Generating credentials prior to install for automated deployment

[dcontiveros-nf]

Hello.

I am attempting to fully automate an install of cloudstack. I have the management node fully deployed via Salt, so software dependencies are not an issue.

My main issue stems from having to rely on the GUI to "continue the install". Ideally I would like to run commands against the API to create the Zones and remaining hierarchy.

I saw another post where someone suggested using admin/password, but I feel that's highly insecure. Ideally, I’d like to specify a deployment token via a secrets mechanism—like a vault or key-value store—and use that for deployments and continued setup.

Is this possible? Having to use a GUI is highly irregular imo. I also open to running SQL edits as part of the setup, since our database for this is hosted on another server.

Thanks!

[DaanHoogland]

@dcontiveros-nf , you can do most steps using an api-/secret-key pair using the API, you will have to have that generated initially. so the one first call will have to be with admin/password. Having the install script do that generation is not implemented.

The use of a vault is depending on the API client you are using. For instance in cmk, it would be in a (private) config file. This file can of course be generated by some external tool if you so wish.

hope this helps.

[dcontiveros-nf]

So essentially there is no way to fully automate this in a safe manner without defaulting to creating my user post install via API. I'm wondering if I should place a feature request because not being able to automate deploys will be an issue once we start scaling.

[DaanHoogland]

@dcontiveros-nf you can call the API without loging into the GUI. see https://cloudstack.apache.org/api/apidocs-4.20/apis/registerUserKeys.html

[dcontiveros-nf]

I think we are getting out of sync. Let me explain my understanding:

1. when I first deploy a management node via Cloudstack, I only have admin/password default credentials
2. There is no way to modify this on install
3. I am trying to avoid the GUI to create the proper hosting hierarchy with my network info, essentially mimicking the continue installer prompts via API

I was thinking about going this route:

• Use default admin/password to log into the API to auth as the default admin user
• Create an equivalent admin user via API
• Register them with the developer API via the above endpoint (thus getting the apikey/secretkey)
• Using the generated keys from the registerUserKeys endpoint to create the proper hierarchy via API.

Is this an accurate procedure and also is this possible?

[DaanHoogland]

about "There is no way to modify this on install” I am not sure, but your proposed procedure should work (without using the GUI).

you can alternatively

• Use default admin/password to log into the API to auth as the default admin user
• register API keys and logout (or/and change default pw on the fly)
• do the rest with API keys

if so desired:

• Create an equivalent admin user via API
• Register them with the developer API via the above endpoint (thus getting the apikey/secretkey)
• Using the generated keys from the registerUserKeys endpoint to create the proper hierarchy via API.

[dcontiveros-nf]

Ok so let's drill down even more:

1. Use default admin credentials to log into API
2. Use registerUserKeys to generate apikey/secretkey for default admin user
3. Use these keys to generate the hosting hierarchy specific to my needs with the other API andpoints

Believe that is my plan of action. I would need to get approval but at minimum I believe this should work.

Does that sound accurate?

[dcontiveros-nf]

Is there anyway to skip this wizard? I Was attempting to see how the database would look like post wizard so I can add the appropriate zones. However, I cannot get past the adding hosts part here:

For documentation purposes, I think we need a headless install option. Think my only avenue at this point is the above method, REST API interaction.