diff --git a/.github/workflows/helm-prometheus.yaml b/.github/workflows/helm-prometheus.yaml
new file mode 100644
index 00000000..bc11e06c
--- /dev/null
+++ b/.github/workflows/helm-prometheus.yaml
@@ -0,0 +1,43 @@
+name: Helm GitHub Actions for Prometheus
+
+on:
+ pull_request:
+ paths:
+ - base-helm-configs/prometheus/**
+ - base-kustomize/prometheus/**
+ - .github/workflows/helm-prometheus.yaml
+jobs:
+ helm:
+ strategy:
+ matrix:
+ overlays:
+ - base
+ name: Helm
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - uses: azure/setup-helm@v3
+ with:
+ version: latest
+ token: "${{ secrets.GITHUB_TOKEN }}"
+ id: helm
+ - name: Add prometheus-community repo to helm
+ run: |
+ ${{ steps.helm.outputs.helm-path }} repo add prometheus-community https://prometheus-community.github.io/helm-charts
+ ${{ steps.helm.outputs.helm-path }} repo update
+ - name: Run Helm Template
+ run: |
+ ${{ steps.helm.outputs.helm-path }} template prometheus prometheus-community/kube-prometheus-stack \
+ --create-namespace \
+ --namespace=prometheus \
+ -f ${{ github.workspace }}//base-helm-configs/prometheus/prometheus-helm-overrides.yaml \
+ -f ${{ github.workspace }}//base-helm-configs/prometheus/alerting_rules.yaml \
+ -f ${{ github.workspace }}//base-helm-configs/prometheus/alertmanager_config.yaml \
+ --post-renderer ${{ github.workspace }}/base-kustomize/kustomize.sh \
+ --post-renderer-args prometheus/${{ matrix.overlays }} > /tmp/rendered.yaml
+ - name: Return helm Build
+ uses: actions/upload-artifact@v4
+ with:
+ name: helm-prometheus-artifact-${{ matrix.overlays }}
+ path: /tmp/rendered.yaml
diff --git a/.github/workflows/kustomize-prometheus.yaml b/.github/workflows/kustomize-prometheus.yaml
deleted file mode 100644
index 59fccfff..00000000
--- a/.github/workflows/kustomize-prometheus.yaml
+++ /dev/null
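Review bot: The new workflow has no `permissions:` block and every third-party input is unpinned: `actions/checkout@v4`, `azure/setup-helm@v3` and `actions/upload-artifact@v4` are mutable tags, `version: latest` floats the Helm binary, and the `template` step passes no `--version` for `prometheus-community/kube-prometheus-stack`. A pull-request run therefore executes whatever those tags and the chart repository serve that day, and the same commit can render different manifests on different days. I would add a top-level `permissions:` with `contents: read`, pin the actions to commit SHAs (for example `azure/setup-helm@<commit-sha>`), and pin the Helm and chart versions to the ones the deployment actually uses.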
@@ -1,33 +0,0 @@
-name: Kustomize GitHub Actions for Prometheus
-
-on:
- pull_request:
- paths:
- - base-kustomize/prometheus/**
- - .github/workflows/kustomize-prometheus.yaml
-jobs:
- kustomize:
- name: Kustomize
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - uses: azure/setup-helm@v3
- with:
- version: latest
- token: "${{ secrets.GITHUB_TOKEN }}"
- id: helm
- - name: Kustomize Install
- working-directory: /usr/local/bin/
- run: |
- if [ ! -f /usr/local/bin/kustomize ]; then
- curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | sudo bash
- fi
- - name: Run Kustomize Build
- run: |
- kustomize build base-kustomize/prometheus/ --enable-helm --helm-command ${{ steps.helm.outputs.helm-path }} > /tmp/rendered.yaml
- - name: Return Kustomize Build
- uses: actions/upload-artifact@v4
- with:
- name: kustomize-prometheus-artifact
- path: /tmp/rendered.yaml
diff --git a/base-helm-configs/keystone/keystone-helm-overrides.yaml b/base-helm-configs/keystone/keystone-helm-overrides.yaml
index ddfb75ce..716d145f 100644
--- a/base-helm-configs/keystone/keystone-helm-overrides.yaml
+++ b/base-helm-configs/keystone/keystone-helm-overrides.yaml
@@ -1020,6 +1020,13 @@ endpoints:
 http:
 default: 15672
 oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
 namespace: null
 hosts:
 default: memcached
diff --git a/base-kustomize/prometheus/alerting_rules.yaml b/base-helm-configs/prometheus/alerting_rules.yaml
similarity index 100%
rename from base-kustomize/prometheus/alerting_rules.yaml
rename to base-helm-configs/prometheus/alerting_rules.yaml
diff --git a/base-kustomize/prometheus/alertmanager_config.yaml b/base-helm-configs/prometheus/alertmanager_config.yaml
similarity index 100%
rename from base-kustomize/prometheus/alertmanager_config.yaml
rename to base-helm-configs/prometheus/alertmanager_config.yaml
diff --git a/base-kustomize/prometheus/values.yaml b/base-helm-configs/prometheus/prometheus-helm-overrides.yaml
similarity index 100%
rename from base-kustomize/prometheus/values.yaml
rename to base-helm-configs/prometheus/prometheus-helm-overrides.yaml
diff --git a/base-kustomize/prometheus/base/kustomization.yaml b/base-kustomize/prometheus/base/kustomization.yaml
new file mode 100644
index 00000000..34f7f9bd
--- /dev/null
+++ b/base-kustomize/prometheus/base/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - all.yaml
diff --git a/base-kustomize/prometheus/kustomization.yaml b/base-kustomize/prometheus/kustomization.yaml
deleted file mode 100644
index ead3b609..00000000
--- a/base-kustomize/prometheus/kustomization.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-resources:
- - ns-prometheus.yaml
-
-helmCharts:
- - name: kube-prometheus-stack
- repo: https://prometheus-community.github.io/helm-charts
- releaseName: kube-prometheus-stack
- namespace: prometheus
- includeCRDs: true
- valuesFile: values.yaml
- additionalValuesFiles:
- - alerting_rules.yaml
- - alertmanager_config.yaml
diff --git a/base-kustomize/prometheus/ns-prometheus.yaml b/base-kustomize/prometheus/ns-prometheus.yaml
deleted file mode 100644
index 968d863f..00000000
--- a/base-kustomize/prometheus/ns-prometheus.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- kubernetes.io/metadata.name: prometheus
- name: prometheus
- name: prometheus
diff --git a/bin/create-secrets.sh b/bin/create-secrets.sh
index 88ea5a86..1061170f 100755
--- a/bin/create-secrets.sh
+++ b/bin/create-secrets.sh
@@ -91,6 +91,7 @@ gnocchi_pgsql_password=$(generate_password 32) ceilometer_keystone_admin_password=$(generate_password 32) ceilometer_keystone_test_password=$(generate_password 32) ceilometer_rabbitmq_password=$(generate_password 32) +memcached_shared_secret=$(generate_password 32) OUTPUT_FILE="/etc/genestack/kubesecrets.yaml" @@ -581,6 +582,15 @@ metadata: type: Opaque data: password: $(echo -n $ceilometer_rabbitmq_password | base64 -w0) +--- +apiVersion: v1 +kind: Secret +metadata: + name: os-memcached + namespace: openstack +type: Opaque +data: + memcache_secret_key: $(echo -n $memcached_shared_secret | base64 -w0) EOF rm nova_ssh_key nova_ssh_key.pub diff --git a/bin/install-barbican.sh b/bin/install-barbican.sh new file mode 100755 index 00000000..8e00ec61 --- /dev/null +++ b/bin/install-barbican.sh 
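Review bot: In the new `os-memcached` Secret, `$(echo -n $memcached_shared_secret | base64 -w0)` expands the variable unquoted and through `echo`, so the encoded key is byte-exact only if `generate_password` (not visible in this hunk) never emits whitespace, glob characters or a leading `-`. The neighbouring `password:` line uses the same pattern, so this is inherited style, but this value has to be identical in every service that reads the shared memcached key. I would write `memcache_secret_key: $(printf '%s' "$memcached_shared_secret" | base64 -w0)`. The heredoc begins outside the hunk.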
@@ -0,0 +1,17 @@
+#!/bin/bash
+pushd /opt/genestack/submodules/openstack-helm || exit
+ helm upgrade --install barbican ./barbican \
+ --namespace=openstack \
+ --timeout 120m \
+ -f /etc/genestack/helm-configs/barbican/barbican-helm-overrides.yaml \
+ --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.identity.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-admin -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
+ --set endpoints.oslo_db.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-db-password -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.oslo_messaging.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
+ --set conf.barbican.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
+ --post-renderer /etc/genestack/kustomize/kustomize.sh \
+ --post-renderer-args barbican/base "$@"
+popd || exit
diff --git a/bin/install-ceilometer.sh b/bin/install-ceilometer.sh
index d42f7262..25d11695 100755
--- a/bin/install-ceilometer.sh
+++ b/bin/install-ceilometer.sh
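Review bot: The two `memcache_secret_key` options run `kubectl … get secret os-memcached` inside a command substitution with no error handling, so when the Secret is absent (for instance on a cluster whose secrets were generated before `create-secrets.sh` gained `os-memcached`) `helm upgrade` still runs with an empty key. The comment added to keystone-helm-overrides.yaml says an unset key is filled with a random value and that all services must share one key; how the chart treats an empty string is not visible here, but either outcome leaves the services without a common key and without any error. Reading the key once, checking it, and reusing the variable fails early and removes the duplicate lookup. The same lookup is added in the install-ceilometer.sh, install-cinder.sh, install-glance.sh, install-gnocchi.sh, install-heat.sh, install-horizon.sh, install-keystone.sh and install-magnum.sh hunks.

```shell
#!/bin/bash
set -o pipefail
# Read the shared memcached key once; stop if the Secret is missing or empty.
memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" || exit 1
if [ -z "$memcache_secret_key" ]; then
    echo "os-memcached Secret is missing or has an empty memcache_secret_key" >&2
    exit 1
fi
pushd /opt/genestack/submodules/openstack-helm || exit
    # … unchanged: helm upgrade options and the other --set lines …
        --set endpoints.oslo_cache.auth.memcache_secret_key="$memcache_secret_key" \
        --set conf.barbican.keystone_authtoken.memcache_secret_key="$memcache_secret_key" \
    # … unchanged: post-renderer options, popd …
```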
@@ -1,23 +1,27 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm -helm upgrade --install ceilometer ./ceilometer \ - --namespace=openstack \ - --wait \ - --timeout 10m \ - -f /opt/genestack/base-helm-configs/ceilometer/ceilometer-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.ceilometer.password="$(kubectl --namespace openstack get secret ceilometer-keystone-admin-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.test.password="$(kubectl --namespace openstack get secret ceilometer-keystone-test-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.admin.username="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.username}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.ceilometer.password="$(kubectl --namespace openstack get secret ceilometer-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.ceilometer.oslo_messaging_notifications.transport_url="\ -rabbit://ceilometer:$(kubectl --namespace openstack get secret ceilometer-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/ceilometer"\ - --set conf.ceilometer.notification.messaging_urls.values="{\ -rabbit://ceilometer:$(kubectl --namespace openstack get secret ceilometer-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/ceilometer,\ -rabbit://cinder:$(kubectl --namespace openstack get secret cinder-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/cinder,\ -rabbit://glance:$(kubectl 
--namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/glance,\ -rabbit://heat:$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/heat,\ -rabbit://keystone:$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/keystone,\ -rabbit://neutron:$(kubectl --namespace openstack get secret neutron-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/neutron,\ -rabbit://nova:$(kubectl --namespace openstack get secret nova-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/nova}" +pushd /opt/genestack/submodules/openstack-helm || exit + helm upgrade --install ceilometer ./ceilometer \ + --namespace=openstack \ + --timeout 10m \ + -f /etc/genestack/helm-configs/ceilometer/ceilometer-helm-overrides.yaml \ + --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.ceilometer.password="$(kubectl --namespace openstack get secret ceilometer-keystone-admin-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.test.password="$(kubectl --namespace openstack get secret ceilometer-keystone-test-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_messaging.auth.admin.username="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.username}' | base64 -d)" \ + --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ + --set 
endpoints.oslo_messaging.auth.ceilometer.password="$(kubectl --namespace openstack get secret ceilometer-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.ceilometer.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.ceilometer.oslo_messaging_notifications.transport_url="\ + rabbit://ceilometer:$(kubectl --namespace openstack get secret ceilometer-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/ceilometer"\ + --set conf.ceilometer.notification.messaging_urls.values="{\ + rabbit://ceilometer:$(kubectl --namespace openstack get secret ceilometer-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/ceilometer,\ + rabbit://cinder:$(kubectl --namespace openstack get secret cinder-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/cinder,\ + rabbit://glance:$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/glance,\ + rabbit://heat:$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/heat,\ + rabbit://keystone:$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/keystone,\ + rabbit://neutron:$(kubectl --namespace openstack get secret neutron-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/neutron,\ + rabbit://nova:$(kubectl --namespace openstack get 
secret nova-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/nova}" \ + --post-renderer /etc/genestack/kustomize/kustomize.sh \ + --post-renderer-args ceilometer/base "$@" +popd || exit diff --git a/bin/install-cinder.sh b/bin/install-cinder.sh index 7eab99ee..4e3f7f09 100755 --- a/bin/install-cinder.sh +++ b/bin/install-cinder.sh 
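Review bot: The continuation lines of `transport_url` and `messaging_urls.values` are now indented inside the double quotes (`+ rabbit://ceilometer:…`, where the old lines started at column 0), and inside double quotes a backslash-newline removes only the newline, so the indentation becomes part of each value. Helm then receives URLs with leading whitespace; whether the chart or oslo.config trims it is not visible here, so I would not rely on that. Keep those continuation lines at column 0 as before, or build each URL in a variable first and pass `--set conf.ceilometer.oslo_messaging_notifications.transport_url="$ceilometer_transport_url" \`.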
@@ -1,18 +1,18 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install heat ./heat \ - --namespace=openstack \ - --timeout 120m \ - -f /opt/genestack/base-helm-configs/heat/heat-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.heat.password="$(kubectl --namespace openstack get secret heat-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.heat_trustee.password="$(kubectl --namespace openstack get secret heat-trustee -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.heat_stack_user.password="$(kubectl --namespace openstack get secret heat-stack-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.heat.password="$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.heat.database.slave_connection="mysql+pymysql://heat:$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/heat" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.heat.password="$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /opt/genestack/base-kustomize/kustomize.sh \ - --post-renderer-args heat/base +pushd /opt/genestack/submodules/openstack-helm || exit + helm upgrade --install cinder ./cinder \ + --namespace=openstack \ + --timeout 120m \ + -f 
/etc/genestack/helm-configs/cinder/cinder-helm-overrides.yaml \ + --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.cinder.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.cinder.database.slave_connection="mysql+pymysql://cinder:$(kubectl --namespace openstack get secret cinder-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/cinder" \ + --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_messaging.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ + --post-renderer /etc/genestack/kustomize/kustomize.sh \ + --post-renderer-args cinder/base "$@" +popd || exit diff --git a/bin/install-glance.sh b/bin/install-glance.sh index a3361661..87b01338 100755 --- a/bin/install-glance.sh +++ b/bin/install-glance.sh 
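Review bot: Every credential in the new command, including the added `memcache_secret_key` and the `slave_connection` URL, is expanded into `helm`'s argument list, where other local users can read it from the process table while the upgrade runs and where `set -x` or command auditing would log it. The script already worked this way, but the change adds more secrets to the same line. `--set-file` takes the value from a file, so `--set-file endpoints.oslo_cache.auth.memcache_secret_key=<(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)` should keep the key out of argv. Values that embed a password in a URL would need a generated values file passed with `-f`. The other install-*.sh hunks in this commit follow the same pattern.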
@@ -1,17 +1,18 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install glance ./glance \ - --namespace=openstack \ - --wait \ - --timeout 120m \ - -f /opt/genestack/base-helm-configs/glance/glance-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.glance.password="$(kubectl --namespace openstack get secret glance-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.glance.password="$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.glance.database.slave_connection="mysql+pymysql://glance:$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/glance" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.glance.password="$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /opt/genestack/base-kustomize/kustomize.sh \ - --post-renderer-args glance/base +pushd /opt/genestack/submodules/openstack-helm || exit + helm upgrade --install glance ./glance \ + --namespace=openstack \ + --timeout 120m \ + -f /etc/genestack/helm-configs/glance/glance-helm-overrides.yaml \ + --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.glance.password="$(kubectl --namespace openstack get secret 
glance-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.glance.password="$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.glance.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.glance.database.slave_connection="mysql+pymysql://glance:$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/glance" \ + --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_messaging.auth.glance.password="$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ + --post-renderer /etc/genestack/kustomize/kustomize.sh \ + --post-renderer-args glance/base "$@" +popd || exit diff --git a/bin/install-gnocchi.sh b/bin/install-gnocchi.sh index c3ab8ac4..7b482243 100755 --- a/bin/install-gnocchi.sh +++ b/bin/install-gnocchi.sh 
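Review bot: `--wait` is dropped from the new `helm upgrade` while `--timeout 120m` stays, so the script can now return success before the glance pods are ready (chart hooks may still block; that depends on the chart). Nothing in the hunk says whether this is intended, and anything that chains the install scripts loses the readiness guarantee. If it is deliberate, a comment above the command such as `# no --wait: readiness is checked separately` (with the real reason) would record it. The install-ceilometer.sh, install-gnocchi.sh and install-keystone.sh hunks drop the flag as well.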
@@ -1,16 +1,18 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm-infra -helm upgrade --install gnocchi ./gnocchi \ - --namespace=openstack \ - --wait \ - --timeout 10m \ - -f /opt/genestack/base-helm-configs/gnocchi/gnocchi-helm-overrides.yaml \ - --set conf.ceph.admin_keyring="$(kubectl get secret --namespace rook-ceph rook-ceph-admin-keyring -o jsonpath='{.data.keyring}' | base64 -d)" \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db_postgresql.auth.admin.password="$(kubectl --namespace openstack get secret postgresql-db-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db_postgresql.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-pgsql-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /opt/genestack/base-kustomize/kustomize.sh \ - --post-renderer-args gnocchi/base +pushd /opt/genestack/submodules/openstack-helm-infra || exit + helm upgrade --install gnocchi ./gnocchi \ + --namespace=openstack \ + --timeout 10m \ + -f /etc/genestack/helm-configs/gnocchi/gnocchi-helm-overrides.yaml \ + --set conf.ceph.admin_keyring="$(kubectl get secret --namespace rook-ceph rook-ceph-admin-keyring -o jsonpath='{.data.keyring}' | base64 -d)" \ + --set conf.gnocchi.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" 
\ + --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db_postgresql.auth.admin.password="$(kubectl --namespace openstack get secret postgresql-db-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db_postgresql.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-pgsql-password -o jsonpath='{.data.password}' | base64 -d)" \ + --post-renderer /etc/genestack/kustomize/kustomize.sh \ + --post-renderer-args gnocchi/base "$@" +popd || exit diff --git a/bin/install-heat.sh b/bin/install-heat.sh index 9c39de3a..b437b4c5 100755 --- a/bin/install-heat.sh +++ b/bin/install-heat.sh 
@@ -1,14 +1,20 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install horizon ./horizon \ +pushd /opt/genestack/submodules/openstack-helm || exit + helm upgrade --install heat ./heat \ --namespace=openstack \ - --wait \ - --timeout 120m \ - -f /opt/genestack/base-helm-configs/horizon/horizon-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.horizon.local_settings.config.horizon_secret_key="$(kubectl --namespace openstack get secret horizon-secrete-key -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.horizon.password="$(kubectl --namespace openstack get secret horizon-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /opt/genestack/base-kustomize/kustomize.sh \ - --post-renderer-args horizon/base + --timeout 120m \ + -f /etc/genestack/helm-configs/heat/heat-helm-overrides.yaml \ + --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.heat.password="$(kubectl --namespace openstack get secret heat-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.heat_trustee.password="$(kubectl --namespace openstack get secret heat-trustee -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.heat_stack_user.password="$(kubectl --namespace openstack get secret heat-stack-user -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.heat.password="$(kubectl 
--namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.heat.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.heat.database.slave_connection="mysql+pymysql://heat:$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/heat" \ + --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_messaging.auth.heat.password="$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ + --post-renderer /etc/genestack/kustomize/kustomize.sh \ + --post-renderer-args heat/base "$@" +popd || exit diff --git a/bin/install-horizon.sh b/bin/install-horizon.sh new file mode 100755 index 00000000..c8cb5ccc --- /dev/null +++ b/bin/install-horizon.sh 
@@ -0,0 +1,14 @@
+#!/bin/bash
+pushd /opt/genestack/submodules/openstack-helm || exit
+ helm upgrade --install horizon ./horizon \
+ --namespace=openstack \
+ --timeout 120m \
+ -f /etc/genestack/helm-configs/horizon/horizon-helm-overrides.yaml \
+ --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
+ --set conf.horizon.local_settings.config.horizon_secret_key="$(kubectl --namespace openstack get secret horizon-secret-key -o jsonpath='{.data.root-password}' | base64 -d)" \
+ --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
+ --set endpoints.oslo_db.auth.horizon.password="$(kubectl --namespace openstack get secret horizon-db-password -o jsonpath='{.data.password}' | base64 -d)" \
+ --post-renderer /etc/genestack/kustomize/kustomize.sh \
+ --post-renderer-args horizon/base "$@"
+popd || exit
diff --git a/bin/install-keystone.sh b/bin/install-keystone.sh
index 665a9077..3eda9b67 100755
--- a/bin/install-keystone.sh
+++ b/bin/install-keystone.sh
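Review bot: The Horizon secret key is now read from a Secret named `horizon-secret-key`, while the previous version of this command (the removed lines in the install-heat.sh hunk) read `horizon-secrete-key`, and the create-secrets.sh hunks shown in this commit do not rename it. If the cluster still holds the Secret under the old name, the lookup fails, the substitution is empty, and `conf.horizon.local_settings.config.horizon_secret_key` is set to an empty string; that value is presumably the key Horizon signs sessions with. Please confirm the Secret is created under the new name and that `.data.root-password` is really the field holding the key, and stop the script when the value comes back empty.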
@@ -1,18 +1,16 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install keystone ./keystone \ - --namespace=openstack \ - --wait \ - --timeout 120m \ - -f /opt/genestack/base-helm-configs/keystone/keystone-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.keystone.database.slave_connection="mysql+pymysql://keystone:$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/keystone" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /opt/genestack/base-kustomize/kustomize.sh \ - --post-renderer-args keystone/base - -kubectl --namespace openstack apply -f /opt/genestack/manifests/utils/utils-openstack-client-admin.yaml +pushd /opt/genestack/submodules/openstack-helm || exit + helm upgrade --install keystone ./keystone \ + --namespace=openstack \ + --timeout 120m \ + -f /etc/genestack/helm-configs/keystone/keystone-helm-overrides.yaml \ + --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o 
jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set conf.keystone.database.slave_connection="mysql+pymysql://keystone:$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/keystone" \ + --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_messaging.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ + --post-renderer /etc/genestack/kustomize/kustomize.sh \ + --post-renderer-args keystone/base "$@" +popd || exit diff --git a/bin/install-magnum.sh b/bin/install-magnum.sh new file mode 100755 index 00000000..f95b4fe3 --- /dev/null +++ b/bin/install-magnum.sh 
@@ -0,0 +1,17 @@
+#!/bin/bash
+pushd /opt/genestack/submodules/openstack-helm || exit
+ helm upgrade --install magnum ./magnum \
+ --namespace=openstack \
+ --timeout 120m \
+ -f /etc/genestack/helm-configs/magnum/magnum-helm-overrides.yaml \
+ --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.identity.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-admin -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
+ --set endpoints.oslo_db.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-db-password -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.oslo_messaging.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
+ --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
+ --set conf.magnum.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
+ --post-renderer /etc/genestack/kustomize/kustomize.sh \
+ --post-renderer-args magnum/base "$@"
+popd || exit
diff --git a/bin/install-neutron.sh b/bin/install-neutron.sh
index 6a915942..e8a282b8 100755
--- a/bin/install-neutron.sh
+++ b/bin/install-neutron.sh
@@ -1,26 +1,28 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install neutron ./neutron \ - --namespace=openstack \ - --timeout 120m \ - -f /opt/genestack/base-helm-configs/neutron/neutron-helm-overrides.yaml \ - --set conf.metadata_agent.DEFAULT.metadata_proxy_shared_secret="$(kubectl --namespace openstack get secret metadata-shared-secret -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.ovn_metadata_agent.DEFAULT.metadata_proxy_shared_secret="$(kubectl --namespace openstack get secret metadata-shared-secret -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.nova.password="$(kubectl --namespace openstack get secret nova-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.designate.password="$(kubectl --namespace openstack get secret designate-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.neutron.database.slave_connection="mysql+pymysql://neutron:$(kubectl --namespace openstack get secret neutron-db-password -o 
jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/neutron" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.neutron.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ - --set conf.neutron.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ - --set conf.plugins.ml2_conf.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ - --set conf.plugins.ml2_conf.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ - --post-renderer /opt/genestack/base-kustomize/kustomize.sh \ - --post-renderer-args neutron/base +pushd /opt/genestack/submodules/openstack-helm || exit + helm upgrade --install neutron ./neutron \ + --namespace=openstack \ + --timeout 120m \ + -f /etc/genestack/helm-configs/neutron/neutron-helm-overrides.yaml \ + --set conf.metadata_agent.DEFAULT.metadata_proxy_shared_secret="$(kubectl --namespace openstack get secret metadata-shared-secret -o jsonpath='{.data.password}' | base64 -d)" \ + --set conf.ovn_metadata_agent.DEFAULT.metadata_proxy_shared_secret="$(kubectl --namespace openstack get secret metadata-shared-secret -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.neutron.password="$(kubectl 
--namespace openstack get secret neutron-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.nova.password="$(kubectl --namespace openstack get secret nova-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.designate.password="$(kubectl --namespace openstack get secret designate-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.neutron.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.neutron.database.slave_connection="mysql+pymysql://neutron:$(kubectl --namespace openstack get secret neutron-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/neutron" \ + --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_messaging.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set 
conf.neutron.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ + --set conf.neutron.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ + --set conf.plugins.ml2_conf.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ + --set conf.plugins.ml2_conf.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ + --post-renderer /etc/genestack/kustomize/kustomize.sh \ + --post-renderer-args neutron/base "$@" +popd || exit diff --git a/bin/install-nova.sh b/bin/install-nova.sh index c06a31cd..99e3b63e 100755 --- a/bin/install-nova.sh +++ b/bin/install-nova.sh 
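Review bot: Each value gets its own `kubectl` call even when the same object is used several times; in this hunk `metadata-shared-secret`, `os-memcached`, `neutron-db-password` and the `ovn-nb`/`ovn-sb` services are each queried twice. Reading each one once into a variable before the `helm upgrade` line, e.g. `memcache_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)"`, and passing `--set ...="$memcache_key"` guarantees that both settings receive the same value and makes the command shorter to audit. The nova hunk repeats its `nova-db-password` and `mariadb` lookups in the same way.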
@@ -1,29 +1,31 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install nova ./nova \ - --namespace=openstack \ - --timeout 120m \ - -f /opt/genestack/base-helm-configs/nova/nova-helm-overrides.yaml \ - --set conf.nova.neutron.metadata_proxy_shared_secret="$(kubectl --namespace openstack get secret metadata-shared-secret -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.nova.password="$(kubectl --namespace openstack get secret nova-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db_api.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db_api.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db_cell0.auth.admin.password="$(kubectl 
--namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db_cell0.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.nova.database.slave_connection="mysql+pymysql://nova:$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova" \ - --set conf.nova.api_database.slave_connection="mysql+pymysql://nova:$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova_api" \ - --set conf.nova.cell0_database.slave_connection="mysql+pymysql://nova:$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova_cell0" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.nova.password="$(kubectl --namespace openstack get secret nova-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set network.ssh.public_key="$(kubectl -n openstack get secret nova-ssh-keypair -o jsonpath='{.data.public_key}' | base64 -d)"$'\n' \ - --set network.ssh.private_key="$(kubectl -n openstack get secret nova-ssh-keypair -o jsonpath='{.data.private_key}' | base64 -d)"$'\n' \ - --post-renderer /opt/genestack/base-kustomize/kustomize.sh \ - --post-renderer-args nova/base +pushd /opt/genestack/submodules/openstack-helm || exit + helm upgrade --install nova ./nova \ + --namespace=openstack \ + --timeout 120m \ + -f /etc/genestack/helm-configs/nova/nova-helm-overrides.yaml \ + --set conf.nova.neutron.metadata_proxy_shared_secret="$(kubectl --namespace openstack get secret 
metadata-shared-secret -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.nova.password="$(kubectl --namespace openstack get secret nova-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db_api.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db_api.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db_cell0.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db_cell0.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace 
openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.nova.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.nova.database.slave_connection="mysql+pymysql://nova:$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova" \ + --set conf.nova.api_database.slave_connection="mysql+pymysql://nova:$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova_api" \ + --set conf.nova.cell0_database.slave_connection="mysql+pymysql://nova:$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova_cell0" \ + --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_messaging.auth.nova.password="$(kubectl --namespace openstack get secret nova-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set network.ssh.public_key="$(kubectl -n openstack get secret nova-ssh-keypair -o jsonpath='{.data.public_key}' | base64 -d)"$'\n' \ + --set network.ssh.private_key="$(kubectl -n openstack get secret nova-ssh-keypair -o jsonpath='{.data.private_key}' | base64 -d)"$'\n' \ + --post-renderer /etc/genestack/kustomize/kustomize.sh \ + --post-renderer-args nova/base "$@" +popd || exit diff --git a/bin/install-octavia.sh b/bin/install-octavia.sh index 948b9dc0..5235a4e2 100755 --- a/bin/install-octavia.sh +++ b/bin/install-octavia.sh 
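Review bot: Every credential in this command, including the SSH private key on the `--set network.ssh.private_key=...` line, reaches helm as a command-line argument, so on a default Linux host it can be read from the process list while helm runs. A values file keeps the secrets out of argv: write the decoded values to a `mktemp` file created under `umask 077`, pass it with `-f "$secrets_file"`, and remove it in a `trap ... EXIT` handler. The other install scripts touched by this commit use the same `--set "$(kubectl ...)"` pattern and would benefit from the same change.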
@@ -1,20 +1,21 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install octavia ./octavia \ - --namespace=openstack \ - --wait \ - --timeout 120m \ - -f /opt/genestack/base-helm-configs/octavia/octavia-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.octavia.database.slave_connection="mysql+pymysql://octavia:$(kubectl --namespace openstack get secret octavia-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/octavia" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.octavia.certificates.ca_private_key_passphrase="$(kubectl --namespace openstack get secret octavia-certificates -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.octavia.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ - --set conf.octavia.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ - --post-renderer 
/opt/genestack/base-kustomize/kustomize.sh \ - --post-renderer-args octavia/base +pushd /opt/genestack/submodules/openstack-helm || exit + helm upgrade --install octavia ./octavia \ + --namespace=openstack \ + --timeout 120m \ + -f /etc/genestack/helm-configs/octavia/octavia-helm-overrides.yaml \ + --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_messaging.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.octavia.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.octavia.database.slave_connection="mysql+pymysql://octavia:$(kubectl --namespace openstack get secret octavia-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/octavia" \ + --set conf.octavia.certificates.ca_private_key_passphrase="$(kubectl --namespace openstack get secret octavia-certificates -o 
jsonpath='{.data.password}' | base64 -d)" \ + --set conf.octavia.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ + --set conf.octavia.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ + --post-renderer /etc/genestack/kustomize/kustomize.sh \ + --post-renderer-args octavia/base "$@" +popd || exit diff --git a/bin/install-placement.sh b/bin/install-placement.sh index d4b092dd..19ccbc9a 100755 --- a/bin/install-placement.sh +++ b/bin/install-placement.sh 
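Review bot: `--wait` is dropped from the helm command in this hunk (and in the keystone hunk), so the script now returns before the release is ready unless the caller passes `--wait` through the new `"$@"`. Nothing in the script says that extra arguments are forwarded to helm or that waiting is now opt-in. A header comment such as `# Extra arguments are passed to helm, e.g. install-octavia.sh --wait` under the shebang would document both.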
@@ -1,15 +1,17 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install placement ./placement --namespace=openstack \ - --namespace=openstack \ - --timeout 120m \ - -f /opt/genestack/base-helm-configs/placement/placement-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.placement.password="$(kubectl --namespace openstack get secret placement-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.placement.placement_database.slave_connection="mysql+pymysql://placement:$(kubectl --namespace openstack get secret placement-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/placement" \ - --set endpoints.oslo_db.auth.nova_api.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /opt/genestack/base-kustomize/kustomize.sh \ - --post-renderer-args placement/base +pushd /opt/genestack/submodules/openstack-helm || exit + helm upgrade --install placement ./placement --namespace=openstack \ + --namespace=openstack \ + --timeout 120m \ + -f /etc/genestack/helm-configs/placement/placement-helm-overrides.yaml \ + --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \ + --set 
endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.placement.password="$(kubectl --namespace openstack get secret placement-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set endpoints.oslo_db.auth.nova_api.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ + --set conf.placement.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \ + --set conf.placement.placement_database.slave_connection="mysql+pymysql://placement:$(kubectl --namespace openstack get secret placement-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/placement" \ + --post-renderer /etc/genestack/kustomize/kustomize.sh \ + --post-renderer-args placement/base "$@" +popd || exit diff --git a/bin/install-postgresql.sh b/bin/install-postgresql.sh index b87dba05..b3eff2ac 100755 --- a/bin/install-postgresql.sh +++ b/bin/install-postgresql.sh @@ -1,5 +1,5 @@ #!/bin/bash -cd /opt/genestack/submodules/openstack-helm-infra +pushd /opt/genestack/submodules/openstack-helm-infra || exit helm upgrade --install postgresql ./postgresql \ --namespace=openstack \ --wait \ 
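Review bot: `--namespace=openstack` is given twice in the placement command, once at the end of the `helm upgrade --install placement ./placement` line and again on the line after it; the duplicate is carried over unchanged from the old script. Shortening the first line to `helm upgrade --install placement ./placement \` makes the command match the other install scripts in this commit.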
@@ -10,3 +10,4 @@ helm upgrade --install postgresql ./postgresql \
 --set endpoints.postgresql.auth.admin.password="$(kubectl --namespace openstack get secret postgresql-db-admin -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.postgresql.auth.exporter.password="$(kubectl --namespace openstack get secret postgresql-db-exporter -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.postgresql.auth.audit.password="$(kubectl --namespace openstack get secret postgresql-db-audit -o jsonpath='{.data.password}' | base64 -d)"
+popd || exit
diff --git a/bin/install-prometheus.sh b/bin/install-prometheus.sh
new file mode 100644
index 00000000..4cf33df4
--- /dev/null
+++ b/bin/install-prometheus.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+helm upgrade --install prometheus prometheus-community/kube-prometheus-stack \
+ --create-namespace --namespace=prometheus --timeout 10m \
+ -f /opt/genestack/base-helm-configs/prometheus/prometheus-helm-overrides.yaml \
+ -f /etc/genestack/helm-configs/prometheus/prometheus-helm-overrides.yaml \
+ -f /opt/genestack/base-helm-configs/prometheus/alerting_rules.yaml \
+ -f /etc/genestack/helm-configs/prometheus/alerting_rules.yaml \
+ -f /opt/genestack/base-helm-configs/prometheus/alertmanager_config.yaml \
+ -f /etc/genestack/helm-configs/prometheus/alertmanager_config.yaml \
+ --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
+ --post-renderer-args prometheus/base "$@"
diff --git a/bin/label-nodes.sh b/bin/label-nodes.sh
index 91e7c751..c335b3fe 100755
--- a/bin/label-nodes.sh
+++ b/bin/label-nodes.sh
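Review bot: `bin/install-prometheus.sh` installs `prometheus-community/kube-prometheus-stack` without a `--version`, so each run deploys whatever chart version the remote repository serves at that moment. Pinning it on the `helm upgrade` line, e.g. `--version "<CHART_VERSION>"` (placeholder), makes deployments reproducible and keeps an unreviewed upstream release out of the cluster. The script also has no error handling, so a failed `helm repo add` or `helm repo update` is still followed by the upgrade; `set -e` after the shebang would stop it. The file is added with mode 100644 and uses `/opt/genestack/base-kustomize/kustomize.sh` as post-renderer, while the other install scripts in this commit are 100755 and use `/etc/genestack/kustomize/kustomize.sh`; it is worth confirming that both differences are intended.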
@@ -10,12 +10,13 @@ INVENTORY_FILE="$1" label_nodes() { local group=$1 local label=$2 - - if grep -q "$group:" $INVENTORY_FILE; then - local nodes=($(grep -A 1 "children:" $INVENTORY_FILE | grep -A 1 " $group:" | grep -Eo "^\s+\S+" | tr -d ' ')) + + if grep -q "$group:" "$INVENTORY_FILE"; then + # shellcheck disable=SC2207 + local nodes=($(grep -A 1 "children:" "$INVENTORY_FILE" | grep -A 1 " $group:" | grep -Eo "^\s+\S+" | tr -d ' ')) for node in "${nodes[@]}"; do if [[ $node != "|" ]]; then - kubectl label node $node $label --overwrite + kubectl label node "$node" "$label" --overwrite echo "Labeled node $node with $label" fi done @@ -40,13 +41,17 @@ label_nodes "cinder_storage_nodes" "openstack-storage-node=enabled" label_nodes "ovn_network_nodes" "openstack-network-node=enabled" # Label all workers - Identified by kube_node excluding kube_control_plane -if grep -q "kube_node:" $INVENTORY_FILE; then - kube_control_plane_nodes=($(grep -A 1 "children:" $INVENTORY_FILE | grep -A 1 " kube_control_plane:" | grep -Eo "^\s+\S+" | tr -d ' ')) - all_kube_nodes=($(grep -A 1 "children:" $INVENTORY_FILE | grep -A 1 " kube_node:" | grep -Eo "^\s+\S+" | tr -d ' ')) +if grep -q "kube_node:" "$INVENTORY_FILE"; then + # shellcheck disable=SC2207 + kube_control_plane_nodes=($(grep -A 1 "children:" "$INVENTORY_FILE" | grep -A 1 " kube_control_plane:" | grep -Eo "^\s+\S+" | tr -d ' ')) + # shellcheck disable=SC2207 + all_kube_nodes=($(grep -A 1 "children:" "$INVENTORY_FILE" | grep -A 1 " kube_node:" | grep -Eo "^\s+\S+" | tr -d ' ')) for node in "${all_kube_nodes[@]}"; do + # shellcheck disable=SC2199 + # shellcheck disable=SC2076 if [[ ! " ${kube_control_plane_nodes[@]} " =~ " ${node} " ]]; then - kubectl label node $node node-role.kubernetes.io/worker=worker --overwrite + kubectl label node "$node" node-role.kubernetes.io/worker=worker --overwrite echo "Labeled node $node with node-role.kubernetes.io/worker=worker" fi done 
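Review bot: The `nodes=($(grep ...))` assignment is kept and SC2207 is silenced rather than fixed, so the grep output still goes through word splitting and glob expansion before it reaches `kubectl label node`. Declaring `local nodes` and filling it with `mapfile -t nodes < <(grep -A 1 "children:" "$INVENTORY_FILE" | grep -A 1 " $group:" | grep -Eo "^\s+\S+" | tr -d ' ')` stores one line per element without either, and the disable comment can then be removed. The same applies to `kube_control_plane_nodes` and `all_kube_nodes` in the second hunk. The body of `label_nodes` continues past the end of the first hunk.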
diff --git a/docs/infrastructure-memcached.md b/docs/infrastructure-memcached.md index 217c18e8..5175b34d 100644 --- a/docs/infrastructure-memcached.md +++ b/docs/infrastructure-memcached.md @@ -23,3 +23,16 @@ View the [memcached exporter](prometheus-memcached-exporter.md) instructions to ``` shell kubectl --namespace openstack get horizontalpodautoscaler.autoscaling memcached -w ``` + +### Create shared os-memcached secret + +``` shell +kubectl --namespace openstack \ + create secret generic os-memcached \ + --type Opaque \ + --from-literal=memcache_secret_key="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +``` + +!!! Note + + This is a shared secret that is distributed to all services that require it. Rotating this value means updating all services. diff --git a/docs/openstack-barbican.md b/docs/openstack-barbican.md index 8e88a55e..5926b7cf 100644 --- a/docs/openstack-barbican.md +++ b/docs/openstack-barbican.md 
@@ -28,23 +28,11 @@ OpenStack Barbican is the dedicated security service within the OpenStack ecosys ## Run the package deployment -``` shell -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install barbican ./barbican \ - --namespace=openstack \ - --wait \ - --timeout 120m \ - -f /etc/genestack/helm-configs/barbican/barbican-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args barbican/base -``` +!!! example "Run the Barbican deployment Script `bin/install-barbican.sh`" + + ``` shell + --8<-- "bin/install-barbican.sh" + ``` !!! tip diff --git a/docs/openstack-ceilometer.md b/docs/openstack-ceilometer.md index 43a6fdd3..e64c8ae2 100644 --- a/docs/openstack-ceilometer.md +++ b/docs/openstack-ceilometer.md 
@@ -24,32 +24,11 @@ OpenStack Ceilometer is the telemetry service within the OpenStack ecosystem, re ## Run the package deployment -``` shell -cd /opt/genestack/submodules/openstack-helm -helm upgrade --install ceilometer ./ceilometer \ - --namespace=openstack \ - --wait \ - --timeout 10m \ - -f /etc/genestack/helm-configs/ceilometer/ceilometer-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.ceilometer.password="$(kubectl --namespace openstack get secret ceilometer-keystone-admin-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.test.password="$(kubectl --namespace openstack get secret ceilometer-keystone-test-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.admin.username="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.username}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.ceilometer.password="$(kubectl --namespace openstack get secret ceilometer-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.ceilometer.oslo_messaging_notifications.transport_url="\ -rabbit://ceilometer:$(kubectl --namespace openstack get secret ceilometer-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/ceilometer"\ - --set conf.ceilometer.notification.messaging_urls.values="{\ -rabbit://ceilometer:$(kubectl --namespace openstack get secret ceilometer-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/ceilometer,\ -rabbit://cinder:$(kubectl --namespace openstack get secret cinder-rabbitmq-password -o 
jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/cinder,\ -rabbit://glance:$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/glance,\ -rabbit://heat:$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/heat,\ -rabbit://keystone:$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/keystone,\ -rabbit://neutron:$(kubectl --namespace openstack get secret neutron-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/neutron,\ -rabbit://nova:$(kubectl --namespace openstack get secret nova-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)@rabbitmq.openstack.svc.cluster.local:5672/nova}" \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args ceilometer/base -``` +!!! example "Run the Ceilometer deployment Script `bin/install-ceilometer.sh`" + + ``` shell + --8<-- "bin/install-ceilometer.sh" + ``` !!! tip diff --git a/docs/openstack-cinder.md b/docs/openstack-cinder.md index 43ea0135..e1d74572 100644 --- a/docs/openstack-cinder.md +++ b/docs/openstack-cinder.md 
@@ -30,24 +30,11 @@ OpenStack Cinder is a core component of the OpenStack cloud computing platform, ## Run the package deployment -``` shell -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install cinder ./cinder \ - --namespace=openstack \ - --wait \ - --timeout 120m \ - -f /etc/genestack/helm-configs/cinder/cinder-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.cinder.database.slave_connection="mysql+pymysql://cinder:$(kubectl --namespace openstack get secret cinder-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/cinder" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args cinder/base -``` +!!! example "Run the Cinder deployment Script `bin/install-cinder.sh`" + + ``` shell + --8<-- "bin/install-cinder.sh" + ``` !!! tip diff --git a/docs/openstack-cloud-design-regions.md b/docs/openstack-cloud-design-regions.md index 3381f0ef..9e2f9438 100644 --- a/docs/openstack-cloud-design-regions.md +++ b/docs/openstack-cloud-design-regions.md 
@@ -1,19 +1,95 @@ # Regions -Regions are separate physical locations served by a single cloud. In OpenStack, a Region is defined as an independently deployed cloud excepting Keystone and Horizon or Skyline. +Regions are separate physical locations served by a single cloud. In terms of our taxonomy, a Cloud can contain several Regions. ![Regions in Cloud Hierarchy](assets/images/cloud-hierarchy-region.png) -## Designing Services for Multiple Available Zones +In OpenStack, a Region is defined as an independently deployed cloud infrastructure, excepting authentication (Keystone) and possibly a dashboard (Horizon or Skyline.) **_A Region should be able to operate autonomously from other Regions._** This means that a Region has it's own API endpoints for most services. For the OpenStack CLI, this usually means a separate entry in +[`clouds.yaml`](https://docs.openstack.org/python-openstackclient/latest/configuration/index.html#clouds-yaml){:target="_blank"} +or a separate `openrc` file. -!!! info "To Do" +!!! tip - Describe how to implement a multi-region cloud with the following OpenStack services: + For discoverability, you may elect to have "generic" DNS names for some services that use geo-IP or other context clues to direct user to the appropriate endpoint. - - Keystone - - Nova - - Neutron - - Cinder - - Glance + For example, if you have an internal cloud that has geographic regions on continents or countries, "cloud.company.corp" may just direct user to their in-region Horizon or Keystone instance, like "us.cloud.company.corp" for North America or "apac.cloud.company.corp" for Asia. -... +## Designing Services for Multiple Regions + +### Keystone + +A unified [Keystone](https://docs.openstack.org/keystone/latest/){:target="_blank"} service is essentially what separates a Region deployment from a Cloud deployment. 
+ +In most cases, when you deploy a multi-region cloud, you first either deploy a global Keystone service first, either stand-alone or as a part of your primary region, and then deploy additional regions federating from it. + +This is usually trivial, as you ought to be backing Keystone with some large-scale authentication (authn) and authorization (authz) infrastructure such as a [LDAP](https://docs.openstack.org/keystone/latest/admin/configuration.html#integrate-identity-with-ldap){:target="_blank"}[^1]. You can also use Keystone's built-in federation, as is done at [Rackspace](openstack-keystone-federation.md). + +### Horizon/Skyline + +The [Horizon](https://docs.openstack.org/horizon/latest/){:target="_blank"} and [Skyline](https://docs.openstack.org/skyline/latest/){:target="_blank"} web control panels are one of the primary ways that users interact with OpenStack. Collectively, we usually refer to their functionality as the "Dashboard." + +Regions can have their own dashboard logins[^2], or a cloud provider may want to create a landing page where there is the ability for the user to select the region into which they want to login. + +OpenStack currently does not have any multi-region capability with the dashboards, so if a "single pane of glass" approach is desired, third-party tooling will need to be required. + +!!! Example + [ManageIQ](https://docs.openstack.org/horizon/latest/){:target="_blank"} is an open-source [Cloud Management Platform (CMP)](https://en.wikipedia.org/wiki/Cloud_management#Cloud_Management_Platforms_(CMP)){:target="_blank"} that is capable of managing multiple OpenStack clouds or regions. 
ManageIQ has excellent support via it's [OpenStack provider](https://www.manageiq.org/docs/reference/latest/managing_providers/cloud_providers/openstack_providers.html){:target="_blank"} and multiple OpenStack API endpoints can be added to provide common management through the ManageIQ web interface and [API](https://www.manageiq.org/docs/api){:target="_blank"}. + +### Nova + +[Nova](https://docs.openstack.org/nova/latest/){:target="_blank"} is probably the easiest service to rationalize on a per-Region basis. Cloud users generally have few issues understanding Regions as a cloud organization structure around compute resources. + +Regions are generally assumed to be autonomous and self-contained with respect to compute. In fact, Regions usually become one of the defining factors for how compute resources in a cloud are +organized. This is no different in OpenStack. + +When migrating compute resources from one region to another, it is generally assumed that users will export their instances from one region, and import them into another. More likely, compute instances will be deployed in multiple regions simultaneously, using networking, load balancers, DNS, and other tools to steer traffic and divide workloads across various regions. + +### Neutron + +Connecting [Neutron](https://docs.openstack.org/neutron/latest/){:target="_blank"} across regions can be very useful for users. In fact, having this capability can be essential for users to see your cloud as being viable for high-availability. + +Inter-region connectivity is a key capability that can underlie various HA-enablement services such as data replication, automated disaster recovery, block device mirroring, service locality (e.g. GeoIP.) That being said, building inter-region connectivity into Neutron proper would raise some questions that would be difficult to answer in terms of design: + +1. Which region would "own" the resource being created? +2. If both regions "own" it, how is that synchronized? 
Also, wouldn't that limit the autonomy of regions? + +These kind of "existential questions" should always raise a red flag – the main goal of Region is to be able to operate autonomously, so the best solution will be to create something that isn't "owned" by either end -- a VPN. + +!!! tip + + While it may seem like Neutron's [VPN as a Service (VPNaaS)](https://docs.openstack.org/neutron-vpnaas/latest/user/index.html){:target="_blank"} is a good fit for something like this, VPNaaS is primarily designed for client-server VPNs. This application is better suited for point-to-point VPNs. + +!!! example + + You may even want your cloud users to look at something like [Tailscale](https://tailscale.com/){:target="_blank"} or even just plain [Wireguard](https://www.wireguard.com/){:target="_blank"} to create their own site-to-site VPN overlay networks. + +### Cinder + +In most cases, [Cinder](https://docs.openstack.org/cinder/latest/){:target="_blank"}, like Nova, should be contained within it's region. However, there are special cases like block-device replication that may make you want to consider how to accomplish this within the framework of Cinder. + +As with Neutron, the key is designing services that can be put together with other building blocks to create the useful combinations that cloud users are looking to take advantage of. For Cinder, this usually means some kind of cross-region replication. + +Currently, Cinder [replication](https://docs.openstack.org/cinder/latest/contributor/replication.html){:target="_blank"} is limited to in-region backend failure scenarios where volumes can be +saved to multiple backends. + +Replicating Cinder volumes from one Region to another is more complicated in the sense that not only does the actual volume storage need to be replicated, but both regions would need to have the metadata in sync for those volumes. 
Ultimately, there would need to be a way to synchronize the _state_ of those volumes so that both Regions understand the local and the remote to be the _same volume_. This is much more complex. + +### Glance + +If we strictly adhere to the definition that regions are separate physical locations served by a single cloud, then [Glance](https://docs.openstack.org/glance/latest/){:target="_blank"} should just be deployed on a per-region bases like most services. However, Glance is one of the OpenStack services that can you may want to consider to deploy cloud-wide. + +Glance provides a simple way to do with with [glance-replicator](https://docs.openstack.org/glance/latest/cli/glancereplicator.html){:target="_blank"}. While this is good for bootstrapping a new glance instance, you will need to continuously keep your regions in sync for this to be useful. + +A good way to do this is to have a shared Glance service with distributed backends – this is best if when OpenStack instances are located across several sites. + +!!! Example + One way to accomplish this would be to use a Glance backend on top of replicated storage. Then, you can replicate the Glace storage backend across multiple regions and expose the service from a single IP in the service catalog. That service IP could resolve to localized endpoints via geo-IP. + + Remember – your glance back-end does not necessarily need to be shared with Cinder or Swift or any other services, so using an existing storage backend with replication capabilities that you already deploy could be a economically-efficient way to achieve this goal. + +[^1]: + LDAP integration can also be used to [integrate Keystone with Active Directory](https://wiki.openstack.org/wiki/HowtoIntegrateKeystonewithAD){:target="_blank"}. + +[^2]: + Having your dashboard URL and API endpoint URL for regions follow a specific schema, like + `.region.cloud.corp` can make things easily discoverable for your users. 
diff --git a/docs/openstack-compute-kit-neutron.md b/docs/openstack-compute-kit-neutron.md index e299d094..c1c3d2cd 100644 --- a/docs/openstack-compute-kit-neutron.md +++ b/docs/openstack-compute-kit-neutron.md 
@@ -1,32 +1,10 @@ # Deploy Neutron -``` shell -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install neutron ./neutron \ - --namespace=openstack \ - --timeout 120m \ - -f /etc/genestack/helm-configs/neutron/neutron-helm-overrides.yaml \ - --set conf.metadata_agent.DEFAULT.metadata_proxy_shared_secret="$(kubectl --namespace openstack get secret metadata-shared-secret -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.ovn_metadata_agent.DEFAULT.metadata_proxy_shared_secret="$(kubectl --namespace openstack get secret metadata-shared-secret -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.nova.password="$(kubectl --namespace openstack get secret nova-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.designate.password="$(kubectl --namespace openstack get secret designate-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.neutron.database.slave_connection="mysql+pymysql://neutron:$(kubectl --namespace openstack get secret neutron-db-password -o 
jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/neutron" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.neutron.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ - --set conf.neutron.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ - --set conf.plugins.ml2_conf.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ - --set conf.plugins.ml2_conf.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args neutron/base -``` +!!! example "Run the Neutron deployment Script `bin/install-neutron.sh`" + + ``` shell + --8<-- "bin/install-neutron.sh" + ``` !!! tip diff --git a/docs/openstack-compute-kit-nova.md b/docs/openstack-compute-kit-nova.md index 10b8a535..fdd83719 100644 --- a/docs/openstack-compute-kit-nova.md +++ b/docs/openstack-compute-kit-nova.md 
@@ -1,35 +1,10 @@ # Deploy Nova -``` shell -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install nova ./nova \ - --namespace=openstack \ - --timeout 120m \ - -f /etc/genestack/helm-configs/nova/nova-helm-overrides.yaml \ - --set conf.nova.neutron.metadata_proxy_shared_secret="$(kubectl --namespace openstack get secret metadata-shared-secret -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.nova.password="$(kubectl --namespace openstack get secret nova-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db_api.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db_api.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set 
endpoints.oslo_db_cell0.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db_cell0.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.nova.database.slave_connection="mysql+pymysql://nova:$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova" \ - --set conf.nova.api_database.slave_connection="mysql+pymysql://nova:$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova_api" \ - --set conf.nova.cell0_database.slave_connection="mysql+pymysql://nova:$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova_cell0" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.nova.password="$(kubectl --namespace openstack get secret nova-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set network.ssh.public_key="$(kubectl -n openstack get secret nova-ssh-keypair -o jsonpath='{.data.public_key}' | base64 -d)"$'\n' \ - --set network.ssh.private_key="$(kubectl -n openstack get secret nova-ssh-keypair -o jsonpath='{.data.private_key}' | base64 -d)"$'\n' \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args nova/base -``` +!!! example "Run the Nova deployment Script `bin/install-nova.sh`" + + ``` shell + --8<-- "bin/install-nova.sh" + ``` !!! tip diff --git a/docs/openstack-compute-kit-placement.md b/docs/openstack-compute-kit-placement.md index ef31b1e9..e17f2a63 100644 
--- a/docs/openstack-compute-kit-placement.md +++ b/docs/openstack-compute-kit-placement.md @@ -1,21 +1,10 @@ # Deploy Placement -``` shell -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install placement ./placement --namespace=openstack \ - --namespace=openstack \ - --timeout 120m \ - -f /etc/genestack/helm-configs/placement/placement-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.placement.password="$(kubectl --namespace openstack get secret placement-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.placement.placement_database.slave_connection="mysql+pymysql://placement:$(kubectl --namespace openstack get secret placement-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/placement" \ - --set endpoints.oslo_db.auth.nova_api.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args placement/base -``` +!!! example "Run the Placement deployment Script `bin/install-placement.sh`" + + ``` shell + --8<-- "bin/install-placement.sh" + ``` ## Custom Listeners diff --git a/docs/openstack-glance.md b/docs/openstack-glance.md index 6304ee62..7da31b92 100644 --- a/docs/openstack-glance.md +++ b/docs/openstack-glance.md 
@@ -32,24 +32,11 @@ OpenStack Glance is the image service within the OpenStack ecosystem, responsibl ## Run the package deployment -``` shell -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install glance ./glance \ - --namespace=openstack \ - --wait \ - --timeout 120m \ - -f /etc/genestack/helm-configs/glance/glance-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.glance.password="$(kubectl --namespace openstack get secret glance-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.glance.password="$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.glance.database.slave_connection="mysql+pymysql://glance:$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/glance" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.glance.password="$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args glance/base -``` +!!! example "Run the Glance deployment Script `bin/install-glance.sh`" + + ``` shell + --8<-- "bin/install-glance.sh" + ``` !!! tip diff --git a/docs/openstack-gnocchi.md b/docs/openstack-gnocchi.md index b0316ceb..8d4defdb 100644 --- a/docs/openstack-gnocchi.md +++ b/docs/openstack-gnocchi.md 
@@ -144,23 +144,11 @@ gnocchi-metricd). ## Run the package deployment -``` shell -cd /opt/genestack/submodules/openstack-helm-infra -helm upgrade --install gnocchi ./gnocchi \ - --namespace=openstack \ - --wait \ - --timeout 10m \ - -f /etc/genestack/helm-configs/gnocchi/gnocchi-helm-overrides.yaml \ - --set conf.ceph.admin_keyring="$(kubectl get secret --namespace rook-ceph rook-ceph-admin-keyring -o jsonpath='{.data.keyring}' | base64 -d)" \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db_postgresql.auth.admin.password="$(kubectl --namespace openstack get secret postgresql-db-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db_postgresql.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-pgsql-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args gnocchi/base -``` +!!! example "Run the Gnocchi deployment Script `bin/install-gnocchi.sh`" + + ``` shell + --8<-- "bin/install-gnocchi.sh" + ``` !!! tip diff --git a/docs/openstack-heat.md b/docs/openstack-heat.md index a4531d60..2a8372e5 100644 --- a/docs/openstack-heat.md +++ b/docs/openstack-heat.md 
@@ -36,25 +36,11 @@ OpenStack Heat is the orchestration service within the OpenStack ecosystem, desi ## Run the package deployment -``` shell -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install heat ./heat \ - --namespace=openstack \ - --timeout 120m \ - -f /etc/genestack/helm-configs/heat/heat-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.heat.password="$(kubectl --namespace openstack get secret heat-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.heat_trustee.password="$(kubectl --namespace openstack get secret heat-trustee -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.identity.auth.heat_stack_user.password="$(kubectl --namespace openstack get secret heat-stack-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.heat.password="$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.heat.database.slave_connection="mysql+pymysql://heat:$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/heat" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.heat.password="$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args heat/base -``` +!!! 
example "Run the Heat deployment Script `bin/install-heat.sh`" + + ``` shell + --8<-- "bin/install-heat.sh" + ``` !!! tip diff --git a/docs/openstack-horizon.md b/docs/openstack-horizon.md index b3323a75..f69bd222 100644 --- a/docs/openstack-horizon.md +++ b/docs/openstack-horizon.md @@ -24,21 +24,11 @@ OpenStack Horizon is the web-based dashboard for the OpenStack ecosystem, provid ## Run the package deployment -``` shell -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install horizon ./horizon \ - --namespace=openstack \ - --wait \ - --timeout 120m \ - -f /etc/genestack/helm-configs/horizon/horizon-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.horizon.local_settings.config.horizon_secret_key="$(kubectl --namespace openstack get secret horizon-secret-key -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.horizon.password="$(kubectl --namespace openstack get secret horizon-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args horizon/base -``` +!!! example "Run the Horizon deployment Script `bin/install-horizon.sh`" + + ``` shell + --8<-- "bin/install-horizon.sh" + ``` !!! tip diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md index 4192bafd..04b7df46 100644 --- a/docs/openstack-keystone.md +++ b/docs/openstack-keystone.md 
@@ -32,23 +32,11 @@ OpenStack Keystone is the identity service within the OpenStack ecosystem, servi ## Run the package deployment -``` shell -cd /opt/genestack/submodules/openstack-helm - -helm upgrade --install keystone ./keystone \ - --namespace=openstack \ - --wait \ - --timeout 120m \ - -f /etc/genestack/helm-configs/keystone/keystone-helm-overrides.yaml \ - --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \ - --set conf.keystone.database.slave_connection="mysql+pymysql://keystone:$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/keystone" \ - --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_messaging.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ - --post-renderer /etc/genestack/kustomize/kustomize.sh \ - --post-renderer-args keystone/base -``` +!!! example "Run the Keystone deployment Script `bin/install-keystone.sh`" + + ``` shell + --8<-- "bin/install-keystone.sh" + ``` !!! tip diff --git a/docs/openstack-magnum.md b/docs/openstack-magnum.md index 621661b5..337f4241 100644 --- a/docs/openstack-magnum.md +++ b/docs/openstack-magnum.md 
@@ -32,22 +32,11 @@ OpenStack Magnum is the container orchestration service within the OpenStack eco
 ## Run the package deployment
-``` shell
-cd /opt/genestack/submodules/openstack-helm
-
-helm upgrade --install magnum ./magnum \
- --namespace=openstack \
- --timeout 120m \
- -f /etc/genestack/helm-configs/magnum/magnum-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
- --post-renderer /etc/genestack/kustomize/kustomize.sh \
- --post-renderer-args magnum/base
-```
+!!! example "Run the Magnum deployment Script `bin/install-magnum.sh`"
+
+ ``` shell
+ --8<-- "bin/install-magnum.sh"
+ ```
 !!! tip
diff --git a/docs/openstack-octavia.md b/docs/openstack-octavia.md
index b08cdfb5..bc02da98 100644
--- a/docs/openstack-octavia.md
+++ b/docs/openstack-octavia.md
@@ -32,26 +32,11 @@ OpenStack Octavia is the load balancing service within the OpenStack ecosystem,
 ## Run the package deployment
-``` shell
-cd /opt/genestack/submodules/openstack-helm
-
-helm upgrade --install octavia ./octavia \
- --namespace=openstack \
- --timeout 120m \
- -f /etc/genestack/helm-configs/octavia/octavia-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set conf.octavia.database.slave_connection="mysql+pymysql://octavia:$(kubectl --namespace openstack get secret octavia-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/octavia" \
- --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set conf.octavia.certificates.ca_private_key_passphrase="$(kubectl --namespace openstack get secret octavia-certificates -o jsonpath='{.data.password}' | base64 -d)" \
- --set conf.octavia.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \
- --set conf.octavia.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \
- --post-renderer /etc/genestack/kustomize/kustomize.sh \
- --post-renderer-args octavia/base
-```
+!!! example "Run the Octavia deployment Script `bin/install-octavia.sh`"
+
+ ``` shell
+ --8<-- "bin/install-octavia.sh"
+ ```
 !!! tip
diff --git a/docs/prometheus.md b/docs/prometheus.md
index 583bfe4b..d5946695 100644
--- a/docs/prometheus.md
+++ b/docs/prometheus.md
@@ -1,27 +1,47 @@
 # Prometheus
-We are taking advantage of the prometheus community kube-prometheus-stack as well as other various components for monitoring and alerting. For more information take a look at [Prometheus Kube Stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack)
+We are taking advantage of the prometheus community kube-prometheus-stack as
+well as other various components for monitoring and alerting. For more
+information, take a look at [Prometheus Kube Stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack).
-#### Install kube-prometheus-stack helm chart
+!!! tip
-## Update Alertmanager configurations
+ You may need to provide custom values to configure prometheus. For a simple
+ single region or lab deployment you can supply an additional overrides flag
+ using the example found at `base-helm-configs/aio-example-openstack-overrides.yaml`.
+ In other cases such as a multi-region deployment you may want to view the
+ [Multi-Region Support](multi-region-support.md) guide to for a workflow
+ solution.
-Currently you can supply a Teams webhook url to send all current alerts to a teams channel. This section will be updated to be more comprehensive in the future...
+## Install the Prometheus Stack
-!!! tip
+!!! example "Run the Prometheus deployment Script `bin/install-prometheus.sh`"
- You can ignore this step if you don't want to send alerts to teams, the alertmanager will still deploy and provide information
+ ``` shell
+ --8<-- "bin/install-prometheus.sh"
+ ```
-``` shell
-webhook_url='https://my.webhook.example'
-sed -i -e "s#https://webhook_url.example#$webhook_url#" /etc/genestack/kustomize/prometheus/alertmanager_config.yaml
-```
+!!! success
-## Install the prometheus stack
+ If the installation is successful, you should see the related exporter pods
+ in the prometheus namespace.
+ ``` shell
+ kubectl -n prometheus get pods -l "release=prometheus"
+ ```
-``` shell
-kubectl kustomize --enable-helm /etc/genestack/kustomize/prometheus | kubectl apply --server-side -f -
-```
+## Update Alertmanager Configuration
-!!! success
- If the installation is successful, you should see the related exporter pods in the prometheus namespace.
+In this example, we supply a Teams webhook URL to send all open alerts to a
+teams channel. However, there are a plethora of other receivers available.
+For a full list, review prometheus documentation: [receiver-integration-settings](https://prometheus.io/docs/alerting/latest/configuration/#receiver-integration-settings).
+
+!!! example
+
+ You can ignore this step if you don't want to send alerts to Teams, the
+ alertmanager will still deploy and provide information.
+
+ ``` shell
+ read -p "webhook_url: " webhook_url;
+ sed -i -e "s#https://webhook_url.example#$webhook_url#" \
+ /etc/genestack/helm-configs/prometheus/alertmanager_config.yaml
+ ```
diff --git a/scripts/openstack-run-all.sh b/scripts/openstack-run-all.sh
deleted file mode 100644
index 7c099389..00000000
--- a/scripts/openstack-run-all.sh
+++ /dev/null
@@ -1,155 +0,0 @@
-#!/bin/bash
-cd /opt/genestack/submodules/openstack-helm || exit
-
-helm upgrade --install keystone ./keystone \
- --namespace=openstack \
- --wait \
- --timeout 120m \
- -f /opt/genestack/base-helm-configs/keystone/keystone-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
- --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
- --post-renderer-args keystone/base &
-
-helm upgrade --install glance ./glance \
- --namespace=openstack \
- --wait \
- --timeout 120m \
- -f /opt/genestack/base-helm-configs/glance/glance-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.glance.password="$(kubectl --namespace openstack get secret glance-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.glance.password="$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.glance.password="$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
- --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
- --post-renderer-args glance/base &
-
-helm upgrade --install heat ./heat \
- --namespace=openstack \
- --timeout 120m \
- -f /opt/genestack/base-helm-configs/heat/heat-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.heat.password="$(kubectl --namespace openstack get secret heat-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.heat_trustee.password="$(kubectl --namespace openstack get secret heat-trustee -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.heat_stack_user.password="$(kubectl --namespace openstack get secret heat-stack-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.heat.password="$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.heat.password="$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
- --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
- --post-renderer-args heat/base &
-
-helm upgrade --install cinder ./cinder \
- --namespace=openstack \
- --wait \
- --timeout 120m \
- -f /opt/genestack/base-helm-configs/cinder/cinder-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
- --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
- --post-renderer-args cinder/base &
-
-helm upgrade --install neutron ./neutron \
- --namespace=openstack \
- --timeout 120m \
- -f /opt/genestack/base-helm-configs/neutron/neutron-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.nova.password="$(kubectl --namespace openstack get secret nova-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.designate.password="$(kubectl --namespace openstack get secret designate-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set conf.neutron.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \
- --set conf.neutron.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \
- --set conf.plugins.ml2_conf.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \
- --set conf.plugins.ml2_conf.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \
- --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
- --post-renderer-args neutron/base &
-
-helm upgrade --install nova ./nova \
- --namespace=openstack \
- --timeout 120m \
- -f /opt/genestack/base-helm-configs/nova/nova-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.nova.password="$(kubectl --namespace openstack get secret nova-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.neutron.password="$(kubectl --namespace openstack get secret neutron-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.cinder.password="$(kubectl --namespace openstack get secret cinder-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db_api.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db_api.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db_cell0.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db_cell0.auth.nova.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.nova.password="$(kubectl --namespace openstack get secret nova-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
- --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
- --post-renderer-args nova/base &
-
-helm upgrade --install placement ./placement --namespace=openstack \
- --namespace=openstack \
- --timeout 120m \
- -f /opt/genestack/base-helm-configs/placement/placement-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.placement.password="$(kubectl --namespace openstack get secret placement-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.placement.password="$(kubectl --namespace openstack get secret placement-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.nova_api.password="$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
- --post-renderer-args placement/base &
-
-helm upgrade --install barbican ./barbican \
- --namespace=openstack \
- --wait \
- --timeout 120m \
- -f /etc/genestack/helm-configs/barbican/barbican-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
- --post-renderer /etc/genestack/kustomize/kustomize.sh \
- --post-renderer-args barbican/base &
-
-helm upgrade --install octavia ./octavia \
- --namespace=openstack \
- --wait \
- --timeout 120m \
- -f /opt/genestack/base-helm-configs/octavia/octavia-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.identity.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_messaging.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
- --set conf.octavia.certificates.ca_private_key_passphrase="$(kubectl --namespace openstack get secret octavia-certificates -o jsonpath='{.data.password}' | base64 -d)" \
- --set conf.octavia.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \
- --set conf.octavia.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \
- --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
- --post-renderer-args octavia/base &
-
-helm upgrade --install horizon ./horizon \
- --namespace=openstack \
- --wait \
- --timeout 120m \
- -f /opt/genestack/base-helm-configs/horizon/horizon-helm-overrides.yaml \
- --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set conf.horizon.local_settings.config.horizon_secret_key="$(kubectl --namespace openstack get secret horizon-secrete-key -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.horizon.password="$(kubectl --namespace openstack get secret horizon-db-password -o jsonpath='{.data.password}' | base64 -d)" \
- --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
- --post-renderer-args horizon/base &