From f24d25accb8504ca5ccc32597aa7b58cdd86e520 Mon Sep 17 00:00:00 2001 From: nicholaskuechler Date: Mon, 10 Jun 2024 09:33:18 -0500 Subject: [PATCH 1/4] feat: Adds nova to understack --- apps/components/nova.yaml | 39 ++++++++++++ components/nova/README.md | 1 + components/nova/aio-values.yaml | 75 ++++++++++++++++++++++++ components/nova/kustomization.yaml | 7 +++ components/nova/nova-mariadb-db.yaml | 52 ++++++++++++++++ components/nova/nova-rabbitmq-queue.yaml | 59 +++++++++++++++++++ components/nova/values.tpl.yaml | 8 +++ scripts/easy-secrets-gen.sh | 31 +++++++++- 8 files changed, 271 insertions(+), 1 deletion(-) create mode 100644 apps/components/nova.yaml create mode 100644 components/nova/README.md create mode 100644 components/nova/aio-values.yaml create mode 100644 components/nova/kustomization.yaml create mode 100644 components/nova/nova-mariadb-db.yaml create mode 100644 components/nova/nova-rabbitmq-queue.yaml create mode 100644 components/nova/values.tpl.yaml
diff --git a/apps/components/nova.yaml b/apps/components/nova.yaml
new file mode 100644
index 000000000..a01cd5935
--- /dev/null
+++ b/apps/components/nova.yaml
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: nova
+spec:
+ project: understack
+ sources:
+ - repoURL: https://github.com/rackerlabs/understack.git
+ path: components/nova/
+ targetRevision: ${UC_REPO_REF}
+ ref: understack
+ - repoURL: https://tarballs.opendev.org/openstack/openstack-helm/
+ chart: nova
+ targetRevision: 0.3.42
+ helm:
+ releaseName: nova
+ valueFiles:
+ - $understack/components/openstack-2024.1-jammy.yaml
+ - $understack/components/nova/aio-values.yaml
+ - $secrets/secrets/${DEPLOY_NAME}/secret-openstack.yaml
+ - $secrets/helm-configs/${DEPLOY_NAME}/nova.yaml
+ - repoURL: ${UC_DEPLOY_GIT_URL}
+ path: secrets/${DEPLOY_NAME}/
+ targetRevision: ${UC_DEPLOY_REF}
+ directory:
+ include: 'secret-nova-*.yaml'
+ ref: secrets
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: openstack
+ syncPolicy:
+ automated:
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ managedNamespaceMetadata:
+ labels:
+ kubernetes.io/metadata.name: openstack
+ name: openstack
diff --git a/components/nova/README.md b/components/nova/README.md
new file mode 100644
index 000000000..983da095f
--- /dev/null
+++ b/components/nova/README.md
@@ -0,0 +1 @@
+# OpenStack Nova
diff --git a/components/nova/aio-values.yaml b/components/nova/aio-values.yaml
new file mode 100644
index 000000000..9a1ec8d39
--- /dev/null
+++ b/components/nova/aio-values.yaml
@@ -0,0 +1,75 @@
+---
+release_group: null
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ oslo_messaging:
+ statefulset:
+ replicas: 3
+ name: rabbitmq-server
+ hosts:
+ default: rabbitmq-nodes
+
+# (nicholas.kuechler) Using custom dependencies in order to
+# prevent the nova-db-init and nova-rabbit-init jobs from running
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs: null
+ static:
+ api:
+ jobs:
+ - nova-db-sync
+ - nova-ks-user
+ - nova-ks-endpoints
+ api_metadata:
+ jobs:
+ - nova-db-sync
+ - nova-ks-user
+ - nova-ks-endpoints
+ cell_setup:
+ jobs:
+ - nova-db-sync
+ service_cleaner:
+ jobs:
+ - nova-db-sync
+ compute:
+ jobs:
+ - nova-db-sync
+ compute_ironic:
+ jobs:
+ - nova-db-sync
+ conductor:
+ jobs:
+ - nova-db-sync
+ archive_deleted_rows:
+ jobs:
+ - nova-db-sync
+ db_sync:
+ jobs:
+ scheduler:
+ jobs:
+ - nova-db-sync
+
+manifests:
+ job_db_init: false
+ job_rabbit_init: false
+ pod_rally_test: false
+ secret_db: false
+ secret_keystone: true
+
+# we don't want to enable OpenStack Helm's
+# helm.sh/hooks because they set them as
+# post-install,post-upgrade which in ArgoCD
+# maps to PostSync. However the deployments
+# and statefulsets in OpenStack Helm
+# depend on the jobs to complete to become
+# healthy. Which they cannot because they are in
+# the post step and not in the main step.
+# Turning this on results in the keys jobs
+# editing the annotation which deletes the item
+# and wipes our keys.
+helm3_hook: false
diff --git a/components/nova/kustomization.yaml b/components/nova/kustomization.yaml
new file mode 100644
index 000000000..e78f42500
--- /dev/null
+++ b/components/nova/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - nova-mariadb-db.yaml
+ - nova-rabbitmq-queue.yaml
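Review bot: The comment above `dependencies:` says the custom dependency list is what prevents the nova-db-init and nova-rabbit-init jobs from running, but it is `job_db_init: false` and `job_rabbit_init: false` under `manifests:` further down that stop those jobs from being rendered; as far as I can tell the dependency block only stops the other nova pods from waiting on jobs that no longer exist. Suggest rewording it to `# (nicholas.kuechler) Custom dependencies so no pod waits on nova-db-init / nova-rabbit-init, which are disabled under manifests: below; the DB and queue are created by the operator CRs in this directory instead`. With `secret_db: false` the chart will also not render its own DB secrets, so the nova DB credentials have to arrive through the secret-openstack.yaml value file; worth a one-line comment next to `secret_db` saying where they come from so the next reader does not re-enable the job.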
diff --git a/components/nova/nova-mariadb-db.yaml b/components/nova/nova-mariadb-db.yaml
new file mode 100644
index 000000000..f0f44d0d4
--- /dev/null
+++ b/components/nova/nova-mariadb-db.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: Database
+metadata:
+ name: nova
+ namespace: openstack
+spec:
+ # If you want the database to be created with a different name than the resource name
+ # name: data-custom
+ mariaDbRef:
+ name: mariadb # name of the MariaDB kind
+ waitForIt: true
+ characterSet: utf8
+ collate: utf8_general_ci
+ retryInterval: 5s
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: User
+metadata:
+ name: nova
+ namespace: openstack
+spec:
+ # If you want the user to be created with a different name than the resource name
+ # name: user-custom
+ mariaDbRef:
+ name: mariadb # name of the MariaDB kind
+ waitForIt: true
+ passwordSecretKeyRef:
+ name: nova-db-password
+ key: password
+ # This field is immutable and defaults to 10, 0 means unlimited.
+ maxUserConnections: 0
+ host: "%"
+ retryInterval: 5s
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: Grant
+metadata:
+ name: nova-grant
+ namespace: openstack
+spec:
+ mariaDbRef:
+ name: mariadb # name of the MariaDB kind
+ waitForIt: true
+ privileges:
+ - "ALL"
+ database: "nova"
+ table: "*"
+ username: nova
+ grantOption: true
+ host: "%"
+ retryInterval: 5s
diff --git a/components/nova/nova-rabbitmq-queue.yaml b/components/nova/nova-rabbitmq-queue.yaml
new file mode 100644
index 000000000..59f6cecec
--- /dev/null
+++ b/components/nova/nova-rabbitmq-queue.yaml
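Review bot: Only a `nova` Database and a matching Grant are created here, but the openstack-helm nova chart's default endpoints also point at `nova_api` and `nova_cell0` databases, and with `job_db_init: false` in aio-values.yaml nothing else in this series creates them, so nova-db-sync is likely to fail on the API and cell0 schemas; confirm against the chart's `endpoints.oslo_db_api` and `endpoints.oslo_db_cell0` values. Separately, `grantOption: true` on the Grant gives the service account WITH GRANT OPTION, which a service user that only needs to read and write its own schema does not require; `grantOption: false` keeps it to least privilege. `host: "%"` on both the User and the Grant accepts logins from any source address, which is acceptable only if the MariaDB service is unreachable from outside the cluster. The pair below adds `nova_api`; `nova_cell0` is the same pair with the names changed.
```yaml
---
apiVersion: mariadb.mmontes.io/v1alpha1
kind: Database
metadata:
  name: nova-api
  namespace: openstack
spec:
  name: nova_api  # database name differs from the resource name
  mariaDbRef:
    name: mariadb
    waitForIt: true
  characterSet: utf8
  collate: utf8_general_ci
  retryInterval: 5s
---
apiVersion: mariadb.mmontes.io/v1alpha1
kind: Grant
metadata:
  name: nova-api-grant
  namespace: openstack
spec:
  mariaDbRef:
    name: mariadb
    waitForIt: true
  privileges:
    - "ALL"
  database: "nova_api"
  table: "*"
  username: nova
  grantOption: false
  host: "%"
  retryInterval: 5s
# … unchanged: existing nova Database/User/Grant above; repeat this pair for nova_cell0 …
```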
@@ -0,0 +1,59 @@
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: User
+metadata:
+ name: nova
+ namespace: openstack
+spec:
+ tags:
+ - management # available tags are 'management', 'policymaker', 'monitoring' and 'administrator'
+ - policymaker
+ rabbitmqClusterReference:
+ name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource
+ namespace: openstack
+ importCredentialsSecret:
+ name: nova-rabbitmq-password
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Vhost
+metadata:
+ name: nova-vhost
+ namespace: openstack
+spec:
+ name: "nova" # vhost name; required and cannot be updated
+ defaultQueueType: quorum # default queue type for this vhost; require RabbitMQ version 3.11.12 or above
+ rabbitmqClusterReference:
+ name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource
+ namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Queue
+metadata:
+ name: nova-queue
+ namespace: openstack
+spec:
+ name: nova-qq # name of the queue
+ vhost: "nova" # default to '/' if not provided
+ type: quorum # without providing a queue type, rabbitmq creates a classic queue
+ autoDelete: false
+ durable: true # setting 'durable' to false means this queue won't survive a server restart
+ rabbitmqClusterReference:
+ name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource
+ namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+ name: nova-permission
+ namespace: openstack
+spec:
+ vhost: "nova" # name of a vhost
+ userReference:
+ name: "nova" # name of a user.rabbitmq.com in the same namespace; must specify either spec.userReference or spec.user
+ permissions:
+ write: ".*"
+ configure: ".*"
+ read: ".*"
+ rabbitmqClusterReference:
+ name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource
+ namespace: openstack
diff --git a/components/nova/values.tpl.yaml b/components/nova/values.tpl.yaml
new file mode 100644
index 000000000..ec1b430fe
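Review bot: The `nova` User is given the `policymaker` tag (on top of `management`), which lets this service account create and change policies and runtime parameters on the vhost; the `Permission` object already grants it configure/write/read on the `nova` vhost, which is all a publisher/consumer needs, so unless the chart's own rabbit-init job would have assigned the same tags, `tags: []` or `management` alone is the least-privilege choice. The `nova-qq` Queue is not a queue nova will address by name — oslo.messaging declares its own queues at runtime — so it looks carried over from the other components' manifests; if its only purpose is to force quorum queues, `defaultQueueType: quorum` on the Vhost already does that and the Queue object can go. The `importCredentialsSecret` name matches the `nova-rabbitmq-password` secret generated by scripts/easy-secrets-gen.sh in this series, which supplies both the `username` and `password` keys the operator expects.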
--- /dev/null
+++ b/components/nova/values.tpl.yaml
@@ -0,0 +1,8 @@
+# add your values.yaml overrides for the helm chart here
+
+network:
+ api:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ cert-manager.io/cluster-issuer: ${DEPLOY_NAME}-cluster-issuer
diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh
index 3f8ecf2a3..f12192fae 100755
--- a/scripts/easy-secrets-gen.sh
+++ b/scripts/easy-secrets-gen.sh
@@ -119,7 +119,12 @@ export NEUTRON_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)"
 export NEUTRON_DB_PASSWORD="$(./scripts/pwgen.sh)"
 # rabbitmq user password for the neutron queues
 export NEUTRON_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)"
-
+# nova keystone service account
+export NOVA_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)"
+# nova user password in mariadb for nova db
+export NOVA_DB_PASSWORD="$(./scripts/pwgen.sh)"
+# rabbitmq user password for the inovaronic queues
+export NOVA_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)"
 [ ! -f "${DEST_DIR}/secret-keystone-rabbitmq-password.yaml" ] && \
 kubectl --namespace openstack \
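Review bot: The comment on the new `NOVA_RABBITMQ_PASSWORD` export reads `# rabbitmq user password for the inovaronic queues`, which appears to be a mangled find-and-replace over the ironic block; it should read `# rabbitmq user password for the nova queues`. The hunk also removes the blank line that separated the neutron exports from the first `[ ! -f ... ]` secret-generation block, so the nova exports now run straight into it; keeping one blank line after `export NOVA_RABBITMQ_PASSWORD=...` preserves the section break the rest of the script uses.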
@@ -194,6 +199,30 @@ kubectl --namespace openstack \
 --from-literal=password="${NEUTRON_KEYSTONE_PASSWORD}" \
 --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-keystone-password.yaml"
+# nova credentials
+[ ! -f "${DEST_DIR}/secret-nova-rabbitmq-password.yaml" ] && \
+kubectl --namespace openstack \
+ create secret generic nova-rabbitmq-password \
+ --type Opaque \
+ --from-literal=username="nova" \
+ --from-literal=password="${NOVA_RABBITMQ_PASSWORD}" \
+ --dry-run=client -o yaml > "${DEST_DIR}/secret-nova-rabbitmq-password.yaml"
+
+[ ! -f "${DEST_DIR}/secret-nova-db-password.yaml" ] && \
+kubectl --namespace openstack \
+ create secret generic nova-db-password \
+ --type Opaque \
+ --from-literal=password="${NOVA_DB_PASSWORD}" \
+ --dry-run=client -o yaml > "${DEST_DIR}/secret-nova-db-password.yaml"
+
+[ ! -f "${DEST_DIR}/secret-nova-keystone-password.yaml" ] && \
+kubectl --namespace openstack \
+ create secret generic nova-keystone-password \
+ --type Opaque \
+ --from-literal=username="nova" \
+ --from-literal=password="${NOVA_KEYSTONE_PASSWORD}" \
+ --dry-run=client -o yaml > "${DEST_DIR}/secret-nova-keystone-password.yaml"
+
 if [ "x${DO_TMPL_VALUES}" = "xy" ]; then
 [ ! -f "${DEST_DIR}/secret-openstack.yaml" ] && \
 yq '(.. | select(tag == "!!str")) |= envsubst' \
From 32662890c16635ca01066be04780428b006b5fe8 Mon Sep 17 00:00:00 2001 From: nicholaskuechler Date: Tue, 25 Jun 2024 10:14:33 -0500 Subject: [PATCH 2/4] Switch secrets gen to use sealed secrets --- scripts/easy-secrets-gen.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh
index f12192fae..fd84a24b9 100755
--- a/scripts/easy-secrets-gen.sh
+++ b/scripts/easy-secrets-gen.sh
@@ -206,14 +206,14 @@ kubectl --namespace openstack \
 --type Opaque \
 --from-literal=username="nova" \
 --from-literal=password="${NOVA_RABBITMQ_PASSWORD}" \
- --dry-run=client -o yaml > "${DEST_DIR}/secret-nova-rabbitmq-password.yaml"
+ --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-nova-rabbitmq-password.yaml"
 [ ! -f "${DEST_DIR}/secret-nova-db-password.yaml" ] && \
 kubectl --namespace openstack \
 create secret generic nova-db-password \
 --type Opaque \
 --from-literal=password="${NOVA_DB_PASSWORD}" \
- --dry-run=client -o yaml > "${DEST_DIR}/secret-nova-db-password.yaml"
+ --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-nova-db-password.yaml"
 [ ! -f "${DEST_DIR}/secret-nova-keystone-password.yaml" ] && \
 kubectl --namespace openstack \
@@ -221,7 +221,7 @@ kubectl --namespace openstack \
 --type Opaque \
 --from-literal=username="nova" \
 --from-literal=password="${NOVA_KEYSTONE_PASSWORD}" \
- --dry-run=client -o yaml > "${DEST_DIR}/secret-nova-keystone-password.yaml"
+ --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-nova-keystone-password.yaml"
 if [ "x${DO_TMPL_VALUES}" = "xy" ]; then
 [ ! -f "${DEST_DIR}/secret-openstack.yaml" ] && \
From d45a868cc6bf90c30e1366937ea07d043b20cd76 Mon Sep 17 00:00:00 2001 From: nicholaskuechler Date: Wed, 26 Jun 2024 13:26:36 -0500 Subject: [PATCH 3/4] Removes unneeded nova component --- apps/components/nova.yaml | 39 --------------------------------------- 1 file changed, 39 deletions(-) delete mode 100644 apps/components/nova.yaml
diff --git a/apps/components/nova.yaml b/apps/components/nova.yaml
deleted file mode 100644
index a01cd5935..000000000
--- a/apps/components/nova.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: nova
-spec:
- project: understack
- sources:
- - repoURL: https://github.com/rackerlabs/understack.git
- path: components/nova/
- targetRevision: ${UC_REPO_REF}
- ref: understack
- - repoURL: https://tarballs.opendev.org/openstack/openstack-helm/
- chart: nova
- targetRevision: 0.3.42
- helm:
- releaseName: nova
- valueFiles:
- - $understack/components/openstack-2024.1-jammy.yaml
- - $understack/components/nova/aio-values.yaml
- - $secrets/secrets/${DEPLOY_NAME}/secret-openstack.yaml
- - $secrets/helm-configs/${DEPLOY_NAME}/nova.yaml
- - repoURL: ${UC_DEPLOY_GIT_URL}
- path: secrets/${DEPLOY_NAME}/
- targetRevision: ${UC_DEPLOY_REF}
- directory:
- include: 'secret-nova-*.yaml'
- ref: secrets
- destination:
- server: "https://kubernetes.default.svc"
- namespace: openstack
- syncPolicy:
- automated:
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
- managedNamespaceMetadata:
- labels:
- kubernetes.io/metadata.name: openstack
- name: openstack
From c6b0a7bfc3f66cf2b5a9123b0d724fc285d66d16 Mon Sep 17 00:00:00 2001 From: nicholaskuechler Date: Wed, 26 Jun 2024 13:30:07 -0500 Subject: [PATCH 4/4] update appsets and components for openstack --- apps/appsets/openstack/openstack.yaml | 4 +++ apps/components/neutron.yaml | 39 --------------------------- 2 files changed, 4 insertions(+), 39 deletions(-) delete mode 100644 apps/components/neutron.yaml
diff --git a/apps/appsets/openstack/openstack.yaml b/apps/appsets/openstack/openstack.yaml
index e84eb53b3..a58806c62 100644
--- a/apps/appsets/openstack/openstack.yaml
+++ b/apps/appsets/openstack/openstack.yaml
@@ -18,6 +18,10 @@ spec:
 chartVersion: 0.3.13
 - component: ironic
 chartVersion: 0.2.15
+ - component: neutron
+ chartVersion: 0.3.44
+ - component: nova
+ chartVersion: 0.3.42
 template:
 metadata:
 name: '{{.name}}-{{.component}}'
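Review bot: The added `chartVersion: 0.3.44` and `chartVersion: 0.3.42` entries (like the existing ones in context) are unquoted plain scalars that stay strings only because they contain two dots; a future single-dot version such as `0.4` would be read as a float, so `chartVersion: "0.3.44"` and `chartVersion: "0.3.42"` are the safer form. The openstack.yaml hunk also makes the ApplicationSet `template:` (outside the hunk) responsible for everything the deleted apps/components/nova.yaml and neutron.yaml carried per component — the `components/<component>/` source, the `$secrets/helm-configs/${DEPLOY_NAME}/<component>.yaml` value file and the `secret-<component>-*.yaml` directory include — none of which is visible here; confirm the template reproduces that layout before the per-component Applications are dropped in the same series.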
diff --git a/apps/components/neutron.yaml b/apps/components/neutron.yaml
deleted file mode 100644
index ef2162ba0..000000000
--- a/apps/components/neutron.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: neutron
-spec:
- project: understack
- sources:
- - repoURL: https://github.com/rackerlabs/understack.git
- path: components/neutron/
- targetRevision: ${UC_REPO_REF}
- ref: understack
- - repoURL: https://tarballs.opendev.org/openstack/openstack-helm/
- chart: neutron
- targetRevision: 0.3.44
- helm:
- releaseName: neutron
- valueFiles:
- - $understack/components/openstack-2024.1-jammy.yaml
- - $understack/components/neutron/aio-values.yaml
- - $secrets/secrets/${DEPLOY_NAME}/secret-openstack.yaml
- - $secrets/helm-configs/${DEPLOY_NAME}/neutron.yaml
- - repoURL: ${UC_DEPLOY_GIT_URL}
- path: secrets/${DEPLOY_NAME}/
- targetRevision: ${UC_DEPLOY_REF}
- directory:
- include: 'secret-neutron-*.yaml'
- ref: secrets
- destination:
- server: "https://kubernetes.default.svc"
- namespace: openstack
- syncPolicy:
- automated:
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
- managedNamespaceMetadata:
- labels:
- kubernetes.io/metadata.name: openstack
- name: openstack