feat: Adds OpenStack Octavia load balancers

apps/appsets/openstack.yaml

@@ -43,6 +43,9 @@ spec:
                 - component: horizon
                   repoURL: https://tarballs.opendev.org/openstack/openstack-helm
                   chartVersion: 2024.2.1+34d1672a-93ed069c
+                - component: octavia
+                  repoURL: https://tarballs.opendev.org/openstack/openstack-helm
+                  chartVersion: 2024.2.4+6b985e51b
   template:
     metadata:
       name: '{{.name}}-{{.component}}'

components/octavia/README.md

@@ -0,0 +1 @@
+# OpenStack Octavia Load Balancers

components/octavia/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - octavia-rabbitmq-queue.yaml
+  - octavia-mariadb-db.yaml

components/octavia/octavia-mariadb-db.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: octavia
+  namespace: openstack
+spec:
+  # If you want the database to be created with a different name than the resource name
+  # name: data-custom
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  characterSet: utf8
+  collate: utf8_general_ci
+  retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: User
+metadata:
+  name: octavia
+  namespace: openstack
+spec:
+  # If you want the user to be created with a different name than the resource name
+  # name: user-custom
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  passwordSecretKeyRef:
+    name: octavia-db-password
+    key: password
+  # This field is immutable and defaults to 10, 0 means unlimited.
+  maxUserConnections: 0
+  host: "%"
+  retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: octavia-grant
+  namespace: openstack
+spec:
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  privileges:
+    - "ALL"
+  database: "octavia"
+  table: "*"
+  username: octavia
+  grantOption: true
+  host: "%"
+  retryInterval: 5s

components/octavia/octavia-rabbitmq-queue.yaml

@@ -0,0 +1,59 @@
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: User
+metadata:
+  name: octavia
+  namespace: openstack
+spec:
+  tags:
+  - management  # available tags are 'management', 'policymaker', 'monitoring' and 'administrator'
+  - policymaker
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
+  importCredentialsSecret:
+    name: octavia-rabbitmq-password
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Vhost
+metadata:
+  name: octavia-vhost
+  namespace: openstack
+spec:
+  name: "octavia"  # vhost name; required and cannot be updated
+  defaultQueueType: quorum  # default queue type for this vhost; require RabbitMQ version 3.11.12 or above
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Queue
+metadata:
+  name: octavia-queue
+  namespace: openstack
+spec:
+  name: octavia-qq  # name of the queue
+  vhost: "octavia"  # default to '/' if not provided
+  type: quorum  # without providing a queue type, rabbitmq creates a classic queue
+  autoDelete: false
+  durable: true  # setting 'durable' to false means this queue won't survive a server restart
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: octavia-permission
+  namespace: openstack
+spec:
+  vhost: "octavia"  # name of a vhost
+  userReference:
+    name: "octavia"  # name of a user.rabbitmq.com in the same namespace; must specify either spec.userReference or spec.user
+  permissions:
+    write: ".*"
+    configure: ".*"
+    read: ".*"
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack

