not exist in OpenStack yet, meshStack will log a replication remark and skip assigning that user's permission. When the user is created in OpenStack at any later time, meshStack will pick up this user to assign him to the according groups in the next replication.
Users will be assigned to the according groups (per project in meshStack) that meshStack creates in OpenStack.
Because OpenStack does only provide the member project-level role out of the box, meshStack currently supports only one default mapping of meshStack project roles to OpenStack project roles for all meshStack project roles.
Keystone Domains
By default, meshStack will replicate tenants as OpenStack projects in the default Keystone domain of OpenStack. You can optionally enable meshStack to create dedicated Keystone domains per Workspace.