Project scoped auth don't have access to list-projects and list-domains. Api-server do list-domains during initialization.
So when project scoped auth parameters are used in contrail-keystone-auth.conf api-server is in initializing state.
Solutions:
1. Use domain scope auth parameters in contrail-keystone-auth.conf instead of project scope.
contrail-keystone-auth.conf ----------------------------- [KEYSTONE] auth_url=https://keystoneIp:35357/v3 auth_host=<keystoneIp> auth_protocol=https auth_port=35357 admin_user=admin admin_password=c0ntrail123 admin_tenant_name=admin memcache_servers=127.0.0.1:11211 insecure=False certfile=/etc/contrail/ssl/certs/keystone.pem keyfile=/etc/contrail/ssl/certs/keystone.pem cafile=/etc/contrail/ssl/certs/keystone_ca.pem auth_type = password user_domain_name = Default domain_name = Default <<<<<<<<< Domain scope auth
2. Use project scoped auth parameters in contrail-keystone-auth.conf, also set admin_project_name and admin_project_domain_name in [resource] section of keystone.conf
contrail-keystone-auth.conf ----------------------------- [KEYSTONE] auth_url=https://keystoneIp:35357/v3 auth_host=<keystoneIp> auth_protocol=https auth_port=35357 admin_user=admin admin_password=c0ntrail123 admin_tenant_name=admin memcache_servers=127.0.0.1:11211 insecure=False certfile=/etc/contrail/ssl/certs/keystone.pem keyfile=/etc/contrail/ssl/certs/keystone.pem cafile=/etc/contrail/ssl/certs/keystone_ca.pem auth_type = password user_domain_name = Default project_domain_name = Default <<<<< Project scope auth
keystone.conf --------------- [resource] admin_project_domain_name = Default <<<<< #admin_project_name = admin <<<<<
Project scoped auth don't have access to list-projects and list-domains.
Api-server do list-domains during initialization.
So when project scoped auth parameters are used in contrail- keystone- auth.conf api-server is in initializing state.
Solutions:
1. Use domain scope auth parameters in contrail- keystone- auth.conf instead of project scope.
contrail- keystone- auth.conf ------- ------- ------- - /keystoneIp: 35357/v3 <keystoneIp> c0ntrail123 name=admin servers= 127.0.0. 1:11211 /etc/contrail/ ssl/certs/ keystone. pem /etc/contrail/ ssl/certs/ keystone. pem /etc/contrail/ ssl/certs/ keystone_ ca.pem
-------
[KEYSTONE]
auth_url=https:/
auth_host=
auth_protocol=https
auth_port=35357
admin_user=admin
admin_password=
admin_tenant_
memcache_
insecure=False
certfile=
keyfile=
cafile=
auth_type = password
user_domain_name = Default
domain_name = Default <<<<<<<<< Domain scope auth
2. Use project scoped auth parameters in contrail- keystone- auth.conf, also set admin_project_name and admin_project_ domain_ name in [resource] section of keystone.conf
contrail- keystone- auth.conf ------- ------- ------- - /keystoneIp: 35357/v3 <keystoneIp> c0ntrail123 name=admin servers= 127.0.0. 1:11211 /etc/contrail/ ssl/certs/ keystone. pem /etc/contrail/ ssl/certs/ keystone. pem /etc/contrail/ ssl/certs/ keystone_ ca.pem
-------
[KEYSTONE]
auth_url=https:/
auth_host=
auth_protocol=https
auth_port=35357
admin_user=admin
admin_password=
admin_tenant_
memcache_
insecure=False
certfile=
keyfile=
cafile=
auth_type = password
user_domain_name = Default
project_domain_name = Default <<<<< Project scope auth
keystone.conf domain_ name = Default <<<<<
---------------
[resource]
admin_project_
#admin_project_name = admin <<<<<