Skip to content

Commit

Permalink
Octavia adoption docs
Browse files Browse the repository at this point in the history 
Adoption of public SSH key for Amphorae

OSPNET-1078
  • Loading branch information
@weinimo
weinimo committed Dec 17, 2024
1 parent 6a8b4e9 commit 99d4611
Show file tree
Hide file tree
Showing 8 changed files with 294 additions and 21 deletions.
2 changes: 1 addition & 1 deletion docs_user/modules/proc_adopting-the-identity-service.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ control plane, excluding the {identity_service} and its endpoints:
----
$ openstack endpoint list | grep keystone | awk '/admin/{ print $2; }' | xargs ${BASH_ALIASES[openstack]} endpoint delete || true
for service in aodh heat heat-cfn barbican cinderv3 glance gnocchi manila manilav2 neutron nova placement swift ironic-inspector ironic; do
for service in aodh heat heat-cfn barbican cinderv3 glance gnocchi manila manilav2 neutron nova placement swift ironic-inspector ironic octavia; do
openstack service list | awk "/ $service /{ print \$2; }" | xargs -r ${BASH_ALIASES[openstack]} service delete || true
done
----
Expand Down
259 changes: 242 additions & 17 deletions docs_user/modules/proc_adopting-the-loadbalancer-service.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,39 +5,264 @@
During the adoption process the {loadbalancer_first_ref} service
must stay disabled in the new control plane.

== Certificates
Before running the script below the shell variables `CONTROLLER1_SSH` and
`CONTROLLER1_SCP` must be set to contain the command to log into one of the
controllers using `ssh` and `scp` respectively as root user as shown below.
== Control plane adoption steps

. Create an alias for the `openstack` command
+
[source,bash]
----
$ CONTROLLER1_SSH="ssh -i <path to the ssh key> [email protected]"
$ CONTROLLER1_SCP="scp -i <path to the ssh key> [email protected]"
$ alias openstack="oc exec -t openstackclient -- openstack"
----

Make sure to replace `<path to the ssh key>` with the correct path to the ssh
key for connecting to the controller.

. Certificates
+
Before running the script below set the
`CONTROLLER1_SCP` shell variable based on the value of the
existing `CONTROLLER1_SSH` variable:
+
[source,bash]
----
$ CONTROLLER1_SCP=$(echo "$CONTROLLER1_SSH" | sed 's/^ssh/scp/g')
----
+
Then run the following set of commands in order to regenerate the
keys and certificates and install the data in OpenShift. These
commands convert the existing single CA configuration into a
dual CA configuration.
+
[source,bash]
----
include::../../tests/roles/dataplane_adoption/tasks/octavia_certs.yaml[lines="7..83",indent=0]
----

These commands convert the existing single CA configuration into a dual CA configuration.
. (Optional) Public SSH key of Amphorae
+
These commands will copy the existing public SSH key that can be used for connecting to the amphorae and installs it in Openshift.
+
[source,bash]
----
include::../../tests/roles/dataplane_adoption/tasks/octavia_ssh.yaml[lines="7..20",indent=0]
----

// == TODO: Other things
// TODO
. Add the octavia interfaces to each NodeNetworkConfigurationPolicy.
+
The following command adds the network interface that is being
used as the VLAN base interface for the management network
(in this example `enp6s0`) for network isolation on the OpenShift nodes.
Please replace `enp6s0` with the name of the network interface in your
OpenShift setup. The correct mtu value depends on the requirements of your environment and might need to be changed as well.
+
[source,bash]
----
oc get -n openstack --no-headers nncp | cut -f 1 -d ' ' | while read ; do
oc patch -n openstack nncp $REPLY --type=merge --patch '
spec:
desiredState:
interfaces:
- description: Octavia vlan host interface
name: enp6s0.24
state: up
type: vlan
vlan:
base-iface: enp6s0
id: 24
- bridge:
options:
stp:
enabled: false
port:
- name: enp6s0.24
description: Configuring bridge octbr
mtu: 1500
name: octbr
state: up
type: linux-bridge
'
done
----

