Do I need OpenStack's keypair and cloud-init's ssh_authorized_keys together?

Solution 1:

Effectively they should be doing the same, but as far as I know they won't be applied at the same time.

cloud-init runs in the image/template used to create the new instance and will customise the template with instance-specific settings at first boot. Cloud-init calls on the OpenStack meta-data provider fairly early on and will download meta-data, such as the OpenStack SSH key and your user-data/cloud-config script scripts/init_instance.cfg.

I think that the SSH key from OpenStack will be applied first.

Since it validates the key before it is accepted, relying on OpenStack to deploy a key should be quite robust and reliable. But OpenStack has the limitation that it only allows you to assign a single key to deploy to an instance.

A user-data / cloud-config script such as your scripts/init_instance.cfg is the last thing that gets executed by cloud-init.
cloud-config doesn't have the one-key limitation and allows you to assign multiple SSH keys and perform many additional configuration tasks as well.

It might be beneficial to have a key deployed by OpenStack, in case your cloud-config script contains invalid YAML and fails completely; you should then still have an instance you can access and debug...
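
A pre-flight format check for the list of public keys destined for `ssh_authorized_keys`, which can be run before launching an instance. This is an added example, not part of the answer above; the function names, the accepted key types and the sample keys are assumptions of the example, and the sample keys are constructed rather than usable.

```python
import base64

# Key types this check accepts (an assumption of this example; extend as needed).
KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def check_public_key(line):
    """Return (ok, reason) for one OpenSSH public key line."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, blob_b64 = fields[0], fields[1]
    if key_type not in KNOWN_TYPES:
        return False, "unknown key type"
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return False, "key body is not valid base64"
    # The decoded body starts with a 4-byte big-endian length, then the algorithm name.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode():
        return False, "declared type does not match key body"
    if len(blob) <= 4 + name_len:
        return False, "key body has no key material"
    return True, "ok"

def check_key_list(lines):
    """Return (index, reason) for every key that fails the check."""
    results = [(i, check_public_key(line)) for i, line in enumerate(lines)]
    return [(i, reason) for i, (ok, reason) in results if not ok]

def constructed_key(key_type, material=bytes(32)):
    """Build a well-formed sample line (constructed; not a usable key)."""
    name = key_type.encode()
    blob = (len(name).to_bytes(4, "big") + name
            + len(material).to_bytes(4, "big") + material)
    return "%s %s sample@example" % (key_type, base64.b64encode(blob).decode())

# Constructed sample list, as it might be pasted under ssh_authorized_keys.
SAMPLE_KEYS = [
    constructed_key("ssh-ed25519"),
    "ssh-rsa AAAAB3NzaC1yc2E... truncated@example",  # pasted with an ellipsis
    constructed_key("ssh-ed25519").replace("ssh-ed25519", "ssh-rsa", 1),  # wrong type
]

if __name__ == "__main__":
    for index, reason in check_key_list(SAMPLE_KEYS):
        print("key %d rejected: %s" % (index, reason))
```

The check covers line format only: it confirms each entry decodes and that its declared type matches the key body, not that the key material itself is sound.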