From 3330487f48fafe0fb16d3b36357b4c45eaa29d30 Mon Sep 17 00:00:00 2001 From: nicholaskuechler Date: Tue, 18 Jun 2024 09:16:25 -0500 Subject: [PATCH] feat: Adds OpenStack Neutron base install to UnderStack --- apps/components/neutron.yaml | 39 ++++++++++ components/neutron/README.md | 1 + components/neutron/aio-values.yaml | 76 +++++++++++++++++++ components/neutron/kustomization.yaml | 7 ++ components/neutron/neutron-mariadb-db.yaml | 52 +++++++++++++ .../neutron/neutron-rabbitmq-queue.yaml | 59 ++++++++++++++ components/neutron/values.tpl.yaml | 8 ++ scripts/easy-secrets-gen.sh | 31 ++++++++ 8 files changed, 273 insertions(+) create mode 100644 apps/components/neutron.yaml create mode 100644 components/neutron/README.md create mode 100644 components/neutron/aio-values.yaml create mode 100644 components/neutron/kustomization.yaml create mode 100644 components/neutron/neutron-mariadb-db.yaml create mode 100644 components/neutron/neutron-rabbitmq-queue.yaml create mode 100644 components/neutron/values.tpl.yaml diff --git a/apps/components/neutron.yaml b/apps/components/neutron.yaml new file mode 100644 index 000000000..ef2162ba0 --- /dev/null +++ b/apps/components/neutron.yaml 
@@ -0,0 +1,39 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: neutron +spec: + project: understack + sources: + - repoURL: https://github.com/rackerlabs/understack.git + path: components/neutron/ + targetRevision: ${UC_REPO_REF} + ref: understack + - repoURL: https://tarballs.opendev.org/openstack/openstack-helm/ + chart: neutron + targetRevision: 0.3.44 + helm: + releaseName: neutron + valueFiles: + - $understack/components/openstack-2024.1-jammy.yaml + - $understack/components/neutron/aio-values.yaml + - $secrets/secrets/${DEPLOY_NAME}/secret-openstack.yaml + - $secrets/helm-configs/${DEPLOY_NAME}/neutron.yaml + - repoURL: ${UC_DEPLOY_GIT_URL} + path: secrets/${DEPLOY_NAME}/ + targetRevision: ${UC_DEPLOY_REF} + directory: + include: 'secret-neutron-*.yaml' + ref: secrets + destination: + server: "https://kubernetes.default.svc" + namespace: openstack + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + managedNamespaceMetadata: + labels: + kubernetes.io/metadata.name: openstack + name: openstack diff --git a/components/neutron/README.md b/components/neutron/README.md new file mode 100644 index 000000000..687f07e8c --- /dev/null +++ b/components/neutron/README.md @@ -0,0 +1 @@ +# OpenStack Neutron diff --git a/components/neutron/aio-values.yaml b/components/neutron/aio-values.yaml new file mode 100644 index 000000000..ee6a4ad3c --- /dev/null +++ b/components/neutron/aio-values.yaml 
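Review bot: The `helm.valueFiles` list pulls `$secrets/secrets/${DEPLOY_NAME}/secret-openstack.yaml` straight out of the deploy git repository as a plain Helm values file, while the per-service credentials in the same directory are only included through the `secret-neutron-*.yaml` glob, which the secrets script emits as sealed secrets. If `secret-openstack.yaml` is committed unsealed, the DB, RabbitMQ and Keystone passwords it carries for the chart live in plaintext in git; this hunk does not show how that file is produced, so please confirm it is sealed or otherwise encrypted before it lands in `${UC_DEPLOY_GIT_URL}`. Separately, `syncPolicy.automated` sets `selfHeal: true` but not `prune`, so resources later removed from `components/neutron/` (for example the kustomize-managed `User`/`Grant` objects) would stay in the cluster; if that is intentional, a one-line comment such as `# prune left off on purpose: operator-managed DB/queue objects must be removed by hand` would save the next reader the question.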
@@ -0,0 +1,76 @@ +--- +release_group: null + +# typically overridden by environmental +# values, but should include all endpoints +# required by this chart +endpoints: + oslo_messaging: + statefulset: + replicas: 3 + name: rabbitmq-server + hosts: + default: rabbitmq-nodes + +# (nicholas.kuechler) updating the jobs list to remove the 'neutron-rabbit-init' job. +dependencies: + dynamic: + common: + local_image_registry: + jobs: null + static: + db_sync: + jobs: + dhcp: + jobs: + l3: + jobs: + lb_agent: + jobs: + metadata: + jobs: + ovs_agent: + jobs: + server: + jobs: + - neutron-db-sync + - neutron-ks-user + - neutron-ks-endpoints + rpc_server: + jobs: + - neutron-db-sync + ironic_agent: + jobs: + - neutron-db-sync + - neutron-ks-user + - neutron-ks-endpoints + +manifests: + job_db_init: false + job_rabbit_init: false + pod_rally_test: false + secret_db: false + secret_keystone: true + daemonset_dhcp_agent: false + daemonset_l3_agent: false + daemonset_lb_agent: false + daemonset_metadata_agent: false + daemonset_ovs_agent: false + daemonset_sriov_agent: false + daemonset_l2gw_agent: false + daemonset_bagpipe_bgp: false + daemonset_bgp_dragent: false + deployment_ironic_agent: true + +# We don't want to enable OpenStack Helm's +# helm.sh/hooks because they set them as +# post-install,post-upgrade which in ArgoCD +# maps to PostSync. However the deployments +# and statefulsets in OpenStack Helm +# depend on the jobs to complete to become +# healthy. Which they cannot because they are in +# the post step and not in the main step. +# Turning this on results in the keys jobs +# editing the annotation which deletes the item +# and wipes our keys. +helm3_hook: false diff --git a/components/neutron/kustomization.yaml b/components/neutron/kustomization.yaml new file mode 100644 index 000000000..ddef0dd97 --- /dev/null +++ b/components/neutron/kustomization.yaml 
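Review bot: The `dependencies.static.*.jobs:` entries for `db_sync`, `dhcp`, `l3`, `lb_agent`, `metadata` and `ovs_agent` are left as bare keys, which YAML parses as `null`; that is the intended effect per the comment above them (dropping `neutron-rabbit-init`), but a bare value reads like an unfinished edit and yamllint's `empty-values` rule will flag it. Writing `jobs: null` explicitly, as `local_image_registry.jobs: null` already does three lines earlier, makes the intent unambiguous and keeps the file self-consistent. The same comment carries a personal attribution, `(nicholas.kuechler)`; git blame already records that, so the comment is clearer as `# Drop the 'neutron-rabbit-init' job: the RabbitMQ user/vhost are created by the topology operator instead.` Note also that with `manifests.job_db_init: false` and `secret_db: false` the chart no longer creates the database credentials, so the `endpoints.oslo_db` password supplied through the environment values must match the `neutron-db-password` secret consumed by the MariaDB `User` resource; nothing in this hunk enforces that, so it is worth a comment here.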
@@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - neutron-mariadb-db.yaml + - neutron-rabbitmq-queue.yaml diff --git a/components/neutron/neutron-mariadb-db.yaml b/components/neutron/neutron-mariadb-db.yaml new file mode 100644 index 000000000..6508f62d3 --- /dev/null +++ b/components/neutron/neutron-mariadb-db.yaml @@ -0,0 +1,52 @@ +--- +apiVersion: mariadb.mmontes.io/v1alpha1 +kind: Database +metadata: + name: neutron + namespace: openstack +spec: + # If you want the database to be created with a different name than the resource name + # name: data-custom + mariaDbRef: + name: mariadb # name of the MariaDB kind + waitForIt: true + characterSet: utf8 + collate: utf8_general_ci + retryInterval: 5s +--- +apiVersion: mariadb.mmontes.io/v1alpha1 +kind: User +metadata: + name: neutron + namespace: openstack +spec: + # If you want the user to be created with a different name than the resource name + # name: user-custom + mariaDbRef: + name: mariadb # name of the MariaDB kind + waitForIt: true + passwordSecretKeyRef: + name: neutron-db-password + key: password + # This field is immutable and defaults to 10, 0 means unlimited. + maxUserConnections: 0 + host: "%" + retryInterval: 5s +--- +apiVersion: mariadb.mmontes.io/v1alpha1 +kind: Grant +metadata: + name: neutron-grant + namespace: openstack +spec: + mariaDbRef: + name: mariadb # name of the MariaDB kind + waitForIt: true + privileges: + - "ALL" + database: "neutron" + table: "*" + username: neutron + grantOption: true + host: "%" + retryInterval: 5s diff --git a/components/neutron/neutron-rabbitmq-queue.yaml b/components/neutron/neutron-rabbitmq-queue.yaml new file mode 100644 index 000000000..4a0ee2137 --- /dev/null +++ b/components/neutron/neutron-rabbitmq-queue.yaml 
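Review bot: In the `Grant` resource, `grantOption: true` gives the `neutron` service account the ability to re-grant its `ALL` privileges on `neutron.*` to other MariaDB accounts, which a service account performing schema migrations and DML never needs; combined with `host: "%"` on both the `User` and the `Grant`, a leaked `neutron-db-password` would let an attacker from any pod mint further database users. Change the grant to `grantOption: false` and keep `ALL` scoped to the `neutron` database only, as it already is. If the cluster network policy does not confine MariaDB clients, also consider narrowing `host: "%"` to the pod CIDR or the `openstack` namespace's service addresses, and note that `maxUserConnections: 0` (unlimited) is documented inline as immutable, so pick the value deliberately now.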
@@ -0,0 +1,59 @@ +--- +apiVersion: rabbitmq.com/v1beta1 +kind: User +metadata: + name: neutron + namespace: openstack +spec: + tags: + - management # available tags are 'management', 'policymaker', 'monitoring' and 'administrator' + - policymaker + rabbitmqClusterReference: + name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource + namespace: openstack + importCredentialsSecret: + name: neutron-rabbitmq-password +--- +apiVersion: rabbitmq.com/v1beta1 +kind: Vhost +metadata: + name: neutron-vhost + namespace: openstack +spec: + name: "neutron" # vhost name; required and cannot be updated + defaultQueueType: quorum # default queue type for this vhost; require RabbitMQ version 3.11.12 or above + rabbitmqClusterReference: + name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource + namespace: openstack +--- +apiVersion: rabbitmq.com/v1beta1 +kind: Queue +metadata: + name: neutron-queue + namespace: openstack +spec: + name: neutron-qq # name of the queue + vhost: "neutron" # default to '/' if not provided + type: quorum # without providing a queue type, rabbitmq creates a classic queue + autoDelete: false + durable: true # setting 'durable' to false means this queue won't survive a server restart + rabbitmqClusterReference: + name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource + namespace: openstack +--- +apiVersion: rabbitmq.com/v1beta1 +kind: Permission +metadata: + name: neutron-permission + namespace: openstack +spec: + vhost: "neutron" # name of a vhost + userReference: + name: "neutron" # name of a user.rabbitmq.com in the same namespace; must specify either spec.userReference or spec.user + permissions: + write: ".*" + configure: ".*" + read: ".*" + rabbitmqClusterReference: + name: rabbitmq # rabbitmqCluster must exist in the same namespace as this resource + namespace: openstack 
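Review bot: The RabbitMQ `User` for the neutron service is tagged `management` and `policymaker`, which grants it the management API/UI and the ability to create or change policies and parameters on every vhost it can reach; oslo.messaging only needs the `configure`/`write`/`read` permissions that the `Permission` resource below already grants on the `neutron` vhost. Remove the two tag entries (or set `tags: []`) so a compromised `neutron-rabbitmq-password` cannot reach the management interface or rewrite queue policies. The pre-declared `neutron-qq` quorum queue looks unused by the chart as far as this patch shows, since oslo.messaging declares its own exchanges and queues at startup; if it is only there to exercise the vhost's `defaultQueueType: quorum`, a comment saying so would help, otherwise it can be dropped.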
diff --git a/components/neutron/values.tpl.yaml b/components/neutron/values.tpl.yaml new file mode 100644 index 000000000..ec1b430fe --- /dev/null +++ b/components/neutron/values.tpl.yaml @@ -0,0 +1,8 @@ +# add your values.yaml overrides for the helm chart here + +network: + api: + ingress: + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + cert-manager.io/cluster-issuer: ${DEPLOY_NAME}-cluster-issuer diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh index 345c116a3..d92161e90 100755 --- a/scripts/easy-secrets-gen.sh +++ b/scripts/easy-secrets-gen.sh @@ -111,6 +111,13 @@ export IRONIC_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)" export IRONIC_DB_PASSWORD="$(./scripts/pwgen.sh)" # rabbitmq user password for the ironic queues export IRONIC_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" +# neutron keystone service account +export NEUTRON_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)" +# neutron user password in mariadb for neutron db +export NEUTRON_DB_PASSWORD="$(./scripts/pwgen.sh)" +# rabbitmq user password for the neutron queues +export NEUTRON_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" + [ ! -f "${DEST_DIR}/secret-keystone-rabbitmq-password.yaml" ] && \ kubectl --namespace openstack \ 
@@ -161,6 +168,30 @@ kubectl --namespace openstack \ --from-literal=password="${IRONIC_KEYSTONE_PASSWORD}" \ --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-ironic-keystone-password.yaml" +# neutron credentials +[ ! -f "${DEST_DIR}/secret-neutron-rabbitmq-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic neutron-rabbitmq-password \ + --type Opaque \ + --from-literal=username="neutron" \ + --from-literal=password="${NEUTRON_RABBITMQ_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-rabbitmq-password.yaml" + +[ ! -f "${DEST_DIR}/secret-neutron-db-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic neutron-db-password \ + --type Opaque \ + --from-literal=password="${NEUTRON_DB_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-db-password.yaml" + +[ ! -f "${DEST_DIR}/secret-neutron-keystone-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic neutron-keystone-password \ + --type Opaque \ + --from-literal=username="neutron" \ + --from-literal=password="${NEUTRON_KEYSTONE_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-keystone-password.yaml" + if [ "x${DO_TMPL_VALUES}" = "xy" ]; then [ ! -f "${DEST_DIR}/secret-openstack.yaml" ] && \ yq '(.. | select(tag == "!!str")) |= envsubst' \
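Review bot: Each of the three new blocks is guarded by `[ ! -f "${DEST_DIR}/secret-neutron-…" ] &&`, but the `NEUTRON_*_PASSWORD` values they seal are freshly generated on every run of the script; if only some of the three files already exist, or if `secret-openstack.yaml` (rendered from the same variables further down, behind its own `[ ! -f ]` guard) is regenerated while the sealed secrets are kept, the operator-side credentials in the MariaDB/RabbitMQ `User` resources and the chart-side Helm values will silently diverge and neutron will fail to authenticate. Consider detecting a partial set and aborting with a message, e.g. `[ -f "${DEST_DIR}/secret-neutron-db-password.yaml" ] && echo "secret-neutron-db-password.yaml exists; delete all neutron secret files to regenerate" >&2 && exit 1`, or loading the existing passwords back into the variables before sealing. Also, if this script does not run with `set -o pipefail` (the header is outside this hunk), a failing `kubectl … --dry-run=client` still lets `secret-seal-stdin` write an empty or partial sealed-secret file that ArgoCD will then try to apply.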