From f6a508bbe236ec47832be09f9f7992eab5c72ac0 Mon Sep 17 00:00:00 2001 From: jessica Date: Fri, 7 Nov 2025 17:04:24 -0500 Subject: [PATCH 1/3] translations for opcp guide --- .../guide.en-gb.md | 199 ++++++++++++++++++ .../guide.fr-fr.md | 7 +- 2 files changed, 202 insertions(+), 4 deletions(-) create mode 100644 pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.en-gb.md diff --git a/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.en-gb.md b/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.en-gb.md new file mode 100644 index 00000000000..abb20fdc3ba --- /dev/null +++ b/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.en-gb.md @@ -0,0 +1,199 @@ +--- +title: "OPCP - How to use the APIs and obtain the credentials" +excerpt: "Discover the steps required to configure Keycloak and the OpenStack CLI to allow authentication via Keycloak" +updated: 2025-11-07 +--- + +## Objective + +**OPCP** integrates a centralized authentication with **Keycloak**. It is therefore necessary to configure the **OpenStack CLI** so that it uses Keycloak as the identity provider (Identity Provider). + +**This guide describes the steps required to configure Keycloak and the OpenStack CLI to allow authentication via Keycloak.** + +## Requirements + +- Be an administrator of the [OPCP](/links/hosted-private-cloud/onprem-cloud-platform) infrastructure and have access to the administration interface (admin.dashboard). +- Have access to the Keyloack admin interface. +- Have a user with sufficient rights to log in to [Horizon](https://horizon.cloud.ovh.net/auth/login/) on the OPCP offer. + +## Instructions + +### Creating a Keycloak client for the OpenStack CLI + +A **dedicated Keycloak client** is required to allow the OpenStack CLI to securely communicate with the Keycloak server. + +#### Steps + +1\. **Log in to the Keycloak administration interface** + +- Log in to your Keycloak instance and select the *realm* in which the OpenStack users are defined. + +2\. **Create a new client** + +- Go to the `Clients` section and click on `Create a client`{.action}. +- Enter a **Client ID**, for example: + +```console +openstack-cli +``` + +- Click on `Next`{.action}. + +3\. **Enable client authentication** + +- Enable **Client Authentication** (set to **ON**). +- Click on `Next`{.action}, then on `Save`{.action}. + +4\. **Configure scopes (Client Scopes)** + +- Open the `Client Scopes` tab. +- Select the scope named: + +```console +[your-client-id]-dedicated +``` + +- Click on `Configure a new mapper`{.action}. + +5\. **Add a user group attribute mapper** + +- Choose the mapper type **aggregated-user-group-attribute-mapper**. +- Configure the following fields: + + | Field | Value | + |--------|--------| + | **Name** | `projects` | + | **User Attribute** | `project` | + | **Token Claim Name** | `projects` | + +- Click on `Save`{.action}. + +6\. **Retrieve the client credentials** + +- Go to the `Credentials` tab of the client you just created. +- Copy and securely store the **Client Secret** — it will be needed when configuring the OpenStack CLI. + +### Configuration of the OpenStack CLI + +Once the Keycloak client is created, the OpenStack CLI must be configured to use this client as the OIDC (OpenID Connect) identity provider. + +#### Steps + +1\. **Install the OpenStack CLI tools** + +If not already done: + +```bash +sudo pip install python-openstackclient +``` + +2\. **Set environment variables for Keycloak authentication** + +Example: + +```bash +export OS_INTERFACE=public +export OS_IDENTITY_API_VERSION=3 +export OS_AUTH_URL="https://keystone.domain.ovh" +export OS_AUTH_TYPE="v3oidcpassword" +export OS_PROTOCOL="openid" +export OS_IDENTITY_PROVIDER="keycloak-admin" +export OS_CLIENT_ID="keycloak-client-id" +export OS_CLIENT_SECRET="keycloak-client-credentials" +export OS_DISCOVERY_ENDPOINT="https://admin.keycloak.domain.ovh/realms/master/.well-known/openid-configuration" +export OS_USERNAME="keycloak-user-username" +export OS_PASSWORD="keycloak-user-password" +export OS_PROJECT_ID="project-id" +``` + +> **Tip** +> You can use the following script to easily generate the openrc.sh configuration file: + +```bash + #!