feat: Adds post-deploy OpenStack Octavia playbook

Author: nicholaskuechler

ansible/playbooks/openstack_network.yaml

@@ -13,7 +13,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-- name: Openstack Network
+- name: OpenStack Network
   hosts: neutron
   connection: local
 

ansible/playbooks/openstack_octavia.yaml

@@ -0,0 +1,29 @@
+---
+# Copyright (c) 2025 Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: OpenStack Octavia Post Deployment
+  hosts: neutron
+  connection: local
+
+  pre_tasks:
+    - name: Fail if ENV variables are not set
+      ansible.builtin.fail:
+        msg: "Environment variable {{ item }} is not set. Exiting playbook."
+      when: lookup('env', item) == ''
+      loop:
+        - OS_CLOUD
+
+  roles:
+    - role: openstack_octavia

ansible/roles/openstack_octavia/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+load_balancer_network_name: "lb-mgmt-net"
+load_balancer_subnet_name: "lb-mgmt-subnet"
+load_balancer_subnet: "172.31.0.0/24"
+load_balancer_subnet_start: "172.31.0.10"
+load_balancer_subnet_end: "172.31.0.200"
+provider_network_type: "ovn"

ansible/roles/openstack_octavia/tasks/main.yml

@@ -0,0 +1,91 @@
+---
+
+- name: Get network info
+  openstack.cloud.networks_info:
+    name: "{{ load_balancer_network_name }}"
+  register: existing_networks
+  run_one: true
+
+- name: Create network if not exists
+  openstack.cloud.network:
+    name: "{{ load_balancer_network_name }}"
+    provider_network_type: "{{ provider_network_type }}"
+    state: present
+  when: existing_networks | length == 0
+  run_one: true
+
+- name: Create a new subnet in neutron
+  openstack.cloud.subnet:
+    network_name: "{{ load_balancer_network_name }}"
+    name: "{{ load_balancer_subnet_name }}"
+    cidr: "{{ load_balancer_subnet }}"
+    allocation_pool_start: "{{ load_balancer_subnet_start }}"
+    allocation_pool_end: "{{ load_balancer_subnet_end }}"
+    state: present
+  run_one: true
+
+- name: Create a security group
+  openstack.cloud.security_group:
+    name: lb-mgmt-sec-grp
+    state: present
+    description: security group for octavia load balancers
+  run_one: true
+
+- name: Create a security group rule
+  openstack.cloud.security_group_rule:
+    security_group: lb-mgmt-sec-grp
+    protocol: icmp
+    remote_ip_prefix: 0.0.0.0/0
+  run_one: true
+
+- name: Create a security group rule
+  openstack.cloud.security_group_rule:
+    security_group: lb-mgmt-sec-grp
+    protocol: tcp
+    port_range_min: 22
+    port_range_max: 22
+    remote_ip_prefix: 0.0.0.0/0
+  run_one: true
+
+- name: Create a security group rule
+  openstack.cloud.security_group_rule:
+    security_group: lb-mgmt-sec-grp
+    protocol: tcp
+    port_range_min: 9443
+    port_range_max: 9443
+    remote_ip_prefix: 0.0.0.0/0
+  run_one: true
+
+- name: Create a security group for octavia health manager
+  openstack.cloud.security_group:
+    name: lb-health-mgr-sec-grp
+    state: present
+    description: security group for octavia health manager
+  run_one: true
+
+- name: Create a health group security rules
+  openstack.cloud.security_group_rule:
+    security_group: lb-health-mgr-sec-grp
+    protocol: udp
+    port_range_min: 5555
+    port_range_max: 5555
+    remote_ip_prefix: 0.0.0.0/0
+  run_one: true
+
+# We want to create the ports on the ovn nodes. In Understack, we can
+# identify those as the nodes having the ansible host var setting
+# `ovs_enabled=true`.
+- name: Create ports
+  openstack.cloud.port:
+    name: "octavia-health-manager-port-{{ item }}"
+    network: lb-mgmt-net
+    security_groups: lb-health-mgr-sec-grp
+    device_owner: "Octavia:health-mgr"
+    binding_host_id: "{{ item }}"
+    state: present
+  with_items: "{{ groups['all']
+                  | map('extract', hostvars)
+                  | selectattr('ovs_enabled', 'defined')
+                  | selectattr('ovs_enabled', 'equalto', true)
+                  | map(attribute='inventory_hostname')
+                  | list }}"

