feat: Adds nova to understack

rackerlabs · Jun 18, 2024 · 979fe51 · 979fe51
1 parent fec9f57
commit 979fe51
Show file tree

Hide file tree

Showing 8 changed files with 271 additions and 1 deletion.
diff --git a/apps/components/nova.yaml b/apps/components/nova.yaml
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nova
+spec:
+  project: understack
+  sources:
+    - repoURL: https://github.com/rackerlabs/understack.git
+      path: components/nova/
+      targetRevision: ${UC_REPO_REF}
+      ref: understack
+    - repoURL: https://tarballs.opendev.org/openstack/openstack-helm/
+      chart: nova
+      targetRevision: 0.3.42
+      helm:
+        releaseName: nova
+        valueFiles:
+          - $understack/components/openstack-2024.1-jammy.yaml
+          - $understack/components/nova/aio-values.yaml
+          - $secrets/secrets/${DEPLOY_NAME}/secret-openstack.yaml
+          - $secrets/helm-configs/${DEPLOY_NAME}/nova.yaml
+    - repoURL: ${UC_DEPLOY_GIT_URL}
+      path: secrets/${DEPLOY_NAME}/
+      targetRevision: ${UC_DEPLOY_REF}
+      directory:
+        include: 'secret-nova-*.yaml'
+      ref: secrets
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: openstack
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    managedNamespaceMetadata:
+      labels:
+        kubernetes.io/metadata.name: openstack
+        name: openstack
diff --git a/components/nova/README.md b/components/nova/README.md
@@ -0,0 +1 @@
+# OpenStack Nova
diff --git a/components/nova/aio-values.yaml b/components/nova/aio-values.yaml
@@ -0,0 +1,75 @@
+---
+release_group: null
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  oslo_messaging:
+    statefulset:
+      replicas: 3
+      name: rabbitmq-server
+    hosts:
+      default: rabbitmq-nodes
+
+# (nicholas.kuechler) Using custom dependencies in order to
+# prevent the nova-db-init and nova-rabbit-init jobs from running
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs: null
+  static:
+    api:
+      jobs:
+        - nova-db-sync
+        - nova-ks-user
+        - nova-ks-endpoints
+    api_metadata:
+      jobs:
+        - nova-db-sync
+        - nova-ks-user
+        - nova-ks-endpoints
+    cell_setup:
+      jobs:
+        - nova-db-sync
+    service_cleaner:
+      jobs:
+        - nova-db-sync
+    compute:
+      jobs:
+        - nova-db-sync
+    compute_ironic:
+      jobs:
+        - nova-db-sync
+    conductor:
+      jobs:
+        - nova-db-sync
+    archive_deleted_rows:
+      jobs:
+        - nova-db-sync
+    db_sync:
+      jobs:
+    scheduler:
+      jobs:
+        - nova-db-sync
+
+manifests:
+  job_db_init: false
+  job_rabbit_init: false
+  pod_rally_test: false
+  secret_db: false
+  secret_keystone: true
+
+# we don't want to enable OpenStack Helm's
+# helm.sh/hooks because they set them as
+# post-install,post-upgrade which in ArgoCD
+# maps to PostSync. However the deployments
+# and statefulsets in OpenStack Helm
+# depend on the jobs to complete to become
+# healthy. Which they cannot because they are in
+# the post step and not in the main step.
+# Turning this on results in the keys jobs
+# editing the annotation which deletes the item
+# and wipes our keys.
+helm3_hook: false
diff --git a/components/nova/kustomization.yaml b/components/nova/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - nova-mariadb-db.yaml
+  - nova-rabbitmq-queue.yaml
diff --git a/components/nova/nova-mariadb-db.yaml b/components/nova/nova-mariadb-db.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: Database
+metadata:
+  name: nova
+  namespace: openstack
+spec:
+  # If you want the database to be created with a different name than the resource name
+  # name: data-custom
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  characterSet: utf8
+  collate: utf8_general_ci
+  retryInterval: 5s
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: User
+metadata:
+  name: nova
+  namespace: openstack
+spec:
+  # If you want the user to be created with a different name than the resource name
+  # name: user-custom
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  passwordSecretKeyRef:
+    name: nova-db-password
+    key: password
+  # This field is immutable and defaults to 10, 0 means unlimited.
+  maxUserConnections: 0
+  host: "%"
+  retryInterval: 5s
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: Grant
+metadata:
+  name: nova-grant
+  namespace: openstack
+spec:
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  privileges:
+    - "ALL"
+  database: "nova"
+  table: "*"
+  username: nova
+  grantOption: true
+  host: "%"
+  retryInterval: 5s
diff --git a/components/nova/nova-rabbitmq-queue.yaml b/components/nova/nova-rabbitmq-queue.yaml
@@ -0,0 +1,59 @@
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: User
+metadata:
+  name: nova
+  namespace: openstack
+spec:
+  tags:
+  - management  # available tags are 'management', 'policymaker', 'monitoring' and 'administrator'
+  - policymaker
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
+  importCredentialsSecret:
+    name: nova-rabbitmq-password
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Vhost
+metadata:
+  name: nova-vhost
+  namespace: openstack
+spec:
+  name: "nova"  # vhost name; required and cannot be updated
+  defaultQueueType: quorum  # default queue type for this vhost; require RabbitMQ version 3.11.12 or above
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Queue
+metadata:
+  name: nova-queue
+  namespace: openstack
+spec:
+  name: nova-qq  # name of the queue
+  vhost: "nova"  # default to '/' if not provided
+  type: quorum  # without providing a queue type, rabbitmq creates a classic queue
+  autoDelete: false
+  durable: true  # setting 'durable' to false means this queue won't survive a server restart
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: nova-permission
+  namespace: openstack
+spec:
+  vhost: "nova"  # name of a vhost
+  userReference:
+    name: "nova"  # name of a user.rabbitmq.com in the same namespace; must specify either spec.userReference or spec.user
+  permissions:
+    write: ".*"
+    configure: ".*"
+    read: ".*"
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
diff --git a/components/nova/values.tpl.yaml b/components/nova/values.tpl.yaml
@@ -0,0 +1,8 @@
+# add your values.yaml overrides for the helm chart here
+
+network:
+  api:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        cert-manager.io/cluster-issuer: ${DEPLOY_NAME}-cluster-issuer
diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh
@@ -117,7 +117,12 @@ export NEUTRON_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)"
 export NEUTRON_DB_PASSWORD="$(./scripts/pwgen.sh)"
 # rabbitmq user password for the neutron queues
 export NEUTRON_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)"
-
+# nova keystone service account
+export NOVA_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)"
+# nova user password in mariadb for nova db
+export NOVA_DB_PASSWORD="$(./scripts/pwgen.sh)"
+# rabbitmq user password for the inovaronic queues
+export NOVA_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)"
 
