-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
170 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| # OpenStack Ironic | ||
|
|
||
| So unfortunately OpenStack Helm doesn't publish helm charts that can be consumed like | ||
| regular helm charts. You must instead clone two of their git repos side by side and | ||
| build the dependencies manually. They additionally don't split out secrets but instead | ||
| template them into giant config files or even executable scripts that then get stored | ||
| as secrets, a clear violation of <https://12factor.net>. As a result we cannot store | ||
| a declarative config of Keystone and allow users to supply their own secrets. | ||
|
|
||
| Due to the above issues, for now we'll skip the ArgoCD ability for this deployment. | ||
|
|
||
| ## Get OpenStack Helm Ready | ||
|
|
||
| You may have done this for another OpenStack component and can share the same | ||
| git clones. This assumes you're doing this from the top level of this repo. | ||
|
|
||
| ```bash | ||
| # clone the two repos because they reference the infra one as a relative path | ||
| # so you can't use real helm commands | ||
| git clone https://github.com/openstack/openstack-helm | ||
| git clone https://github.com/openstack/openstack-helm-infra | ||
| # update the dependencies cause we can't use real helm references | ||
| ./scripts/openstack-helm-depend-sync.sh ironic | ||
| ``` | ||
|
|
||
| ## Deploy Ironic | ||
|
|
||
| Since we cannot refer to the secrets by name, we must look them up live from the cluster | ||
| so that we can injected them into the templated configs. Upstream should really allow | ||
| secrets to be passed by reference. As a result of this we cannot use GitOps to generate | ||
| these charts and have them applied to the cluster. | ||
|
|
||
| Secrets Reference: | ||
|
|
||
| - openstack-default-user is created by the messaging-topology-operator which is | ||
| executed by the rabbitmq-queues component. The name stems from the RabbitMQ | ||
| cluster from the rabbitmq-cluster component. `${CLUSTER_NAME}-default-user` | ||
|
|
||
| ```bash | ||
| helm --namespace openstack template \ | ||
| ironic \ | ||
| ./openstack-helm/ironic/ \ | ||
| -f components/13-ironic/aio-values.yaml \ | ||
| --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ | ||
| --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ | ||
| --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \ | ||
| --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret openstack-default-user -o jsonpath='{.data.password}' | base64 -d)" \ | ||
| --set endpoints.oslo_messaging.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ | ||
| --post-renderer $(git rev-parse --show-toplevel)/scripts/openstack-helm-sealed-secrets.sh \ | ||
| | kubectl -n openstack apply -f - | ||
| ``` | ||
|
|
||
| At this point Keystone will go through some initialization and start uo. | ||
|
|
||
| ## Validating Keystone | ||
|
|
||
| You can run an OpenStack client in the cluster to validate it is running correctly. | ||
|
|
||
| ```bash | ||
| # start up a pod with the client | ||
| kubectl -n openstack apply -f https://raw.githubusercontent.com/rackerlabs/genestack/main/manifests/utils/utils-openstack-client-admin.yaml | ||
| ``` | ||
|
|
||
| Show the catalog list | ||
|
|
||
| ```bash | ||
| kubectl exec -it openstack-admin-client -n openstack -- openstack catalog list | ||
| ``` | ||
|
|
||
| Show the service list | ||
|
|
||
| ```bash | ||
| kubectl exec -it openstack-admin-client -n openstack -- openstack service list | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| --- | ||
|
|
||
| images: | ||
| tags: | ||
| ironic_manage_cleaning_network: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy" | ||
| ironic_retrive_cleaning_network: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy" | ||
| ironic_retrive_swift_config: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy" | ||
| bootstrap: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy" | ||
| db_init: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy" | ||
| db_drop: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy" | ||
| ironic_db_sync: "docker.io/openstackhelm/ironic:2023.1-ubuntu_jammy" | ||
| ironic_api: "docker.io/openstackhelm/ironic:2023.1-ubuntu_jammy" | ||
| ironic_conductor: "docker.io/openstackhelm/ironic:2023.1-ubuntu_jammy" | ||
| ironic_pxe: "docker.io/openstackhelm/ironic:2023.1-ubuntu_jammy" | ||
| ironic_pxe_init: "docker.io/openstackhelm/ironic:2023.1-ubuntu_jammy" | ||
| ironic_pxe_http: docker.io/nginx:1.13.3 | ||
| ks_user: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy" | ||
| ks_service: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy" | ||
| ks_endpoints: "docker.io/openstackhelm/heat:2023.1-ubuntu_jammy" | ||
| rabbit_init: docker.io/rabbitmq:3.7-management | ||
| dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 | ||
| image_repo_sync: docker.io/docker:17.07.0 | ||
| pull_policy: "IfNotPresent" | ||
| local_registry: | ||
| active: false | ||
| exclude: | ||
| - dep_check | ||
| - image_repo_sync | ||
|
|
||
| bootstrap: | ||
| image: | ||
| enabled: false | ||
| openstack: | ||
| enabled: false | ||
| network: | ||
| enabled: false | ||
| openstack: | ||
| enabled: false | ||
| object_store: | ||
| enabled: false | ||
| openstack: | ||
| enabled: false | ||
|
|
||
| conf: | ||
| ironic: | ||
| ironic_conductor: | ||
| automated_clean: false | ||
|
|
||
| endpoints: | ||
| identity: | ||
| name: keystone | ||
|
|
||
| network: | ||
| api: | ||
| ingress: | ||
| public: true | ||
| classes: | ||
| namespace: "nginx" | ||
| cluster: "nginx-openstack" | ||
| annotations: | ||
| nginx.ingress.kubernetes.io/rewrite-target: / | ||
| external_policy_local: false | ||
| node_port: | ||
| enabled: false | ||
|
|
||
| dependencies: | ||
| dynamic: | ||
| common: | ||
| local_image_registry: | ||
| jobs: null | ||
| static: | ||
| api: | ||
| jobs: | ||
| - ironic-db-sync | ||
| - ironic-ks-user | ||
| - ironic-ks-endpoints | ||
| services: | ||
| - endpoint: internal | ||
| service: oslo_db | ||
| - endpoint: internal | ||
| service: oslo_messaging | ||
| conductor: | ||
| jobs: | ||
| - ironic-db-sync | ||
| - ironic-ks-user | ||
| - ironic-ks-endpoints | ||
| services: | ||
| - endpoint: internal | ||
| service: oslo_db | ||
| - endpoint: internal | ||
| service: oslo_messaging | ||
|
|
||
| manifests: | ||
| job_manage_cleaning_network: false | ||
| job_rabbit_init: false | ||
| secret_registry: false |