== Enabling the {loadbalancer_service} in OpenShift
Run the following command in order to enable the {loadbalancer_service} CR.
. Configure the network attachment definition
+
The `octavia` network attachment is needed to connect pods
that manage amphorae
and the OpenvSwitch pods (managed by the OVN operator):
+
[source,bash]
----
$ cat >> octavia-nad.yaml << EOF_CAT
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
labels:
osp/net: octavia
name: octavia
namespace: openstack
spec:
config: |
{
"cniVersion": "0.3.1",
"name": "octavia",
"type": "bridge",
"bridge": "octbr",
"ipam": {
"type": "whereabouts",
"range": "172.23.0.0/24",
"range_start": "172.23.0.30",
"range_end": "172.23.0.70",
"routes": [
{
"dst": "172.24.0.0/16",
"gw" : "172.23.0.150"
}
]
}
}
EOF_CAT
$ oc apply -n openstack -f octavia-nad.yaml
----

. Enable the {loadbalancer_service} service in OpenShift
+
[source,bash]
----
$ oc patch openstackcontrolplane openstack --type=merge --patch '
$ oc patch openstackcontrolplane openstack -n openstack --type=merge --patch '
spec:
ovn:
template:
ovnController:
networkAttachment: tenant
nicMappings:
octavia: octbr
octavia:
enabled: true
template: {}
template:
apacheContainerImage: registry.redhat.io/rhel8/httpd-24:latest
amphoraImageContainerImage: quay.io/gthiemonge/octavia-amphora-image
databaseInstance: openstack
octaviaHousekeeping:
networkAttachments:
- octavia
octaviaHealthManager:
networkAttachments:
- octavia
octaviaWorker:
networkAttachments:
- octavia
'
----

. Wait for the {loadbalancer_service} control plane services CRs to become ready
+
[source,bash]
----
$ oc wait --for condition=Ready --timeout=300s octavia.octavia.openstack.org octavia
----
+

. Ensure the {loadbalancer_service} service is registered in the {identity_service}:
+
[source,bash]
----
$ openstack service list | grep load-balancer
| bd078ca6f90c4b86a48801f45eb6f0d7 | octavia | load-balancer |
$ openstack endpoint list | grep load-balancer
| f1ae7756b6164baf9cb82a1a670067a2 | regionOne | octavia | load-balancer | True | public | https://octavia-public-openstack.apps-crc.testing |
| ff3222b4621843669e89843395213049 | regionOne | octavia | load-balancer | True | internal | http://octavia-internal.openstack.svc:9876 |
----

== Clean up old resources

. Change the ONBOOT option in the network script for the management interface to no.
+
Connect to each of the controllers on the old control plane, open the configuration script for the management interface
(e.g. `/etc/sysconfig/network-scripts/ifcfg-o-hm0`, the exact name depends on the previous `OctaviaMgmtPortDevName` setting).
Change the line `ONBOOT=yes` to `ONBOOT=no` so the interface does not get enabled automatically on reboot anymore.

. Delete old flavors that have been migrated
+
[source,bash]
----
$ openstack flavor list --all | grep octavia
| 484c351a-57ca-4a4b-8e6e-93d31596fec5 | octavia-amphora-4vcpus | 4096 | 3 | 0 | 4 | False |
| 65 | octavia_65 | 1024 | 3 | 0 | 1 | False |
| amphora-mvcpu-ha | octavia_amphora-mvcpu-ha | 4096 | 3 | 0 | 4 | False |
| cf9d1d80-5680-4ed8-a051-e8ec4c5871e0 | octavia-amphora | 1024 | 3 | 0 | 1 | False |
$ openstack flavor delete octavia_65
$ openstack flavor delete octavia_amphora-mvcpu-ha
$ openstack flavor list --all | grep octavia
| 484c351a-57ca-4a4b-8e6e-93d31596fec5 | octavia-amphora-4vcpus | 4096 | 3 | 0 | 4 | False |
| cf9d1d80-5680-4ed8-a051-e8ec4c5871e0 | octavia-amphora | 1024 | 3 | 0 | 1 | False |
----