docs/deploy-guide/load-balancers.md

@@ -0,0 +1,77 @@
+# Load Balancer Configuration
+
+If you decide to use Octavia Load Balancers there are some one-time, post-install
+steps to be completed before load balancers can be used.
+
+## Create security groups and their rules
+
+``` bash
+openstack security group create lb-mgmt-sec-grp
+openstack security group rule create --protocol icmp lb-mgmt-sec-grp
+openstack security group rule create --protocol tcp --dst-port 22 lb-mgmt-sec-grp
+openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sec-grp
+openstack security group create lb-health-mgr-sec-grp
+openstack security group rule create --protocol udp --dst-port 5555 lb-health-mgr-sec-grp
+```
+
+## Create a network
+
+During the execution of the below command, please save the of BRNAME and MGMT_PORT_MAC in a notepad for further reference.
+
+``` bash
+OCTAVIA_MGMT_SUBNET=172.16.0.0/12
+OCTAVIA_MGMT_SUBNET_START=172.16.0.100
+OCTAVIA_MGMT_SUBNET_END=172.16.31.254
+OCTAVIA_MGMT_PORT_IP=172.16.0.2
+
+openstack network create lb-mgmt-net
+openstack subnet create --subnet-range $OCTAVIA_MGMT_SUBNET --allocation-pool \
+  start=$OCTAVIA_MGMT_SUBNET_START,end=$OCTAVIA_MGMT_SUBNET_END \
+  --network lb-mgmt-net lb-mgmt-subnet
+
+SUBNET_ID=$(openstack subnet show lb-mgmt-subnet -f value -c id)
+PORT_FIXED_IP="--fixed-ip subnet=$SUBNET_ID,ip-address=$OCTAVIA_MGMT_PORT_IP"
+
+MGMT_PORT_ID=$(openstack port create --security-group \
+  lb-health-mgr-sec-grp --device-owner Octavia:health-mgr \
+  --host=$(hostname) -c id -f value --network lb-mgmt-net \
+PORT_FIXED_IP octavia-health-manager-listen-port)
+
+MGMT_PORT_MAC=$(openstack port show -c mac_address -f value \
+MGMT_PORT_ID)
+```
+
+
+``` bash
+OSH_LB_SUBNET="172.31.0.0/24"
+OSH_LB_SUBNET_START="172.31.0.2"
+OSH_LB_SUBNET_END="172.31.0.200"
+
+openstack network create lb-mgmt-net -f value -c id
+openstack subnet create --subnet-range $OSH_LB_SUBNET --allocation-pool start=$OSH_LB_SUBNET_START,end=$OSH_LB_SUBNET_END --network lb-mgmt-net lb-mgmt-subnet -f value -c id
+openstack security group create lb-mgmt-sec-grp
+openstack security group rule create --protocol icmp lb-mgmt-sec-grp
+openstack security group rule create --protocol tcp --dst-port 22 lb-mgmt-sec-grp
+openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sec-grp
+
+# Create security group for Octavia health manager
+openstack security group create lb-health-mgr-sec-grp
+openstack security group rule create --protocol udp --dst-port 5555 lb-health-mgr-sec-grp
+```
+
+``` bash
+node=1327172-hp1
+PORTNAME=octavia-health-manager-port-1327172-hp1
+
+openstack port create --security-group lb-health-mgr-sec-grp --device-owner Octavia:health-mgr --host=$node -c id -f value --network lb-mgmt-net $PORTNAME
+IP=$(openstack port show $PORTNAME -c fixed_ips -f value | awk -F',' '{print $1}' | awk -F'=' '{print $2}' | tr -d \')
+echo $IP
+```
+
+``` bash
+NETWORK_NODES=$(kubectl get nodes -l openstack-network-node=enabled -o name | awk -F"/" '{print $2}')
+for node in $NETWORK_NODES; do 
+
+done
+
+```

docs/deploy-guide/testing-verification.md

@@ -0,0 +1,50 @@
+# Testing and Verification
+
+After deploying a new Understack, we have a few tools available to help us test our new deployment
+and ensure everything is working.
+
+## OpenStack Tempest
+
+We'll use [OpenStack Tempest](https://docs.openstack.org/tempest/latest/index.html)
+to quickly perform API tests against Understack.
+
+Here's a small example using tempest to run keypair tests against an Understack instance:
+
+``` text
+$ tempest run --concurrency 1 --serial --include-list include-keypair.txt
+{0} tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_get_keypair_detail [1.563604s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_keypair_create_delete [0.884011s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_keypair_create_with_pub_key [0.893123s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs.KeyPairsV2TestJSON.test_keypairs_create_list_delete [3.178549s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_invalid_name [0.589208s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_when_public_key_bits_exceeds_maximum [0.432699s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_with_duplicate_name [1.471715s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_with_empty_name_string [0.540209s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_with_empty_public_key [0.440568s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_create_keypair_with_long_keynames [0.435756s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_keypair_create_with_invalid_pub_key [0.479691s] ... ok
+{0} tempest.api.compute.keypairs.test_keypairs_negative.KeyPairsNegativeTestJSON.test_keypair_delete_nonexistent_key [0.509478s] ... ok
+
+======
+Totals
+======
+Ran: 12 tests in 12.3828 sec.
+ - Passed: 12
+ - Skipped: 0
+ - Expected Fail: 0
+ - Unexpected Success: 0
+ - Failed: 0
+Sum of execute time for each test: 11.4186 sec.
+
+==============
+Worker Balance
+==============
+ - Worker 0 (12 tests) => 0:00:12.382768
+```
+
+## OpenStack Rally
+
+We'll also use [OpenStack Rally](https://docs.openstack.org/rally/latest/) to run integration and scenario tests.
+
+See the [understack-tests](https://github.com/rackerlabs/understack/tree/main/python/understack-tests) in the understack repo
+for docs on running our rally scenarios.

