feat: Adds post-deploy OpenStack Octavia playbook

Author: nicholaskuechler

ansible/playbooks/openstack_network.yaml

@@ -13,7 +13,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-- name: Openstack Network
+- name: OpenStack Network
   hosts: neutron
   connection: local
 

ansible/playbooks/openstack_octavia.yaml

@@ -0,0 +1,29 @@
+---
+# Copyright (c) 2025 Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: OpenStack Octavia Post Deployment
+  hosts: neutron
+  connection: local
+
+  pre_tasks:
+    - name: Fail if ENV variables are not set
+      ansible.builtin.fail:
+        msg: "Environment variable {{ item }} is not set. Exiting playbook."
+      when: lookup('env', item) == ''
+      loop:
+        - OS_CLOUD
+
+  roles:
+    - role: openstack_octavia

ansible/roles/openstack_octavia/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+openstack_octavia_load_balancer_network_name: "lb-mgmt-net"
+openstack_octavia_load_balancer_subnet_name: "lb-mgmt-subnet"
+openstack_octavia_load_balancer_subnet: "172.31.0.0/24"
+openstack_octavia_load_balancer_subnet_start: "172.31.0.2"
+openstack_octavia_load_balancer_subnet_end: "172.31.0.200"
+openstack_octavia_provider_network_type: "ovn"

ansible/roles/openstack_octavia/tasks/main.yml

@@ -0,0 +1,143 @@
+---
+
+- name: Get network info
+  openstack.cloud.networks_info:
+    name: "{{ openstack_octavia_load_balancer_network_name }}"
+  register: existing_networks
+  run_once: true
+
+- name: Create network if not exists
+  openstack.cloud.network:
+    name: "{{ openstack_octavia_load_balancer_network_name }}"
+    provider_network_type: "{{ openstack_octavia_provider_network_type }}"
+    state: present
+  when: existing_networks | length == 0
+  run_once: true
+
+- name: Get network info again with the ID this time
+  openstack.cloud.networks_info:
+    name: "{{ openstack_octavia_load_balancer_network_name }}"
+  register: existing_networks_again
+  run_once: true
+
+- name: Create a new subnet in neutron
+  openstack.cloud.subnet:
+    network_name: "{{ openstack_octavia_load_balancer_network_name }}"
+    name: "{{ openstack_octavia_load_balancer_subnet_name }}"
+    cidr: "{{ openstack_octavia_load_balancer_subnet }}"
+    allocation_pool_start: "{{ openstack_octavia_load_balancer_subnet_start }}"
+    allocation_pool_end: "{{ openstack_octavia_load_balancer_subnet_end }}"
+    state: present
+  run_once: true
+
+- name: Create a security group
+  openstack.cloud.security_group:
+    name: lb-mgmt-sec-grp
+    state: present
+    description: security group for octavia load balancers
+  run_once: true
+
+- name: Create a security group rule
+  openstack.cloud.security_group_rule:
+    security_group: lb-mgmt-sec-grp
+    protocol: icmp
+    remote_ip_prefix: 0.0.0.0/0
+  run_once: true
+
+- name: Create a security group rule
+  openstack.cloud.security_group_rule:
+    security_group: lb-mgmt-sec-grp
+    protocol: tcp
+    port_range_min: 22
+    port_range_max: 22
+    remote_ip_prefix: 0.0.0.0/0
+  run_once: true
+
+- name: Create a security group rule
+  openstack.cloud.security_group_rule:
+    security_group: lb-mgmt-sec-grp
+    protocol: tcp
+    port_range_min: 9443
+    port_range_max: 9443
+    remote_ip_prefix: 0.0.0.0/0
+  run_once: true
+
+- name: Create a security group for octavia health manager
+  openstack.cloud.security_group:
+    name: lb-health-mgr-sec-grp
+    state: present
+    description: security group for octavia health manager
+  run_once: true
+  register: security_group
+
+- name: Create health manager group security rules
+  openstack.cloud.security_group_rule:
+    security_group: lb-health-mgr-sec-grp
+    protocol: udp
+    port_range_min: 5555
+    port_range_max: 5555
+    remote_ip_prefix: 0.0.0.0/0
+  run_once: true
+
+- name: Create ports debug
+  ansible.builtin.debug:
+    msg: "item {{ item }}"
+  with_items: "{{ groups['all']
+                  | map('extract', hostvars)
+                  | selectattr('ovs_enabled', 'defined')
+                  | selectattr('ovs_enabled', 'equalto', true)
+                  | map(attribute='inventory_hostname')
+                  | list }}"
+
+- name: Build octavia_port_names (override or hostname)
+  ansible.builtin.set_fact:
+    octavia_port_names: "{{ octavia_port_names | default([]) + [ (hostvars[item].octavia_host_override | default(item)) ] }}"
+  loop: "{{ groups['all'] }}"
+  when:
+    - hostvars[item].ovs_enabled is defined
+    - hostvars[item].ovs_enabled | bool
+  run_once: true
+  delegate_to: localhost
+  loop_control:
+    label: "{{ item }}"
+
+- name: Create ports debug
+  ansible.builtin.debug:
+    msg: "item {{ item }}"
+  with_items: "{{ octavia_port_names }}"
+  run_once: true
+
+# We want to create the ports on the ovn nodes. In Understack, we can
+# identify those as the nodes having the ansible host var setting
+# `ovs_enabled=true`.
+# - name: Create ports
+#   openstack.cloud.port:
+#     name: "octavia-health-manager-port-{{ item }}"
+#     network: "{{ openstack_octavia_load_balancer_network_name }}"
+#     security_groups: lb-health-mgr-sec-grp
+#     device_owner: "Octavia:health-mgr"
+#     host: "{{ item }}"
+#     state: present
+#   with_items: "{{ octavia_port_names }}"
+#   run_once: true
+
+# ansible's openstack.cloud.port module doesn't permit you to specify
+# the binding:host_id, so we have to do it the hard way using
+# openstack.cloud.resource.
+- name: Create Octavia health manager port (set binding host_id)
+  openstack.cloud.resource:
+    state: present
+    service: network
+    type: port
+    attributes:
+      name: "octavia-health-manager-port-{{ item }}"
+      network_id: "{{ existing_networks_again[0].id }}"
+      device_owner: "Octavia:health-mgr"
+      # IMPORTANT: this is the host identifier to bind the port to
+      binding_host_id: "{{ item }}"
+      # pass SG id(s)
+      security_groups:
+        - "{{ security_group.id }}"
+  register: create_octavia_port
+  with_items: "{{ octavia_port_names }}"
+  run_once: true