. Delete old octavia flavors that have been migrated
+
[source,bash]
----
$ openstack loadbalancer flavor list
+--------------------------------------+--------------------------+--------------------------------------+---------+
| id | name | flavor_profile_id | enabled |
+--------------------------------------+--------------------------+--------------------------------------+---------+
| 5db54d9b-ba08-4b51-a859-0a81533604aa | octavia_amphora-mvcpu-ha | 4fa6a793-4c20-4480-be4f-806912840511 | True |
| 6d649fd5-6322-4265-b5f3-c3277fc29ec8 | amphora-4vcpus | d9764a80-99f5-4f22-bbe0-3ddbdc5c485c | True |
| 93f34308-24a7-42de-9065-959a3b36e7f6 | amphora | e75e50c8-7786-4623-abcf-bccbea59d213 | True |
+--------------------------------------+--------------------------+--------------------------------------+---------+
$ openstack loadbalancer flavor delete octavia_amphora-mvcpu-ha
$ openstack loadbalancer flavor list
+--------------------------------------+----------------+--------------------------------------+---------+
| id | name | flavor_profile_id | enabled |
+--------------------------------------+----------------+--------------------------------------+---------+
| 6d649fd5-6322-4265-b5f3-c3277fc29ec8 | amphora-4vcpus | d9764a80-99f5-4f22-bbe0-3ddbdc5c485c | True |
| 93f34308-24a7-42de-9065-959a3b36e7f6 | amphora | e75e50c8-7786-4623-abcf-bccbea59d213 | True |
+--------------------------------------+----------------+--------------------------------------+---------+
----

. Delete old flavorprofile that have been migrated
+
[source,bash]
----
$ openstack loadbalancer flavorprofile list
+--------------------------------------+----------------------------------+---------------+
| id | name | provider_name |
+--------------------------------------+----------------------------------+---------------+
| 4fa6a793-4c20-4480-be4f-806912840511 | octavia_amphora-mvcpu-ha_profile | amphora |
| d9764a80-99f5-4f22-bbe0-3ddbdc5c485c | amphora-4vcpus | amphora |
| e75e50c8-7786-4623-abcf-bccbea59d213 | amphora | amphora |
+--------------------------------------+----------------------------------+---------------+
$ openstack loadbalancer flavorprofile delete octavia_amphora-mvcpu-ha_profile
$ openstack loadbalancer flavorprofile list
+--------------------------------------+----------------+---------------+
| id | name | provider_name |
+--------------------------------------+----------------+---------------+
| d9764a80-99f5-4f22-bbe0-3ddbdc5c485c | amphora-4vcpus | amphora |
| e75e50c8-7786-4623-abcf-bccbea59d213 | amphora | amphora |
+--------------------------------------+----------------+---------------+
----

. Delete the old management network ports
+
The first command stores the network ID of the old management network in the
variable WALLABY_LB_MGMT_NET_ID for later use. Then all ports that are used in the network get deleted.
+
[source,bash]
----
$ for net_id in $(openstack network list -f value -c ID --name lb-mgmt-net); do desc=$(openstack network show "$net_id" -f value -c description); [ -z "$desc" ] && WALLABY_LB_MGMT_NET_ID="$net_id" ; done
$ echo $WALLABY_LB_MGMT_NET_ID
1e21f9c1-7485-4104-a2f3-eed098ab9cad
$ for id in $(openstack port list --network "$WALLABY_LB_MGMT_NET_ID" -f value -c ID) ; do openstack port delete "$id" ; done
----

. Delete the old management network
+
[source,bash]
----
$ openstack network delete "$WALLABY_LB_MGMT_NET_ID"
----