docs/deploy-guide/troubleshooting.md

@@ -0,0 +1,16 @@
+# Deployment Troubleshooting
+
+We have documentation for individual components in the [Operator Guide](../operator-guide/index.md).
+
+## ArgoCD Stuck Syncing
+
+We have seen ArgoCD can sometimes become "stuck" while processing deployments. Sometimes
+this can be due to the app component running a kubernetes job which gets stuck indefinitely.
+
+For example, some openstack-helm components have init jobs which depends on other steps being
+completed or may have a misconfiguration, where the init will loop forever. In argo you can
+see what jobs are stuck, then check the kubernetes job pod logs for further details. Note that
+a lot of OpenStack pods may have multiple containers, so interesting logs may not be in the
+default container output.
+
+In argo, we've also seen it can be helpful to terminate an old sync and issue a new sync.

mkdocs.yml

@@ -132,6 +132,10 @@ nav:
       - deploy-guide/config-argo-workflows.md
     - Starting the Deployment:
       - deploy-guide/management-cluster.md
+    - Post Deployment:
+      - deploy-guide/load-balancers.md
+      - deploy-guide/testing-verification.md
+      - deploy-guide/troubleshooting.md
     - Further Actions:
       - deploy-guide/extra-sites.md
       - deploy-guide/add-remove-app.md

workflows/openstack/eventsources/eventsource-k8s-openstack-octavia.yaml

@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: EventSource
+metadata:
+  name: k8s-openstack-octavia
+  namespace: openstack
+spec:
+  template:
+    serviceAccountName: k8s-openstack-events
+  # Kubernetes resource event sources
+  resource:
+    octavia-deployment:
+      # monitor deployment resources under openstack namespace
+      namespace: openstack
+      resource: deployments
+      group: apps
+      version: v1
+      # Event types to listen for (e.g., ADD, UPDATE, DELETE). Here we want only when deployment is created.
+      eventTypes:
+        - ADD
+      filter:
+        # filter based these labels to match octavia-api deployment
+        labels:
+          - key: application
+            value: octavia
+          - key: component
+            value: api

workflows/openstack/sensors/sensor-k8s-octavia-deployment.yaml

@@ -0,0 +1,65 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Sensor
+metadata:
+  name: octavia-deployment
+  namespace: openstack
+spec:
+  template:
+    serviceAccountName: k8s-openstack-events
+  # events the Sensor listens for
+  dependencies:
+    - eventName: octavia-deployment
+      eventSourceName: k8s-openstack-octavia
+      name: openstack-octavia-server-deployment
+  # actions executed when dependencies are satisfied (StandardK8STrigger designed to create or update a generic Kubernetes resource.)
+  triggers:
+    - template:
+        name: octavia-post-deploy
+        k8s:
+          operation: create
+          source:
+            resource:
+              apiVersion: batch/v1
+              kind: Job
+              metadata:
+                generateName: octavia-post-deploy-job
+              spec:
+                template:
+                  spec:
+                    containers:
+                      - name: octavia-post-deploy
+                        image: ghcr.io/rackerlabs/understack/ansible:latest
+                        imagePullPolicy: Always
+                        command: ["ansible-runner", "run", "/runner", "--playbook", "openstack_octavia.yaml"]
+                        env:
+                          - name: OS_CLOUD
+                            value: understack
+                        volumeMounts:
+                          - name: ansible-inventory
+                            mountPath: /runner/inventory/hosts.yaml
+                            subPath: hosts.yaml
+                          - name: ansible-kubernetes-inventory
+                            mountPath: /runner/inventory/inventory.yaml
+                            subPath: inventory.yaml
+                          - name: ansible-group-vars
+                            mountPath: /runner/inventory/group_vars/
+                          - name: openstack-svc-acct
+                            mountPath: /etc/openstack
+                            readOnly: true
+                    volumes:
+                      - name: runner-data
+                        emptyDir: {}
+                      - name: ansible-inventory
+                        configMap:
+                          name: ansible-inventory
+                      - name: ansible-kubernetes-inventory
+                        configMap:
+                          name: ansible-kubernetes-inventory
+                      - name: ansible-group-vars
+                        configMap:
+                          name: ansible-group-vars
+                      - name: openstack-svc-acct
+                        secret:
+                          secretName: openstack-svc-acct
+                    restartPolicy: OnFailure