diff --git a/apps/appsets/understack.yaml b/apps/appsets/understack.yaml new file mode 100644 index 000000000..75734f082 --- /dev/null +++ b/apps/appsets/understack.yaml 
@@ -0,0 +1,565 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: openstack +spec: + sourceRepos: + - '*' + destinations: + # make sure our operators don't install in the wrong place + - namespace: 'openstack' + server: '*' + - namespace: 'argo-events' + server: '*' + clusterResourceWhitelist: + - group: '*' + kind: '*' +--- +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: understack-operators +spec: + sourceRepos: + - '*' + destinations: + # make sure our operators don't install in the wrong place + - namespace: 'cert-manager' + server: '*' + - namespace: 'rabbitmq-system' + server: '*' + - namespace: 'mariadb-operator' + server: '*' + - namespace: 'cnpg-system' + server: '*' + - namespace: 'external-secrets' + server: '*' + - namespace: 'rook-ceph' + server: '*' + clusterResourceWhitelist: + - group: '*' + kind: '*' +--- +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: understack +spec: + sourceRepos: + - '*' + destinations: + - namespace: 'argo' + server: '*' + - namespace: 'argo-events' + server: '*' + - namespace: 'cert-manager' + server: '*' + - namespace: 'dex' + server: '*' + - namespace: 'nautobot' + server: '*' + - namespace: 'undersync' + server: '*' + - namespace: 'openstack' + server: '*' + clusterResourceWhitelist: + - group: '*' + kind: '*' +--- +apiVersion: argoproj.io/v1alpha1 +kind: ApplicationSet +metadata: + name: understack + namespace: argocd +spec: + syncPolicy: + applicationsSync: create-update + goTemplate: true + goTemplateOptions: ["missingkey=error"] + generators: + - matrix: + generators: + - clusters: + selector: + matchExpressions: + - key: understack.rackspace.com/role + operator: In + values: + - "global" + - "regional" + - "aio" + values: + uc_skip_components: '{{ default "[]" (index .metadata.annotations "uc_skip_components") }}' + uc_repo_git_url: '{{index .metadata.annotations "uc_repo_git_url"}}' + uc_repo_ref: '{{index .metadata.annotations 
"uc_repo_ref"}}' + uc_deploy_git_url: '{{index .metadata.annotations "uc_deploy_git_url"}}' + uc_deploy_ref: '{{index .metadata.annotations "uc_deploy_ref"}}' + uc_role: '{{index .metadata.labels "understack.rackspace.com/role"}}' + uc_dns_zone: '{{index .metadata.annotations "dns_zone" }}' + uc_cluster_issuer: '{{index .metadata.annotations "uc_cluster_issuer" }}' + uc_global_dns_zone: '{{index .metadata.annotations "uc_global_dns_zone" }}' + - list: + elements: + - component: cert-manager + componentProject: understack-operators + skipComponent: '{{has "cert-manager" (.values.uc_skip_components | fromJson)}}' + sources: + - repoURL: https://charts.jetstack.io + chart: cert-manager + targetRevision: '1.15.2' + helm: + releaseName: cert-manager + valuesObject: + crds: + enabled: true + - component: mariadb-operator + componentProject: understack-operators + skipComponent: '{{has "mariadb-operator" (.values.uc_skip_components | fromJson)}}' + sources: + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'operators/mariadb-operator' + - component: rabbitmq-system + componentProject: understack-operators + skipComponent: '{{has "rabbitmq-system" (.values.uc_skip_components | fromJson)}}' + sources: + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'operators/rabbitmq-system' + - component: cnpg-system + componentProject: understack-operators + skipComponent: '{{or (has "cnpg-system" (.values.uc_skip_components | fromJson)) (eq "regional" .values.uc_role)}}' + sources: + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'operators/cnpg-system' + - component: external-secrets + componentProject: understack-operators + skipComponent: '{{has "external-secrets" (.values.uc_skip_components | fromJson)}}' + sources: + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 
'operators/external-secrets' + - component: rook + componentNamespace: rook-ceph + componentProject: understack-operators + skipComponent: '{{or (has "rook" (.values.uc_skip_components | fromJson)) (eq "global" .values.uc_role)}}' + sources: + - repoURL: https://charts.rook.io/release + chart: rook-ceph + targetRevision: v1.15.0 + helm: + releaseName: rook-ceph + valueFiles: + - $understack/operators/rook/values-operator.yaml + - $deploy/{{.name}}/helm-configs/rook-operator.yaml + ignoreMissingValueFiles: true + - repoURL: https://charts.rook.io/release + chart: rook-ceph-cluster + targetRevision: v1.15.0 + helm: + releaseName: rook-ceph-cluster + valueFiles: + - $understack/operators/rook/values-cluster.yaml + - $deploy/{{.name}}/helm-configs/rook-cluster.yaml + ignoreMissingValueFiles: true + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'operators/rook' + ref: understack + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + ref: deploy + - component: understack-cluster-issuer + componentNamespace: cert-manager + componentProject: understack + skipComponent: '{{has "understack-cluster-issuer" (.values.uc_skip_components | fromJson)}}' + sources: + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/cert-manager' + - component: dex + componentProject: understack + skipComponent: '{{or (has "dex" (.values.uc_skip_components | fromJson)) (eq "regional" .values.uc_role)}}' + sources: + - repoURL: https://charts.dexidp.io + chart: dex + targetRevision: 0.16.0 + helm: + releaseName: dex + valuesObject: + config: + issuer: 'https://dex.{{ .values.uc_dns_zone }}' + env: + DNS_ZONE: '{{ .values.uc_dns_zone }}' + + ingress: + hosts: + - host: 'dex.{{ .values.uc_dns_zone }}' + paths: + - path: / + pathType: ImplementationSpecific + tls: + - secretName: dex-ingress-tls + hosts: + - 'dex.{{ .values.uc_dns_zone }}' 
+ valueFiles: + - $understack/components/dex/values.yaml + - $deploy/{{.name}}/helm-configs/dex.yaml + ignoreMissingValueFiles: true + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'components/dex' + ref: understack + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + ref: deploy + path: '{{.name}}/manifests/dex' + - component: openstack + skipComponent: '{{has "openstack" (.values.uc_skip_components | fromJson)}}' + sources: + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'components/openstack' + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/openstack' + - component: keystone + componentNamespace: openstack + componentProject: openstack + skipComponent: '{{or (has "keystone" (.values.uc_skip_components | fromJson)) (eq "regional" .values.uc_role)}}' + sources: + - repoURL: https://tarballs.opendev.org/openstack/openstack-helm + chart: keystone + targetRevision: 0.3.17 + helm: + releaseName: keystone + valueFiles: + - $understack/components/openstack-2024.2-jammy.yaml + - $understack/components/keystone/aio-values.yaml + - $deploy/{{.name}}/manifests/secret-openstack.yaml + - $deploy/{{.name}}/helm-configs/keystone.yaml + ignoreMissingValueFiles: true + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: components/keystone/ + ref: understack + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/keystone' + ref: deploy + ignoreDifferences: + - kind: Secret + name: keystone-fernet-keys + jqPathExpressions: + - .data + - kind: Secret + name: keystone-credential-keys + jqPathExpressions: + - .data + - component: horizon + componentNamespace: openstack + componentProject: openstack + skipComponent: '{{or (has "horizon" 
(.values.uc_skip_components | fromJson)) (eq "regional" .values.uc_role)}}' + sources: + - repoURL: https://tarballs.opendev.org/openstack/openstack-helm + chart: horizon + targetRevision: 0.3.17 + helm: + releaseName: horizon + valueFiles: + - $understack/components/openstack-2024.2-jammy.yaml + - $understack/components/horizon/aio-values.yaml + - $deploy/{{.name}}/manifests/secret-openstack.yaml + - $deploy/{{.name}}/helm-configs/horizon.yaml + ignoreMissingValueFiles: true + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: components/horizon/ + ref: understack + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/horizon' + ref: deploy + - component: ironic + componentNamespace: openstack + componentProject: openstack + skipComponent: '{{or (has "ironic" (.values.uc_skip_components | fromJson)) (eq "global" .values.uc_role)}}' + sources: + - repoURL: https://tarballs.opendev.org/openstack/openstack-helm + chart: ironic + targetRevision: 0.3.17 + helm: + releaseName: ironic + valueFiles: + - $understack/components/openstack-2024.2-jammy.yaml + - $understack/components/ironic/aio-values.yaml + - $deploy/{{.name}}/manifests/secret-openstack.yaml + - $deploy/{{.name}}/helm-configs/ironic.yaml + ignoreMissingValueFiles: true + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: components/ironic/ + ref: understack + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/ironic' + ref: deploy + - component: placement + componentNamespace: openstack + componentProject: openstack + skipComponent: '{{or (has "placement" (.values.uc_skip_components | fromJson)) (eq "global" .values.uc_role)}}' + sources: + - repoURL: https://tarballs.opendev.org/openstack/openstack-helm + chart: placement + targetRevision: 0.3.17 + helm: + releaseName: placement 
+ valueFiles: + - $understack/components/openstack-2024.2-jammy.yaml + - $understack/components/placement/{{.values.uc_role}}-values.yaml + - $deploy/{{.name}}/manifests/secret-openstack.yaml + - $deploy/{{.name}}/helm-configs/placement.yaml + ignoreMissingValueFiles: true + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: components/placement/ + ref: understack + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/placement' + ref: deploy + - component: neutron + componentNamespace: openstack + componentProject: openstack + skipComponent: '{{or (has "neutron" (.values.uc_skip_components | fromJson)) (eq "global" .values.uc_role)}}' + sources: + - repoURL: https://tarballs.opendev.org/openstack/openstack-helm + chart: neutron + targetRevision: 0.3.17 + helm: + releaseName: neutron + valueFiles: + - $understack/components/openstack-2024.2-jammy.yaml + - $understack/components/neutron/{{.values.uc_role}}-values.yaml + - $deploy/{{.name}}/manifests/secret-openstack.yaml + - $deploy/{{.name}}/helm-configs/neutron.yaml + ignoreMissingValueFiles: true + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: components/neutron/ + ref: understack + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/neutron' + ref: deploy + - component: glance + componentNamespace: openstack + componentProject: openstack + skipComponent: '{{or (has "glance" (.values.uc_skip_components | fromJson)) (eq "global" .values.uc_role)}}' + sources: + - repoURL: https://tarballs.opendev.org/openstack/openstack-helm + chart: glance + targetRevision: 0.3.17 + helm: + releaseName: glance + valueFiles: + - $understack/components/openstack-2024.2-jammy.yaml + - $understack/components/glance/aio-values.yaml + - $deploy/{{.name}}/manifests/secret-openstack.yaml + - 
$deploy/{{.name}}/helm-configs/glance.yaml + ignoreMissingValueFiles: true + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: components/glance/ + ref: understack + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/glance' + ref: deploy + - component: nova + componentNamespace: openstack + componentProject: openstack + skipComponent: '{{or (has "nova" (.values.uc_skip_components | fromJson)) (eq "global" .values.uc_role)}}' + sources: + - repoURL: https://tarballs.opendev.org/openstack/openstack-helm + chart: nova + targetRevision: 0.3.17 + helm: + releaseName: nova + valueFiles: + - $understack/components/openstack-2024.2-jammy.yaml + - $understack/components/nova/{{.values.uc_role}}-values.yaml + - $deploy/{{.name}}/manifests/secret-openstack.yaml + - $deploy/{{.name}}/helm-configs/nova.yaml + ignoreMissingValueFiles: true + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: components/nova/ + ref: understack + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/nova' + ref: deploy + - component: nautobot + componentProject: understack + skipComponent: '{{or (has "nautobot" (.values.uc_skip_components | fromJson)) (eq "regional" .values.uc_role)}}' + sources: + - repoURL: https://nautobot.github.io/helm-charts/ + chart: nautobot + targetRevision: 2.1.3 + helm: + releaseName: nautobot + valuesObject: + ingress: + hostname: 'nautobot.{{ .values.uc_dns_zone }}' + valueFiles: + - $understack/components/nautobot/values.yaml + - $deploy/{{.name}}/helm-configs/nautobot.yaml + ignoreMissingValueFiles: true + fileParameters: + - name: nautobot.config + # until ArgoCD 2.13.0 is released we cannot use a reference + # path: $understack/components/nautobot/nautobot_config.py + path: 'https://raw.githubusercontent.com/rackerlabs/understack/{{ 
.values.uc_repo_ref }}/components/nautobot/nautobot_config.py' + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'components/nautobot' + ref: understack + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/nautobot' + ref: deploy + - component: undersync + componentProject: understack + skipComponent: '{{or (has "undersync" (.values.uc_skip_components | fromJson)) (eq "regional" .values.uc_role)}}' + sources: + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'components/undersync' + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/undersync' + - component: argo + componentProject: understack + skipComponent: '{{or (has "argo" (.values.uc_skip_components | fromJson)) (eq "global" .values.uc_role)}}' + sources: + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'components/argo' + kustomize: + patches: + - target: + kind: ConfigMap + name: workflow-controller-configmap + patch: |- + - op: replace + path: /data/sso + value: |- + # This is the root URL of the OIDC provider (required). + issuer: https://dex.{{ default .values.uc_dns_zone .values.uc_global_dns_zone }} + # This defines how long your login is valid for (in hours). (optional) + # If omitted, defaults to 10h. Example below is 10 days. + sessionExpiry: 240h + # This is name of the secret and the key in it that contain OIDC client + # ID issued to the application by the provider (required). + clientId: + name: argo-sso + key: client-id + # This is name of the secret and the key in it that contain OIDC client + # secret issued to the application by the provider (required). + clientSecret: + name: argo-sso + key: client-secret + # This is the redirect URL supplied to the provider (optional). 
It must + # be in the form /oauth2/callback. It must be + # browser-accessible. If omitted, will be automatically generated. + redirectUrl: https://workflows.{{ .values.uc_dns_zone }}/oauth2/callback + # Additional scopes to request. Typically needed for SSO RBAC. >= v2.12 + scopes: + - groups + - email + - profile + # RBAC Config. >= v2.12 + rbac: + enabled: false + - target: + kind: Ingress + name: argo-workflows + patch: |- + - op: replace + path: /metadata/annotations/cert-manager.io~1cluster-issuer + value: {{ default "understack-cluster-issuer" .values.uc_cluster_issuer }} + - op: replace + path: /spec/rules/0/host + value: workflows.{{ .values.uc_dns_zone }} + - op: replace + path: /spec/tls/0/hosts/0 + value: workflows.{{ .values.uc_dns_zone }} + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/argo' + - component: dex-regional + componentProject: understack + componentNamespace: dex + skipComponent: '{{or (has "dex" (.values.uc_skip_components | fromJson)) (ne "regional" .values.uc_role)}}' + sources: + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/dex' + - component: argo-events + componentProject: understack + skipComponent: '{{or (has "argo-events" (.values.uc_skip_components | fromJson)) (eq "global" .values.uc_role)}}' + sources: + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'components/argo-events' + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + path: '{{.name}}/manifests/argo-events' + - component: understack-workflows + componentProject: understack + componentNamespace: argo-events + skipComponent: '{{or (has "understack-workflows" (.values.uc_skip_components | fromJson)) (eq "global" .values.uc_role)}}' + sources: + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref 
}}' + path: 'workflows' + + selector: + # by setting the key in the elements 'skipComponent' to 'true' it will skip installing it + # ArgoCD's templating operates with strings so it's the string "true" + matchExpressions: + - key: skipComponent + operator: NotIn + values: + - "true" + template: + metadata: + name: '{{.name}}-{{.component}}' + finalizers: + - resources-finalizer.argocd.argoproj.io + spec: + project: '{{coalesce (get . "componentProject") .component}}' + destination: + server: '{{.server}}' + namespace: '{{coalesce (get . "componentNamespace") .component}}' + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + - RespectIgnoreDifferences=true + templatePatch: | + spec: + sources: + {{- range $source := .sources }} + # indentation matters so collapse to single line with toJson to keep it + - {{ $source | toJson }} + {{- end }} + {{- if hasKey . "ignoreDifferences" }} + # indentation matters so collapse to single line with toJson to keep it + ignoreDifferences: {{ .ignoreDifferences | toJson }} + {{- end }} diff --git a/components/argo/kustomization.yaml b/components/argo/kustomization.yaml index 31371a9ae..f4a17fa98 100644 --- a/components/argo/kustomization.yaml +++ b/components/argo/kustomization.yaml @@ -25,7 +25,6 @@ patches: - --namespaced - --managed-namespace - argo-events - - target: # configure the workflow controller to monitor the argo-events namespace group: apps version: v1 diff --git a/components/dex/ingress.yaml b/components/dex/ingress.yaml deleted file mode 100644 index 082da7aea..000000000 --- a/components/dex/ingress.yaml +++ /dev/null 
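Review bot: All three AppProjects grant `sourceRepos: ['*']` together with `clusterResourceWhitelist: group '*' / kind '*'`, which undercuts the inline comment "make sure our operators don't install in the wrong place": any Application placed in these projects may pull from any repository and create cluster-scoped resources (CRDs, ClusterRoles, webhooks), and the repository URLs themselves are read from cluster-secret annotations (`uc_repo_git_url`, `uc_deploy_git_url`). Consider listing only the chart sources actually used in this file (charts.jetstack.io, charts.rook.io, charts.dexidp.io, tarballs.opendev.org, nautobot.github.io) plus the two git URLs, and narrowing the cluster-resource whitelist per project to the kinds its components need. Separately, the nautobot `fileParameters` entry fetches `nautobot_config.py` — Python that Nautobot executes — from a hard-coded `raw.githubusercontent.com/rackerlabs/understack/...` URL rather than from `uc_repo_git_url`, so a deployment pointed at a fork or mirror silently runs upstream's config and a branch-valued `uc_repo_ref` makes the fetch non-reproducible; the existing comment should state that limitation and the ref should be pinned where possible. In the `argo` SSO patch, `rbac: enabled: false` deserves a comment such as `# SSO RBAC disabled: per Argo Workflows docs every OIDC-authenticated user then acts with the argo-server service account's permissions`, so the permission model is visible next to the setting.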
@@ -1,24 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: dex - annotations: - cert-manager.io/cluster-issuer: understack-cluster-issuer - nginx.ingress.kubernetes.io/backend-protocol: HTTP -spec: - ingressClassName: nginx - rules: - - host: dex.DNS_ZONE - http: - paths: - - backend: - service: - name: dex - port: - number: 5556 - path: / - pathType: Prefix - tls: - - hosts: - - dex.DNS_ZONE - secretName: dex-ingress-tls diff --git a/components/dex/kustomization.yaml b/components/dex/kustomization.yaml index 5a27ef5a7..728e10845 100644 --- a/components/dex/kustomization.yaml +++ b/components/dex/kustomization.yaml @@ -3,4 +3,3 @@ kind: Kustomization resources: - secretstore-dex.yaml - - ingress.yaml diff --git a/components/dex/values.yaml b/components/dex/values.yaml index f1ea2a572..afa2fd17f 100644 --- a/components/dex/values.yaml +++ b/components/dex/values.yaml @@ -110,3 +110,9 @@ envVars: secretKeyRef: name: grafana-sso key: client-secret + +ingress: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: understack-cluster-issuer diff --git a/components/neutron/regional-values.yaml b/components/neutron/regional-values.yaml new file mode 100644 index 000000000..b2c5e70d7 --- /dev/null +++ b/components/neutron/regional-values.yaml 
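Review bot: The new `ingress.annotations` block in components/dex/values.yaml hard-codes `cert-manager.io/cluster-issuer: understack-cluster-issuer`, while the ApplicationSet added in this same commit makes the issuer overridable for argo via `{{ default "understack-cluster-issuer" .values.uc_cluster_issuer }}`; a cluster that sets the `uc_cluster_issuer` annotation would get the configurable issuer on argo but the fixed one on dex. Since a chart values file cannot template that, the override belongs in the dex component's `valuesObject` in the appset, e.g. `ingress:` / `  annotations:` / `    cert-manager.io/cluster-issuer: '{{ default "understack-cluster-issuer" .values.uc_cluster_issuer }}'`, with this file keeping only `enabled` and `className`. The removed components/dex/ingress.yaml also carried `nginx.ingress.kubernetes.io/backend-protocol: HTTP` and `pathType: Prefix`, neither of which this block or the appset's `ingress` values (`pathType: ImplementationSpecific`) reproduce; if dropping them is intentional, a one-line comment saying so would save the next reader a diff against history.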
@@ -0,0 +1,190 @@
+---
+release_group: null
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ oslo_messaging:
+ statefulset:
+ replicas: 3
+ name: rabbitmq-server
+ hosts:
+ default: rabbitmq-nodes
+ network:
+ port:
+ api:
+ public: 443
+ scheme:
+ public: https
+ host_fqdn_override:
+ public:
+ tls:
+ secretName: neutron-tls-public
+ issuerRef:
+ name: understack-cluster-issuer
+ kind: ClusterIssuer
+
+
+network:
+ # we're using ironic and actual switches
+ backend:
+ - baremetal
+
+ # configure OpenStack Helm to use Undercloud's ingress
+ # instead of expecting the ingress controller provided
+ # by OpenStack Helm
+ use_external_ingress_controller: true
+ server:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ # set our default issuer
+ cert-manager.io/cluster-issuer: understack-cluster-issuer
+
+conf:
+ plugins:
+ ml2_conf:
+ ml2:
+ # set the default ml2 backend to our plugin, neutron_understack
+ mechanism_drivers: understack
+ tenant_network_types: "vxlan,local"
+ type_drivers: "vlan,local,understack_vxlan"
+ neutron:
+ DEFAULT:
+ # the 'trunk' plugin allows for us to create and configure trunk ports to allow
+ # multiple networks to be trunked into the node and let the node apply the VLAN
+ # the 'network_segment_range' plugin allows us to set the allowed VNIs or VLANs
+ # for a given network and let's OpenStack select one from the available pool. We
+ # are also able to see which ones are used from the OpenStack API.
+ service_plugins: "l3_understack,trunk,network_segment_range"
+ # we don't want HA L3 routers. It's a Python value so we need to quote it in YAML.
+ l3_ha: "False"
+ # we aren't using availability zones so having calls attempt to add things to
+ # availability zones won't work.
+ default_availability_zones: ""
+ service_providers:
+ service_provider: "L3_ROUTER_NAT:cisco-asa:neutron_understack.l3_service_cisco_asa.CiscoAsa"
+
+# disable the neutron-ironic-agent from loading a non-existent config
+pod:
+ use_fqdn:
+ neutron_agent: false
+ lifecycle:
+ disruption_budget:
+ server:
+ # this should be set to no more than (pod.replicas.server - 1)
+ # usually set on per-deployment basis.
+ min_available: 0
+ mounts:
+ neutron_server:
+ neutron_server:
+ volumeMounts:
+ - mountPath: /etc/nb-token/
+ name: nb-token
+ readOnly: true
+ - mountPath: /etc/undersync/
+ name: undersync-token
+ readOnly: true
+ volumes:
+ - name: nb-token
+ secret:
+ secretName: nautobot-token
+ - name: undersync-token
+ secret:
+ secretName: undersync-token
+ neutron_rpc_server:
+ neutron_rpc_server:
+ volumeMounts:
+ - mountPath: /etc/nb-token/
+ name: nb-token
+ readOnly: true
+ - mountPath: /etc/undersync/
+ name: undersync-token
+ readOnly: true
+ volumes:
+ - name: nb-token
+ secret:
+ secretName: nautobot-token
+ - name: undersync-token
+ secret:
+ secretName: undersync-token
+# (nicholas.kuechler) updating the jobs list to remove the 'neutron-rabbit-init' job.
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs: null
+ static:
+ db_sync:
+ jobs:
+ dhcp:
+ jobs:
+ l3:
+ jobs:
+ lb_agent:
+ jobs:
+ metadata:
+ jobs:
+ ovs_agent:
+ jobs:
+ server:
+ jobs:
+ - neutron-db-sync
+ - neutron-ks-user
+ - neutron-ks-endpoints
+ rpc_server:
+ jobs:
+ - neutron-db-sync
+ ironic_agent:
+ jobs:
+ - neutron-db-sync
+ - neutron-ks-user
+ - neutron-ks-endpoints
+
+manifests:
+ job_db_init: false
+ job_rabbit_init: false
+ pod_rally_test: false
+ secret_db: false
+ secret_keystone: true
+ daemonset_dhcp_agent: false
+ daemonset_l3_agent: false
+ daemonset_lb_agent: false
+ daemonset_metadata_agent: false
+ daemonset_ovs_agent: false
+ daemonset_sriov_agent: false
+ daemonset_l2gw_agent: false
+ daemonset_bagpipe_bgp: false
+ daemonset_bgp_dragent: false
+ daemonset_netns_cleanup_cron: false
+ deployment_ironic_agent: true
+ service_ingress_server: false
+
+# We don't want to enable OpenStack Helm's
+# helm.sh/hooks because they set them as
+# post-install,post-upgrade which in ArgoCD
+# maps to PostSync. However the deployments
+# and statefulsets in OpenStack Helm
+# depend on the jobs to complete to become
+# healthy. Which they cannot because they are in
+# the post step and not in the main step.
+# Turning this on results in the keys jobs
+# editing the annotation which deletes the item
+# and wipes our keys.
+helm3_hook: false
+
+annotations:
+ job:
+ neutron_db_sync:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ neutron_ks_service:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ neutron_ks_user:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ neutron_ks_endpoints:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
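Review bot: Under `dependencies.static`, the `db_sync`, `dhcp`, `l3`, `lb_agent`, `metadata` and `ovs_agent` entries each end in a bare `jobs:` (YAML null), while `local_image_registry` in the same block writes `jobs: null` explicitly and components/placement/regional-values.yaml in this commit writes `jobs: []`; Helm treats a null override as deleting the key from the merged values whereas `[]` sets an empty list, so the three spellings should not be used interchangeably for the same intent. Suggest `jobs: []` where "no job dependencies" is meant and `jobs: null` only where the chart default must be removed, with a one-line comment stating which, and the same bare `db_sync.jobs:` in components/nova/regional-values.yaml should follow suit. Minor, in the `service_plugins` comment: `let's OpenStack select` should read `lets OpenStack select`.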
diff --git a/components/nova/regional-values.yaml b/components/nova/regional-values.yaml
new file mode 100644
index 000000000..a5fb5a4c6
--- /dev/null
+++ b/components/nova/regional-values.yaml
@@ -0,0 +1,236 @@
+---
+release_group: null
+
+# temporarily set this to the same as the control plane
+labels:
+ agent:
+ compute_ironic:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ oslo_messaging:
+ statefulset:
+ replicas: 3
+ name: rabbitmq-server
+ hosts:
+ default: rabbitmq-nodes
+ compute:
+ port:
+ api:
+ public: 443
+ scheme:
+ public: https
+ host_fqdn_override:
+ public:
+ tls:
+ secretName: nova-tls-public
+ issuerRef:
+ name: understack-cluster-issuer
+ kind: ClusterIssuer
+
+network:
+ # we're using ironic and actual switches
+ backend:
+ - baremetal
+
+ # configure OpenStack Helm to use Undercloud's ingress
+ # instead of expecting the ingress controller provided
+ # by OpenStack Helm
+ use_external_ingress_controller: true
+ osapi:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ # set our default issuer
+ cert-manager.io/cluster-issuer: understack-cluster-issuer
+
+conf:
+ ceph:
+ # ceph is providing block storage to VM creation and is connected via libvirt
+ # we aren't using this so we don't want to enable this part of the chart
+ enabled: false
+ DEFAULT:
+ # We are not wiring up the network to the nova metadata API so we must use
+ # config_drive to pass data. To avoid users having to remember this, just
+ # force it on always.
+ force_config_drive: true
+ nova_ironic:
+ ironic:
+ # this is where we populate our hardware
+ project_domain_name: infra
+ project_name: baremetal
+ nova:
+ quota:
+ # adjust default quotas to make it possible to use baremetal
+ cores: 512
+ ram: 512000
+
+
+console:
+ # we are working with baremetal nodes and not QEMU so we don't need novnc or spice
+ # connected to QEMU
+ console_kind: none
+
+# (nicholas.kuechler) Using custom dependencies in order to
+# prevent the nova-db-init and nova-rabbit-init jobs from running
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs: null
+ static:
+ api:
+ jobs:
+ - nova-db-sync
+ - nova-ks-user
+ - nova-ks-endpoints
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ api_metadata:
+ jobs:
+ - nova-db-sync
+ - nova-ks-user
+ - nova-ks-endpoints
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ bootstrap:
+ services:
+ - endpoint: internal
+ service: compute
+ cell_setup:
+ jobs:
+ - nova-db-sync
+ # remove default dependency to run on the same node as a compute service
+ pod: []
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: compute
+ service_cleaner:
+ jobs:
+ - nova-db-sync
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: compute
+ compute:
+ pod: []
+ jobs:
+ - nova-db-sync
+ compute_ironic:
+ jobs:
+ - nova-db-sync
+ # this chunk is here just to disable waiting on glance/image service
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: compute
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: baremetal
+ conductor:
+ jobs:
+ - nova-db-sync
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: compute
+ archive_deleted_rows:
+ jobs:
+ - nova-db-sync
+ db_sync:
+ jobs:
+ ks_endpoints:
+ jobs:
+ - nova-ks-service
+ services: []
+ ks_service:
+ services: []
+ ks_user:
+ services: []
+ scheduler:
+ jobs:
+ - nova-db-sync
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: compute
+pod:
+ lifecycle:
+ disruption_budget:
+ osapi:
+ # this should be set to no more than (pod.replicas.osapi - 1)
+ # usually set on per-deployment basis.
+ min_available: 0
+
+manifests:
+ job_db_init: false
+ job_rabbit_init: false
+ job_storage_init: false
+ pod_rally_test: false
+ secret_db_api: true
+ secret_db_cell0: true
+ secret_db: true
+ secret_keystone: true
+ service_ingress_metadata: false
+ service_ingress_osapi: false
+ daemonset_compute: false
+ statefulset_compute_ironic: true
+
+# we don't want to enable OpenStack Helm's
+# helm.sh/hooks because they set them as
+# post-install,post-upgrade which in ArgoCD
+# maps to PostSync. However the deployments
+# and statefulsets in OpenStack Helm
+# depend on the jobs to complete to become
+# healthy. Which they cannot because they are in
+# the post step and not in the main step.
+# Turning this on results in the keys jobs
+# editing the annotation which deletes the item
+# and wipes our keys.
+helm3_hook: false
+
+annotations:
+ job:
+ nova_db_sync:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ nova_ks_service:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ nova_ks_user:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ nova_ks_endpoints:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ nova_cell_setup:
+ argocd.argoproj.io/hook: PostSync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ nova_bootstrap:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
diff --git a/components/placement/regional-values.yaml b/components/placement/regional-values.yaml
new file mode 100644
index 000000000..f7a7d47f6
--- /dev/null
+++ b/components/placement/regional-values.yaml
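Review bot: The `labels.agent.compute_ironic` node selector is introduced with `# temporarily set this to the same as the control plane` but nothing says what condition or follow-up would remove it, which is how temporary pins become permanent; suggest `# TODO: move compute_ironic off the control-plane selector once <condition or tracking issue placeholder> is in place`. The `conf.nova.quota` override (`cores: 512`, `ram: 512000`) is documented only as "make it possible to use baremetal"; nova counts `ram` in megabytes, so stating the unit and why these specific ceilings were chosen would help the next operator who has to raise them. The `manifests` block also sets `secret_db: true` while neutron and placement in this commit set it to `false` (presumably because of the api/cell0 databases this chart manages) — a short comment would make the difference look deliberate rather than a copy-paste divergence.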
@@ -0,0 +1,86 @@
+---
+release_group: null
+
+network:
+ # configure OpenStack Helm to use Undercloud's ingress
+ # instead of expecting the ingress controller provided
+ # by OpenStack Helm
+ use_external_ingress_controller: true
+ api:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ # set our default issuer
+ cert-manager.io/cluster-issuer: understack-cluster-issuer
+
+# (nicholas.kuechler) updating the jobs list to remove the 'placement-db-init' job.
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs: null
+ static:
+ db_sync:
+ jobs: []
+ ks_endpoints:
+ services: []
+ ks_service:
+ services: []
+ ks_user:
+ services: []
+
+pod:
+ lifecycle:
+ disruption_budget:
+ api:
+ # this should be set to no more than (pod.replicas.api - 1)
+ # usually set on per-deployment basis.
+ min_available: 0
+
+manifests:
+ job_db_init: false
+ secret_db: false
+ service_ingress: false
+
+# We don't want to enable OpenStack Helm's
+# helm.sh/hooks because they set them as
+# post-install,post-upgrade which in ArgoCD
+# maps to PostSync. However the deployments
+# and statefulsets in OpenStack Helm
+# depend on the jobs to complete to become
+# healthy. Which they cannot because they are in
+# the post step and not in the main step.
+# Turning this on results in the keys jobs
+# editing the annotation which deletes the item
+# and wipes our keys.
+helm3_hook: false
+
+annotations:
+ job:
+ placement_db_sync:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ placement_ks_service:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ placement_ks_user:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ placement_ks_endpoints:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+endpoints:
+ placement:
+ scheme:
+ public: 'https'
+ port:
+ api:
+ public: 443
+ host_fqdn_override:
+ public:
+ tls:
+ secretName: placement-tls-public
+ issuerRef:
+ name: understack-cluster-issuer
+ kind: ClusterIssuer
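Review bot: The `endpoints` stanza sits after `annotations` at the bottom of this file, whereas the sibling neutron and nova regional-values files in this commit open with `endpoints` under a `# typically overridden by environmental values ...` comment; moving it up and reusing that comment keeps the three files diffable against each other and tells the reader that the missing `host` under `host_fqdn_override.public` is expected to come from the deployment repo. Within it, `scheme.public: 'https'` is quoted while neutron and nova write `public: https`; either works, but match one. `dependencies.static.db_sync.jobs: []` is the clearest of the three spellings used across these files for "no job dependencies", so this file should be the model when the others are aligned.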