components/octavia/kustomization.yaml

@@ -5,3 +5,4 @@ kind: Kustomization
 resources:
   - octavia-rabbitmq-queue.yaml
   - octavia-mariadb-db.yaml
+  - octavia-post-deployment-job.yaml

components/octavia/octavia-post-deployment-job.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: octavia-post-deployment-job
+  generateName: octavia-post-deployment-job-
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  template:
+    spec:
+      containers:
+        - name: octavia-post-deploy
+          # TODO: switch back to latest tag
+          image: ghcr.io/rackerlabs/understack/ansible:pr-1182
+          imagePullPolicy: Always
+          command: ["ansible-runner", "run", "/runner", "-vvv", "--playbook", "openstack_octavia.yaml"]
+          env:
+            - name: OS_CLOUD
+              value: understack
+          volumeMounts:
+            - name: ansible-inventory
+              mountPath: /runner/inventory/hosts.yaml
+              subPath: hosts.yaml
+            - name: ansible-kubernetes-inventory
+              mountPath: /runner/inventory/inventory.yaml
+              subPath: inventory.yaml
+            - name: ansible-group-vars
+              mountPath: /runner/inventory/group_vars/
+            - name: openstack-svc-acct
+              mountPath: /etc/openstack
+              readOnly: true
+      volumes:
+        - name: runner-data
+          emptyDir: {}
+        - name: ansible-inventory
+          configMap:
+            name: ansible-inventory
+        - name: ansible-kubernetes-inventory
+          configMap:
+            name: ansible-kubernetes-inventory
+        - name: ansible-group-vars
+          configMap:
+            name: ansible-group-vars
+        - name: openstack-svc-acct
+          secret:
+            secretName: openstack-svc-acct
+      restartPolicy: OnFailure

