feat: Adds OpenStack Neutron base install to UnderStack

rackerlabs · Jun 18, 2024 · 3330487 · 3330487
1 parent 9b0d5da
commit 3330487
Show file tree

Hide file tree

Showing 8 changed files with 273 additions and 0 deletions.
diff --git a/apps/components/neutron.yaml b/apps/components/neutron.yaml
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: neutron
+spec:
+  project: understack
+  sources:
+    - repoURL: https://github.com/rackerlabs/understack.git
+      path: components/neutron/
+      targetRevision: ${UC_REPO_REF}
+      ref: understack
+    - repoURL: https://tarballs.opendev.org/openstack/openstack-helm/
+      chart: neutron
+      targetRevision: 0.3.44
+      helm:
+        releaseName: neutron
+        valueFiles:
+          - $understack/components/openstack-2024.1-jammy.yaml
+          - $understack/components/neutron/aio-values.yaml
+          - $secrets/secrets/${DEPLOY_NAME}/secret-openstack.yaml
+          - $secrets/helm-configs/${DEPLOY_NAME}/neutron.yaml
+    - repoURL: ${UC_DEPLOY_GIT_URL}
+      path: secrets/${DEPLOY_NAME}/
+      targetRevision: ${UC_DEPLOY_REF}
+      directory:
+        include: 'secret-neutron-*.yaml'
+      ref: secrets
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: openstack
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    managedNamespaceMetadata:
+      labels:
+        kubernetes.io/metadata.name: openstack
+        name: openstack
diff --git a/components/neutron/README.md b/components/neutron/README.md
@@ -0,0 +1 @@
+# OpenStack Neutron
diff --git a/components/neutron/aio-values.yaml b/components/neutron/aio-values.yaml
@@ -0,0 +1,76 @@
+---
+release_group: null
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  oslo_messaging:
+    statefulset:
+      replicas: 3
+      name: rabbitmq-server
+    hosts:
+      default: rabbitmq-nodes
+
+# (nicholas.kuechler) updating the jobs list to remove the 'neutron-rabbit-init' job.
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs: null
+  static:
+    db_sync:
+      jobs:
+    dhcp:
+      jobs:
+    l3:
+      jobs:
+    lb_agent:
+      jobs:
+    metadata:
+      jobs:
+    ovs_agent:
+      jobs:
+    server:
+      jobs:
+        - neutron-db-sync
+        - neutron-ks-user
+        - neutron-ks-endpoints
+    rpc_server:
+      jobs:
+        - neutron-db-sync
+    ironic_agent:
+      jobs:
+        - neutron-db-sync
+        - neutron-ks-user
+        - neutron-ks-endpoints
+
+manifests:
+  job_db_init: false
+  job_rabbit_init: false
+  pod_rally_test: false
+  secret_db: false
+  secret_keystone: true
+  daemonset_dhcp_agent: false
+  daemonset_l3_agent: false
+  daemonset_lb_agent: false
+  daemonset_metadata_agent: false
+  daemonset_ovs_agent: false
+  daemonset_sriov_agent: false
+  daemonset_l2gw_agent: false
+  daemonset_bagpipe_bgp: false
+  daemonset_bgp_dragent: false
+  deployment_ironic_agent: true
+
+# We don't want to enable OpenStack Helm's
+# helm.sh/hooks because they set them as
+# post-install,post-upgrade which in ArgoCD
+# maps to PostSync. However the deployments
+# and statefulsets in OpenStack Helm
+# depend on the jobs to complete to become
+# healthy. Which they cannot because they are in
+# the post step and not in the main step.
+# Turning this on results in the keys jobs
+# editing the annotation which deletes the item
+# and wipes our keys.
+helm3_hook: false
diff --git a/components/neutron/kustomization.yaml b/components/neutron/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - neutron-mariadb-db.yaml
+  - neutron-rabbitmq-queue.yaml
diff --git a/components/neutron/neutron-mariadb-db.yaml b/components/neutron/neutron-mariadb-db.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: Database
+metadata:
+  name: neutron
+  namespace: openstack
+spec:
+  # If you want the database to be created with a different name than the resource name
+  # name: data-custom
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  characterSet: utf8
+  collate: utf8_general_ci
+  retryInterval: 5s
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: User
+metadata:
+  name: neutron
+  namespace: openstack
+spec:
+  # If you want the user to be created with a different name than the resource name
+  # name: user-custom
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  passwordSecretKeyRef:
+    name: neutron-db-password
+    key: password
+  # This field is immutable and defaults to 10, 0 means unlimited.
+  maxUserConnections: 0
+  host: "%"
+  retryInterval: 5s
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: Grant
+metadata:
+  name: neutron-grant
+  namespace: openstack
+spec:
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  privileges:
+    - "ALL"
+  database: "neutron"
+  table: "*"
+  username: neutron
+  grantOption: true
+  host: "%"
+  retryInterval: 5s
diff --git a/components/neutron/neutron-rabbitmq-queue.yaml b/components/neutron/neutron-rabbitmq-queue.yaml
@@ -0,0 +1,59 @@
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: User
+metadata:
+  name: neutron
+  namespace: openstack
+spec:
+  tags:
+  - management  # available tags are 'management', 'policymaker', 'monitoring' and 'administrator'
+  - policymaker
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
+  importCredentialsSecret:
+    name: neutron-rabbitmq-password
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Vhost
+metadata:
+  name: neutron-vhost
+  namespace: openstack
+spec:
+  name: "neutron"  # vhost name; required and cannot be updated
+  defaultQueueType: quorum  # default queue type for this vhost; require RabbitMQ version 3.11.12 or above
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Queue
+metadata:
+  name: neutron-queue
+  namespace: openstack
+spec:
+  name: neutron-qq  # name of the queue
+  vhost: "neutron"  # default to '/' if not provided
+  type: quorum  # without providing a queue type, rabbitmq creates a classic queue
+  autoDelete: false
+  durable: true  # setting 'durable' to false means this queue won't survive a server restart
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: neutron-permission
+  namespace: openstack
+spec:
+  vhost: "neutron"  # name of a vhost
+  userReference:
+    name: "neutron"  # name of a user.rabbitmq.com in the same namespace; must specify either spec.userReference or spec.user
+  permissions:
+    write: ".*"
+    configure: ".*"
+    read: ".*"
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
diff --git a/components/neutron/values.tpl.yaml b/components/neutron/values.tpl.yaml
@@ -0,0 +1,8 @@
+# add your values.yaml overrides for the helm chart here
+
+network:
+  api:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        cert-manager.io/cluster-issuer: ${DEPLOY_NAME}-cluster-issuer
diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh
@@ -111,6 +111,13 @@ export IRONIC_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)"
 export IRONIC_DB_PASSWORD="$(./scripts/pwgen.sh)"
 # rabbitmq user password for the ironic queues
 export IRONIC_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)"
+# neutron keystone service account
+export NEUTRON_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)"
+# neutron user password in mariadb for neutron db
+export NEUTRON_DB_PASSWORD="$(./scripts/pwgen.sh)"
+# rabbitmq user password for the neutron queues
+export NEUTRON_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)"
+
 