/usr/bin/env bash + +read -p "Your environment's base FQDN (e.g. example.bmp.ovhgoldorack.ovh): " FQDN_ENV + +read -p 'master or pod realm ? (master/pod): ' REALM +if [ "$REALM" != "master" ] && [ "$REALM" != "pod" ]; then + echo "Invalid input. Please enter either 'master' or 'pod'." + exit 1 +fi + +read -p 'Keycloak client ID: ' KC_CLIENT_ID +read -srp 'Keycloak client secret: ' KC_CLIENT_SECRET && echo + +read -p 'Keycloak username: ' KC_USERNAME_INPUT +read -srp 'Keycloak password: ' KC_PASSWORD_INPUT && echo + +read -p 'Openstack Project ID (not the name): ' PROJECT_ID + +printf "\n\nHere is your configuration, paste it to your shell or use the generate openrc.sh file\n\n" +cat << EOM +export OS_INTERFACE=public +export OS_IDENTITY_API_VERSION=3 +export OS_AUTH_URL="https://keystone.${FQDN_ENV}" +export OS_AUTH_TYPE="v3oidcpassword" +export OS_PROTOCOL="openid" +export OS_IDENTITY_PROVIDER=$([ "$REALM" = "master" ] && echo "keycloak-admin" || echo "keycloak") +export OS_CLIENT_ID="$KC_CLIENT_ID" +export OS_CLIENT_SECRET="$KC_CLIENT_SECRET" +export OS_DISCOVERY_ENDPOINT="https://$([ "$REALM" = "master" ] && echo "admin.keycloak" || echo "keycloak").${FQDN_ENV}/realms/$REALM/.well-known/openid-configuration" +export OS_USERNAME="$KC_USERNAME_INPUT" +export OS_PASSWORD="$KC_PASSWORD_INPUT" +export OS_PROJECT_ID="$PROJECT_ID" +EOM + +echo "#!/usr/bin/env bash + +export OS_INTERFACE=public +export OS_IDENTITY_API_VERSION=3 +export OS_AUTH_URL="https://keystone.${FQDN_ENV}" +export OS_AUTH_TYPE="v3oidcpassword" +export OS_PROTOCOL="openid" +export OS_IDENTITY_PROVIDER=$([ "$REALM" = "master" ] && echo "keycloak-admin" || echo "keycloak") +export OS_CLIENT_ID="$KC_CLIENT_ID" +export OS_CLIENT_SECRET="$KC_CLIENT_SECRET" +export OS_DISCOVERY_ENDPOINT="https://$([ "$REALM" = "master" ] && echo "admin.keycloak" || echo "keycloak").${FQDN_ENV}/realms/$REALM/.well-known/openid-configuration" +export OS_USERNAME="$KC_USERNAME_INPUT" +export OS_PASSWORD="$KC_PASSWORD_INPUT" +export OS_PROJECT_ID="$PROJECT_ID > $PROJECT_ID."-openrc.sh" +``` + +> **Tip: Proxy configuration** +> If you are using a proxy to access your service, you must configure your environment variables to take this proxy into account. + +To do this, add the following commands lines: + +```bash +export https_proxy=http://your-adress-ip:port/ +export http_proxy=http://your-adress-ip:port/ +``` + +### Configuration verification + +You can test your configuration using a few simple commands: + +```bash +openstack token issue +openstack project list +openstack server list +``` + +If these commands return results, the **Keycloak ↔ OpenStack** integration is correctly configured. + + +### Troubleshooting + +| Problem | Possible cause | Solution | +|-----------|----------------|-----------| +| `Invalid client credentials` | Wrong or missing `Client Secret` | Check the secret in the **Credentials** tab of the Keycloak client | +| `Unauthorized` | The user is not associated with the correct group or project | Check the `project` attributes of the user in Keycloak | +| `OIDC discovery failed` | Wrong URL in `DISCOVERY_ENDPOINT` | Make sure it points to the correct Keycloak *realm* | + + +### References + +- [Keycloak Documentation – OpenID Connect](https://www.keycloak.org/docs/latest/server_admin/#_oidc) +- [OpenStack Keystone Documentation](https://docs.openstack.org/keystone/latest/) +- [OVHcloud OPCP Documentation](https://docs.opcp.ovh) \ No newline at end of file diff --git a/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.fr-fr.md b/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.fr-fr.md index b3989a61471..ffd8e193fbe 100644 --- a/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.fr-fr.md +++ b/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.fr-fr.md @@ -72,7 +72,6 @@ Un client **Keycloak dédié** est nécessaire pour permettre à la CLI OpenStac - Allez dans l’onglet `Credentials` du client que vous venez de créer. - Copiez et conservez de manière sécurisée la **Client Secret** — il sera nécessaire lors de la configuration du CLI OpenStack. - ### Configuration de la CLI OpenStack @@ -107,7 +106,7 @@ export OS_PASSWORD="keycloak-user-password" export OS_PROJECT_ID="project-id" ``` -> **Tips 1** +> **Conseil** > Vous pouvez utiliser le script suivant afin de générer le fichier de configuration openrc.sh facilement : ```bash @@ -161,7 +160,7 @@ export OS_PASSWORD="$KC_PASSWORD_INPUT" export OS_PROJECT_ID="$PROJECT_ID > $PROJECT_ID."