. Verify only one lb-mgmt-net and one lb-mgmt-subnet exists
+
[source,bash]
----
$ openstack network list | grep lb-mgmt-net
| fe470c29-0482-4809-9996-6d636e3feea3 | lb-mgmt-net | 6a881091-097d-441c-937b-5a23f4f243b7 |
$ openstack subnet list | grep lb-mgmt-subnet
| 6a881091-097d-441c-937b-5a23f4f243b7 | lb-mgmt-subnet | fe470c29-0482-4809-9996-6d636e3feea3 | 172.24.0.0/16 |
----
8 changes: 7 additions & 1 deletion docs_user/modules/proc_rolling-back-the-control-plane-adoption.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,13 @@ ServicesToStart=("tripleo_horizon.service"
"tripleo_ceilometer_agent_notification.service"
"tripleo_ovn_cluster_north_db_server.service"
"tripleo_ovn_cluster_south_db_server.service"
"tripleo_ovn_cluster_northd.service")
"tripleo_ovn_cluster_northd.service"
"tripleo_octavia_api.service"
"tripleo_octavia_health_manager.service"
"tripleo_octavia_rsyslog.service"
"tripleo_octavia_driver_agent.service"
"tripleo_octavia_housekeeping.service"
"tripleo_octavia_worker.service")
PacemakerResourcesToStart=("galera-bundle"
"haproxy-bundle"
Expand Down
6 changes: 6 additions & 0 deletions docs_user/modules/proc_stopping-openstack-services.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,12 @@ ServicesToStop=("tripleo_aodh_api.service"
"tripleo_aodh_notifier.service"
"tripleo_ceilometer_agent_central.service"
"tripleo_ceilometer_agent_notification.service"
"tripleo_octavia_api.service"
"tripleo_octavia_health_manager.service"
"tripleo_octavia_rsyslog.service"
"tripleo_octavia_driver_agent.service"
"tripleo_octavia_housekeeping.service"
"tripleo_octavia_worker.service"
"tripleo_horizon.service"
"tripleo_keystone.service"
"tripleo_barbican_api.service"
Expand Down
8 changes: 7 additions & 1 deletion tests/roles/control_plane_rollback/tasks/main.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,13 @@
"tripleo_ceilometer_agent_notification.service"
"tripleo_ovn_cluster_north_db_server.service"
"tripleo_ovn_cluster_south_db_server.service"
"tripleo_ovn_cluster_northd.service")
"tripleo_ovn_cluster_northd.service"
"tripleo_octavia_api.service"
"tripleo_octavia_health_manager.service"
"tripleo_octavia_rsyslog.service"
"tripleo_octavia_driver_agent.service"
"tripleo_octavia_housekeeping.service"
"tripleo_octavia_worker.service")
PacemakerResourcesToStart=("galera-bundle"
"haproxy-bundle"
Expand Down
6 changes: 5 additions & 1 deletion tests/roles/dataplane_adoption/tasks/main.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -458,12 +458,16 @@
ansible.builtin.include_tasks:
file: neutron_verify.yaml


- name: Adopt Octavia Certificates Wallaby->Antelope FFU
when: octavia_adoption|bool
ansible.builtin.include_tasks:
file: octavia_certs.yaml

- name: Adopt Octavia Amphora public SSH key Wallaby->Antelope FFU
when: octavia_adoption|bool
ansible.builtin.include_tasks:
file: octavia_ssh.yaml

- name: Adopted Cinder post-checks
ansible.builtin.include_tasks:
file: cinder_verify.yaml
20 changes: 20 additions & 0 deletions tests/roles/dataplane_adoption/tasks/octavia_ssh.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
- name: Migrate old Octavia public SSH key for amphorae
ansible.builtin.shell: |
{{ shell_header }}
{{ oc_header }}
CONTROLLER1_SCP="{{ controller1_ssh | regex_replace('^ssh', 'scp')}}"
${CONTROLLER1_SCP}:/root/.ssh/id_ecdsa.pub $HOME/octavia_sshkey.pub
# Install new data in k8s
oc apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: sshPubkey
namespace: openstack
data:
key: $(cat $HOME/octavia_sshkey.pub)
EOF
rm -f $HOME/octavia_sshkey.pub
6 changes: 6 additions & 0 deletions tests/roles/stop_openstack_services/tasks/main.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,12 @@
"tripleo_aodh_notifier.service"
"tripleo_ceilometer_agent_central.service"
"tripleo_ceilometer_agent_notification.service"
"tripleo_octavia_api.service"
"tripleo_octavia_health_manager.service"
"tripleo_octavia_rsyslog.service"
"tripleo_octavia_driver_agent.service"
"tripleo_octavia_housekeeping.service"
"tripleo_octavia_worker.service"
"tripleo_horizon.service"
"tripleo_keystone.service"
"tripleo_barbican_api.service"
Expand Down

0 comments on commit 99d4611

Please sign in to comment.