 [ ! -f "${DEST_DIR}/secret-keystone-rabbitmq-password.yaml" ] && \
 kubectl --namespace openstack \
@@ -161,6 +168,30 @@ kubectl --namespace openstack \
     --from-literal=password="${IRONIC_KEYSTONE_PASSWORD}" \
     --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-ironic-keystone-password.yaml"
 
+# neutron credentials
+[ ! -f "${DEST_DIR}/secret-neutron-rabbitmq-password.yaml" ] && \
+kubectl --namespace openstack \
+    create secret generic neutron-rabbitmq-password \
+    --type Opaque \
+    --from-literal=username="neutron" \
+    --from-literal=password="${NEUTRON_RABBITMQ_PASSWORD}" \
+    --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-rabbitmq-password.yaml"
+
+[ ! -f "${DEST_DIR}/secret-neutron-db-password.yaml" ] && \
+kubectl --namespace openstack \
+    create secret generic neutron-db-password \
+    --type Opaque \
+    --from-literal=password="${NEUTRON_DB_PASSWORD}" \
+    --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-db-password.yaml"
+
+[ ! -f "${DEST_DIR}/secret-neutron-keystone-password.yaml" ] && \
+kubectl --namespace openstack \
+    create secret generic neutron-keystone-password \
+    --type Opaque \
+    --from-literal=username="neutron" \
+    --from-literal=password="${NEUTRON_KEYSTONE_PASSWORD}" \
+    --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-keystone-password.yaml"
+
 if [ "x${DO_TMPL_VALUES}" = "xy" ]; then
     [ ! -f "${DEST_DIR}/secret-openstack.yaml" ] && \
     yq '(.. | select(tag == "!!str")) |= envsubst' \