 [ ! -f "${DEST_DIR}/secret-keystone-rabbitmq-password.yaml" ] && \
 kubectl --namespace openstack \
@@ -192,6 +197,30 @@ kubectl --namespace openstack \
     --from-literal=password="${NEUTRON_KEYSTONE_PASSWORD}" \
     --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-keystone-password.yaml"
 
+# nova credentials
+[ ! -f "${DEST_DIR}/secret-nova-rabbitmq-password.yaml" ] && \
+kubectl --namespace openstack \
+    create secret generic nova-rabbitmq-password \
+    --type Opaque \
+    --from-literal=username="nova" \
+    --from-literal=password="${NOVA_RABBITMQ_PASSWORD}" \
+    --dry-run=client -o yaml > "${DEST_DIR}/secret-nova-rabbitmq-password.yaml"
+
+[ ! -f "${DEST_DIR}/secret-nova-db-password.yaml" ] && \
+kubectl --namespace openstack \
+    create secret generic nova-db-password \
+    --type Opaque \
+    --from-literal=password="${NOVA_DB_PASSWORD}" \
+    --dry-run=client -o yaml > "${DEST_DIR}/secret-nova-db-password.yaml"
+
+[ ! -f "${DEST_DIR}/secret-nova-keystone-password.yaml" ] && \
+kubectl --namespace openstack \
+    create secret generic nova-keystone-password \
+    --type Opaque \
+    --from-literal=username="nova" \
+    --from-literal=password="${NOVA_KEYSTONE_PASSWORD}" \
+    --dry-run=client -o yaml > "${DEST_DIR}/secret-nova-keystone-password.yaml"
+
 if [ "x${DO_TMPL_VALUES}" = "xy" ]; then
     [ ! -f "${DEST_DIR}/secret-openstack.yaml" ] && \
     yq '(.. | select(tag == "!!str")) |= envsubst' \