Add skupper for BKL and keystone to SKMO job#3836

Merged
openshift-merge-bot[bot] merged 1 commit into openstack-k8s-operators:main from vakwetu:skmo-skupper-keystone
Apr 23, 2026

@vakwetu vakwetu commented Apr 7, 2026

[skmo] Add Skupper for cross-region RabbitMQ and Keystone internal routing

Add hook playbooks and configuration to establish Skupper virtual
services for RabbitMQ and Keystone internal endpoints, enabling
cross-region connectivity in the multi-namespace SKMO scenario.

skupper-connector.yaml: query the RabbitMQ TLS secret from the correct
CRD - rabbitmq.openstack.org/v1beta1 (RabbitMq) as used by the
OpenStack infra-operator, not the community rabbitmq.com/v1beta1
(RabbitmqCluster). Add retries to wait for spec.tls.secretName to
be populated before creating the Skupper Connector.

skupper-keystone-connector.yaml: add retries to the KeystoneAPI CR
lookup to wait for spec.tls.api.internal.secretName to be available,
since that field is not populated until Keystone completes TLS setup.

configure-leaf-keystone-internal.yaml: after patching the leaf OSCP
to use the Skupper Keystone virtual service, also create a MetalLB
LoadBalancer Service (keystone-regionone-lb) and a DNSData CR
(keystone-skupper) so that EDPM compute nodes outside the OCP cluster
can resolve and connect to the Keystone auth_url. The Skupper Listener
creates a ClusterIP-only Service that is unreachable from EDPM nodes;
the LoadBalancer Service obtains a MetalLB IP on the leaf internalapi
network and the DNSData entry registers both the short (.svc) and
fully-qualified (.svc.cluster.local) names in the dnsmasq instance
serving those nodes.
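
The wait-then-verify pattern the description above outlines for the RabbitMQ TLS secret, as an added example (not the playbook from this PR): poll the RabbitMq CR until spec.tls.secretName is populated, then confirm the referenced Secret holds certificate material before anything consumes it. The variable names, the CR name, the retry budget and the checked keys (tls.crt, tls.key) are assumptions.

```yaml
# Added example, not the PR's skupper-connector.yaml.
- name: Wait for the RabbitMq CR to publish a usable TLS secret
  hosts: localhost
  gather_facts: false
  vars:
    central_namespace: openstack   # central namespace named on the page
    rabbitmq_cr_name: rabbitmq     # assumed CR name
  tasks:
    - name: Poll the RabbitMq CR until spec.tls.secretName is populated
      kubernetes.core.k8s_info:
        api_version: rabbitmq.openstack.org/v1beta1   # infra-operator CRD, not rabbitmq.com
        kind: RabbitMq
        namespace: "{{ central_namespace }}"
        name: "{{ rabbitmq_cr_name }}"
      register: rabbitmq_cr
      retries: 30   # assumed budget: 30 x 10 s
      delay: 10
      # An absent CR returns an empty list rather than an error, so guard both cases.
      until: >-
        rabbitmq_cr.resources | length > 0 and
        ((rabbitmq_cr.resources[0].spec | default({})).tls | default({})).secretName
        | default('') | length > 0

    - name: Record the secret name reported by the CR
      ansible.builtin.set_fact:
        rabbitmq_tls_secret: "{{ rabbitmq_cr.resources[0].spec.tls.secretName }}"

    - name: Read the referenced Secret
      kubernetes.core.k8s_info:
        api_version: v1
        kind: Secret
        namespace: "{{ central_namespace }}"
        name: "{{ rabbitmq_tls_secret }}"
      register: tls_secret
      no_log: true   # keep private key material out of CI job logs

    - name: Stop if the Secret is missing or lacks a certificate and key
      ansible.builtin.assert:
        that:
          - tls_secret.resources | length == 1
          - "'tls.crt' in (tls_secret.resources[0].data | default({}))"
          - "'tls.key' in (tls_secret.resources[0].data | default({}))"
        fail_msg: "TLS secret {{ rabbitmq_tls_secret }} is missing or incomplete"
        quiet: true
```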

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/451747df4e864222b9ec4411ae75617d

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 42m 53s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 24m 33s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 28m 47s
cifmw-crc-podified-edpm-baremetal-minor-update RETRY_LIMIT in 32m 49s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 9m 10s
✔️ cifmw-pod-pre-commit SUCCESS in 8m 56s

@vakwetu vakwetu force-pushed the skmo-skupper-keystone branch 4 times, most recently from 3502950 to c88378c Compare April 15, 2026 00:24
@vakwetu vakwetu requested review from abays, evallesp and fultonj April 15, 2026 18:49

@evallesp evallesp left a comment

In general LGTM

Comment thread hooks/playbooks/skmo/skupper-connector.yaml
Comment thread hooks/playbooks/skmo/skupper-install.yaml
Comment thread hooks/playbooks/skmo/configure-leaf-listener.yaml
Comment thread hooks/playbooks/skmo/skupper-install.yaml Outdated
Comment thread hooks/playbooks/skmo/skupper-install.yaml Outdated
@vakwetu vakwetu force-pushed the skmo-skupper-keystone branch 2 times, most recently from 52c399b to 7b01c17 Compare April 16, 2026 19:04
@vakwetu vakwetu force-pushed the skmo-skupper-keystone branch from 7b01c17 to 82dfda1 Compare April 17, 2026 01:56
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/faf40921ee674e6c9ef0143267a03148

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 17m 33s
podified-multinode-edpm-deployment-crc FAILURE in 24m 42s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 34m 29s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 2h 04m 18s
✔️ cifmw-pod-zuul-files SUCCESS in 8m 04s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 11m 47s
✔️ cifmw-pod-pre-commit SUCCESS in 10m 18s
✔️ cifmw-molecule-federation SUCCESS in 2m 43s

Comment thread hooks/playbooks/skmo/configure-leaf-keystone-internal.yaml Outdated
@vakwetu vakwetu force-pushed the skmo-skupper-keystone branch from 82dfda1 to 2190966 Compare April 17, 2026 15:36

vakwetu commented Apr 17, 2026

Note: the prefix check is failing because the earliest commit contains [federation] changes. Once #3847 is merged, then I will rebase and federation role changes will no longer be in this or subsequent PRs.

…uting

Add hook playbooks and configuration to establish Skupper virtual
services for RabbitMQ and Keystone internal endpoints, enabling
cross-region connectivity in the multi-namespace SKMO scenario.

skupper-connector.yaml: query the RabbitMQ TLS secret from the correct
CRD - rabbitmq.openstack.org/v1beta1 (RabbitMq) as used by the
OpenStack infra-operator, not the community rabbitmq.com/v1beta1
(RabbitmqCluster). Add retries to wait for spec.tls.secretName to
be populated before creating the Skupper Connector.

skupper-keystone-connector.yaml: add retries to the KeystoneAPI CR
lookup to wait for spec.tls.api.internal.secretName to be available,
since that field is not populated until Keystone completes TLS setup.

configure-leaf-keystone-internal.yaml: after patching the leaf OSCP
to use the Skupper Keystone virtual service, also create a MetalLB
LoadBalancer Service (keystone-regionone-lb) and a DNSData CR
(keystone-skupper) so that EDPM compute nodes outside the OCP cluster
can resolve and connect to the Keystone auth_url. The Skupper Listener
creates a ClusterIP-only Service that is unreachable from EDPM nodes;
the LoadBalancer Service obtains a MetalLB IP on the leaf internalapi
network and the DNSData entry registers both the short (.svc) and
fully-qualified (.svc.cluster.local) names in the dnsmasq instance
serving those nodes.

Signed-off-by: Ade Lee <alee@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
Made-with: Cursor
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/cfb35b7b9f12422aa41653bb512ad800

openstack-k8s-operators-content-provider FAILURE in 15m 55s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal-minor-update SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 17s
✔️ cifmw-pod-pre-commit SUCCESS in 16m 37s

@danpawlik

recheck

@michburk michburk left a comment

/lgtm

Comment thread hooks/playbooks/skmo/configure-leaf-keystone-internal.yaml

@abays abays left a comment

/lgtm
/approve

@michburk

/approve

@openshift-ci

openshift-ci Bot commented Apr 23, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abays, michburk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 0c53ca8 into openstack-k8s-operators:main Apr 23, 2026
10 checks passed
softwarefactory-project-zuul Bot added a commit to openstack-k8s-operators/architecture that referenced this pull request Apr 23, 2026
[skmo] Add Skupper for cross-region RabbitMQ and Keystone

[skmo] Add Skupper for cross-region RabbitMQ and Keystone internal routing

Add automation variables and kustomize configuration to establish Skupper
virtual services for RabbitMQ and Keystone internal endpoints, enabling
cross-region connectivity in the multi-namespace SKMO scenario.

The RabbitMQ Skupper connector routes barbican-keystone-listener traffic
from the leaf (openstack2) namespace to the central (openstack) RabbitMQ
over an mTLS tunnel, avoiding exposure on the public network.

The Keystone Skupper connector routes internal service-to-service
authentication traffic from leaf region services to the central Keystone
endpoint, replacing the previous approach of using the public Keystone URL
for internal traffic.

To make the Skupper Keystone virtual service reachable from EDPM compute
nodes (which run outside the OCP cluster and cannot reach ClusterIP
services), a MetalLB LoadBalancer Service and a DNSData CR are created
alongside the Skupper Listener. This ensures nova-compute can resolve
and connect to the Keystone auth_url on startup.

Also adds skupper-keystone-internal.md documenting the full procedure,
including the EDPM DNS workaround and the rationale for each step.

Depends-On: openstack-k8s-operators/ci-framework#3836

Reviewed-by: Enrique Vallespi Gil
Reviewed-by: Andrew Bays <andrew.bays@gmail.com>
Reviewed-by: Ade Lee
Reviewed-by: Daniel Pawlik
Reviewed-by: John Fulton <johfulto@redhat.com>