This post will cover details of the recently implemented instance-users blueprint, which uses keystone domains to contain the users whose credentials are deployed inside instances created by heat. If you just want to know how the new stuff works, you can skip to the last sections :)
So...why does heat create users at all?
Let's start with a bit of context. Heat has historically needed to do some or all of the following:
- Provide metadata to agents inside instances, which poll for changes and apply the configuration expressed in the metadata to the instance.
- Signal completion of some action, typically configuration of software on a VM after it is booted (because nova moves the state of a VM to "Active" as soon as it spawns it, not when heat has fully configured it).
- Provide application-level status or metrics from inside the instance, e.g. to allow AutoScaling actions to be performed in response to some measure of performance or quality of service.
Heat provides APIs which enable all of these things, but all of those APIs require some sort of authentication, i.e. credentials, so that whatever agent is running on the instance is able to access them. So credentials must be deployed inside the instance. For example, here's how things work if you're using the heat-cfntools agents:
[Figure: heat-cfntools agents data-flow with CFN-compatible APIs]
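As an added illustration (not code from the original post or from the heat project), here is a minimal CFN-style heat template using the credential-deployment approach just described: a per-stack user and access key are created, cfn-init writes the key pair into the instance, and the agents then use it to talk to the CFN-compatible APIs. Resource names, the image id and the timeout are constructed placeholders.

```yaml
# Added example, not from the original post: a CFN-style heat template using
# the pre-instance-users approach. Resource names are constructed.
HeatTemplateFormatVersion: '2012-12-12'
Resources:
  # Per-stack user and access key: what the in-instance agents authenticate with
  CfnUser:
    Type: AWS::IAM::User
  HostKeys:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: {Ref: CfnUser}
  WaitHandle:
    Type: AWS::CloudFormation::WaitConditionHandle
  WaitCondition:
    Type: AWS::CloudFormation::WaitCondition
    Properties:
      Handle: {Ref: WaitHandle}
      Timeout: '600'
  Server:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Init:
        config:
          files:
            # cfn-init writes the key pair where the heat-cfntools agents read it
            /etc/cfn/cfn-credentials:
              content:
                Fn::Join:
                  - ''
                  - - AWSAccessKeyId=
                    - {Ref: HostKeys}
                    - "\n"
                    - AWSSecretKey=
                    - {Fn::GetAtt: [HostKeys, SecretAccessKey]}
                    - "\n"
              mode: '000400'
              owner: root
              group: root
    Properties:
      ImageId: CONSTRUCTED_IMAGE_ID   # placeholder, not a real image
      InstanceType: m1.small
      UserData:
        Fn::Base64:
          Fn::Join:
            - ''
            - - "#!/bin/bash -v\n/opt/aws/bin/cfn-init\n"
              - "/opt/aws/bin/cfn-signal -e 0 '"
              - {Ref: WaitHandle}
              - "'\n"
```

Note that the access key and secret end up in plain text both in the stack metadata and on the instance's filesystem, which is the trust boundary the rest of this post is concerned with.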