-openrc.sh" ``` -> **Tips: Configuration d'un proxy** +> **Conseil: Configuration d'un proxy** > Si vous utilisez un proxy pour accéder a votre service, vous devez configurer vos variables d'environnement pour prendre en compte ce proxy. Pour ce faire, ajoutez les lignes de commande suivantes : @@ -197,4 +196,4 @@ Si ces commandes retournent des résultats, l’intégration **Keycloak ↔ Open - [Documentation Keycloak – OpenID Connect](https://www.keycloak.org/docs/latest/server_admin/#_oidc) - [Documentation OpenStack Keystone](https://docs.openstack.org/keystone/latest/) -- [Documentation OVHcloud OPCP](https://docs.opcp.ovh) +- [Documentation OVHcloud OPCP](https://docs.opcp.ovh) \ No newline at end of file From 20f7403348e2c18a1f35a80dd1728f98bc2c1c7c Mon Sep 17 00:00:00 2001 From: Montrealhub <89825661+Jessica41@users.noreply.github.com> Date: Mon, 10 Nov 2025 08:59:59 -0500 Subject: [PATCH 2/3] Update guide.fr-fr.md --- .../opcp/how-to-use-api-and-get-credentials/guide.fr-fr.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.fr-fr.md b/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.fr-fr.md index ffd8e193fbe..ff91e5f8c38 100644 --- a/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.fr-fr.md +++ b/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.fr-fr.md @@ -14,7 +14,7 @@ updated: 2025-11-07 - Être administrateur de l'infrastructure [OPCP](/links/hosted-private-cloud/onprem-cloud-platform) et avoir accès à l'interface d'administration (admin.dashboard). - Avoir accès à l'interface d'administration Keyloack admin. -- Avoir un utilisateur avec les droits suffisants pour se connecter à [Horizon](https://horizon.cloud.ovh.net/auth/login/) sur l'offre OPCP. +- Avoir un utilisateur avec les droits suffisants pour se connecter à Horizon sur l'offre OPCP. ## En pratique @@ -196,4 +196,4 @@ Si ces commandes retournent des résultats, l’intégration **Keycloak ↔ Open - [Documentation Keycloak – OpenID Connect](https://www.keycloak.org/docs/latest/server_admin/#_oidc) - [Documentation OpenStack Keystone](https://docs.openstack.org/keystone/latest/) -- [Documentation OVHcloud OPCP](https://docs.opcp.ovh) \ No newline at end of file +- [Documentation OVHcloud OPCP](https://docs.opcp.ovh) From dd2ca471ac9bc15b30ac0e948da410e1de52c19d Mon Sep 17 00:00:00 2001 From: Montrealhub <89825661+Jessica41@users.noreply.github.com> Date: Mon, 10 Nov 2025 09:00:22 -0500 Subject: [PATCH 3/3] Update guide.en-gb.md --- .../opcp/how-to-use-api-and-get-credentials/guide.en-gb.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.en-gb.md b/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.en-gb.md index abb20fdc3ba..1953bbfda6f 100644 --- a/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.en-gb.md +++ b/pages/hosted_private_cloud/opcp/how-to-use-api-and-get-credentials/guide.en-gb.md @@ -14,7 +14,7 @@ updated: 2025-11-07 - Be an administrator of the [OPCP](/links/hosted-private-cloud/onprem-cloud-platform) infrastructure and have access to the administration interface (admin.dashboard). - Have access to the Keyloack admin interface. -- Have a user with sufficient rights to log in to [Horizon](https://horizon.cloud.ovh.net/auth/login/) on the OPCP offer. +- Have a user with sufficient rights to log in to Horizon on the OPCP offer. ## Instructions @@ -196,4 +196,4 @@ If these commands return results, the **Keycloak ↔ OpenStack** integration is - [Keycloak Documentation – OpenID Connect](https://www.keycloak.org/docs/latest/server_admin/#_oidc) - [OpenStack Keystone Documentation](https://docs.openstack.org/keystone/latest/) -- [OVHcloud OPCP Documentation](https://docs.opcp.ovh) \ No newline at end of file +- [OVHcloud OPCP Documentation](https://docs.opcp.ovh)