components/octavia/values.yaml

@@ -0,0 +1,123 @@
+---
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  oslo_messaging:
+    statefulset:
+      replicas: 3
+      name: rabbitmq-server
+    hosts:
+      default: rabbitmq-nodes
+  load_balancer:
+    port:
+      api:
+        public: 443
+    scheme:
+      public: https
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: octavia-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
+
+network:
+  # configure OpenStack Helm to use Undercloud's ingress
+  # instead of expecting the ingress controller provided
+  # by OpenStack Helm
+  use_external_ingress_controller: true
+  api:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
+    external_policy_local: false
+    node_port:
+      enabled: false
+
+conf:
+  octavia:
+    api_settings:
+      enabled_provider_drivers:
+        ovn: ovn
+      default_provider_driver: ovn
+    ovn:
+      ovn_nb_connection: tcp:ovn-ovsdb-nb.openstack.svc.cluster.local:6641
+      ovn_sb_connection: tcp:ovn-ovsdb-sb.openstack.svc.cluster.local:6642
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs: null
+  static:
+    api:
+      jobs:
+        - octavia-db-sync
+        - octavia-ks-user
+        - octavia-ks-endpoints
+    worker:
+      jobs:
+        - octavia-db-sync
+        - octavia-ks-user
+        - octavia-ks-endpoints
+    housekeeping:
+      jobs:
+        - octavia-db-sync
+        - octavia-ks-user
+        - octavia-ks-endpoints
+    health_manager:
+      jobs:
+        - octavia-db-sync
+        - octavia-ks-user
+        - octavia-ks-endpoints
+    db_sync:
+      jobs:
+
+manifests:
+  job_db_init: false
+  job_rabbit_init: false
+  pod_rally_test: false
+  secret_db: true
+  secret_keystone: true
+  service_ingress_api: false
+
+# we don't want to enable OpenStack Helm's
+# helm.sh/hooks because they set them as
+# post-install,post-upgrade which in ArgoCD
+# maps to PostSync. However the deployments
+# and statefulsets in OpenStack Helm
+# depend on the jobs to complete to become
+# healthy. Which they cannot because they are in
+# the post step and not in the main step.
+# Turning this on results in the keys jobs
+# editing the annotation which deletes the item
+# and wipes our keys.
+helm3_hook: false
+
+annotations:
+  job:
+    octavia_db_sync:
+      argocd.argoproj.io/hook: Sync
+      argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+      argocd.argoproj.io/sync-options: Replace=true
+    octavia_ks_service:
+      argocd.argoproj.io/hook: Sync
+      argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+      argocd.argoproj.io/sync-options: Replace=true
+    octavia_ks_user:
+      argocd.argoproj.io/hook: Sync
+      argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+      argocd.argoproj.io/sync-options: Replace=true
+    octavia_ks_endpoints:
+      argocd.argoproj.io/hook: Sync
+      argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+      argocd.argoproj.io/sync-options: Replace=true
+    octavia_bootstrap:
+      argocd.argoproj.io/hook: Sync
+      argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+      argocd.argoproj.io/sync-options: Replace=true

components/openstack-secrets.tpl.yaml

@@ -28,6 +28,9 @@ endpoints:
       # this user is the service account that placement uses
       placement:
         password: "${PLACEMENT_KEYSTONE_PASSWORD}"
+      # this user is the service account that octavia uses
+      octavia:
+        password: "${OCTAVIA_KEYSTONE_PASSWORD}"
 
     # set our public facing URL
     host_fqdn_override:
@@ -64,6 +67,9 @@ endpoints:
       # this is what the horizon dashboard service uses to connect to MariaDB
       horizon:
         password: "${HORIZON_DB_PASSWORD}"
+      # this is what the octavia service uses to connect to MariaDB
+      octavia:
+        password: "${OCTAVIA_DB_PASSWORD}"
 
   # 'oslo_db_api' is for MariaDB specific for nova
   oslo_db_api:
@@ -95,6 +101,9 @@ endpoints:
       # this is what the nova service uses to connect to RabbitMQ
       nova:
         password: "${NOVA_RABBITMQ_PASSWORD}"
+      # this is what the octavia service uses to connect to RabbitMQ
+      octavia:
+        password: "${OCTAVIA_RABBITMQ_PASSWORD}"
 
   # 'baremetal' is the ironic service
   baremetal:
@@ -138,6 +147,13 @@ endpoints:
       public:
         host: horizon.${DNS_ZONE}
 
+  # 'octavia' is the load balancer service
+  load_balancer:
+    # set our public facing URL
+    host_fqdn_override:
+      public:
+        host: octavia.${DNS_ZONE}
+
 # necessary cause the ingress definition in openstack-helm-infra helm-toolkit hardcodes this
 secrets:
   tls:
@@ -162,4 +178,7 @@ secrets:
     dashboard:
       dashboard:
         public: horizon-tls-public
+    load_balancer:
+      api:
+        public: octavia-tls-public
 ...

scripts/gitops-secrets-gen.sh

@@ -312,7 +312,7 @@ create_os_secret() {
 ## OpenStack component secret generation
 ## each openstack component is very similar to collapse this
 ## into a loop to generate the same thing for each
-for component in keystone ironic placement neutron nova glance; do
+for component in keystone ironic placement neutron nova glance octavia; do
     echo "Checking ${component}"
     mkdir -p "${DEST_DIR}/${component}/"
     # keystone service account username