docs/deploy-guide/load-balancers.md

@@ -0,0 +1,18 @@
+# Load Balancer Configuration
+
+If you decide to use Octavia Load Balancers there is a post-install ansible
+playbook which sets up networks, security groups, and ports for octavia's
+use.
+
+The ansible playbook is `understack/ansible/playbooks/openstack_octavia.yaml`
+and it gets triggered after ArgoCD successfully syncs the octavia component
+from an ArgoCD post sync hook:
+
+``` yaml
+metadata:
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+```
+
+The post-sync job is `components/octavia/octavia-post-deployment-job.yaml`.

docs/deploy-guide/testing-verification.md

@@ -0,0 +1,50 @@
+# Testing and Verification
+
+After deploying a new Understack, we have a few tools available to help us test our new deployment
+and ensure everything is working.
+
+## OpenStack Tempest
+
+We'll use [OpenStack Tempest](https://docs.openstack.org/tempest/latest/index.html)
+to quickly perform API tests against Understack.
+
+Here's a small example using tempest to run keypair tests against an Understack instance:
+
+``` text
+$ tempest run --concurrency 1 --serial --include-list include-keypair.txt
+{0} tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_get_keypair_detail [1.563604s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_keypair_create_delete [0.884011s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_keypair_create_with_pub_key [0.893123s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_keypairs_create_list_delete [3.178549s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_invalid_name [0.589208s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_when_public_key_bits_exceeds_maximum [0.432699s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_with_duplicate_name [1.471715s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_with_empty_name_string [0.540209s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_with_empty_public_key [0.440568s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_with_long_keynames [0.435756s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_keypair_create_with_invalid_pub_key [0.479691s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_keypair_delete_nonexistent_key [0.509478s] ... ok
+
+======
+Totals
+======
+Ran: 12 tests in 12.3828 sec.
+ - Passed: 12
+ - Skipped: 0
+ - Expected Fail: 0
+ - Unexpected Success: 0
+ - Failed: 0
+Sum of execute time for each test: 11.4186 sec.
+
+==============
+Worker Balance
+==============
+ - Worker 0 (12 tests) => 0:00:12.382768
+```
+
+## OpenStack Rally
+
+We'll also use [OpenStack Rally](https://docs.openstack.org/rally/latest/) to run integration and scenario tests.
+
+See the [understack-tests](https://github.com/rackerlabs/understack/tree/main/python/understack-tests) in the understack repo
+for docs on running our rally scenarios.

docs/deploy-guide/troubleshooting.md

@@ -0,0 +1,16 @@
+# Deployment Troubleshooting
+
+We have documentation for individual components in the [Operator Guide](../operator-guide/index.md).
+
+## ArgoCD Stuck Syncing
+
+We have seen ArgoCD can sometimes become "stuck" while processing deployments. Sometimes
+this can be due to the app component running a kubernetes job which gets stuck indefinitely.
+
+For example, some openstack-helm components have init jobs which depends on other steps being
+completed or may have a misconfiguration, where the init will loop forever. In argo you can
+see what jobs are stuck, then check the kubernetes job pod logs for further details. Note that
+a lot of OpenStack pods may have multiple containers, so interesting logs may not be in the
+default container output.
+
+In argo, we've also seen it can be helpful to terminate an old sync and issue a new sync.

mkdocs.yml

@@ -135,6 +135,10 @@ nav:
       - deploy-guide/config-argo-workflows.md
     - Starting the Deployment:
       - deploy-guide/management-cluster.md
+    - Post Deployment:
+      - deploy-guide/load-balancers.md
+      - deploy-guide/testing-verification.md
+      - deploy-guide/troubleshooting.md
     - Further Actions:
       - deploy-guide/extra-sites.md
       - deploy-guide/add-remove-app.md