From d0ae8d787f9bc0c8ea674d6e9b8115cc0d39387b Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Thu, 4 Sep 2025 14:49:19 -0500 Subject: [PATCH] chore(openstack): create schema and document configuration Created a schema for the current chart and validated samples we have against it. Updated a few fields from JSON to YAML to make it consistent and let my validation test pass. Symlink the schema so that it is able to be fetched. Added documentation around how to configure this part of a deployment. --- .../templates/mariadb-instance.yaml.tpl | 6 +- components/openstack/values.schema.json | 144 +++++++++++++++ docs/deploy-guide/config-openstack.md | 171 ++++++++++++++++++ docs/schema/component-openstack.schema.json | 1 + mkdocs.yml | 1 + 5 files changed, 321 insertions(+), 2 deletions(-) create mode 100644 components/openstack/values.schema.json create mode 100644 docs/deploy-guide/config-openstack.md create mode 120000 docs/schema/component-openstack.schema.json diff --git a/components/openstack/templates/mariadb-instance.yaml.tpl b/components/openstack/templates/mariadb-instance.yaml.tpl index 5e6d4ed39..e904e35ca 100644 --- a/components/openstack/templates/mariadb-instance.yaml.tpl +++ b/components/openstack/templates/mariadb-instance.yaml.tpl @@ -7,14 +7,16 @@ metadata: # do not allow ArgoCD to delete our DB argocd.argoproj.io/sync-options: Delete=false spec: - rootPasswordSecretKeyRef: {{ .Values.mariadb.rootPasswordSecretKeyRef | toJson }} + rootPasswordSecretKeyRef: +{{ toYaml .Values.mariadb.rootPasswordSecretKeyRef | indent 4 }} # renovate: datasource=docker image: docker-registry1.mariadb.com/library/mariadb:11.4.4 imagePullPolicy: IfNotPresent port: 3306 - storage: {{ .Values.mariadb.storage | toJson }} + storage: +{{ toYaml .Values.mariadb.storage | indent 4 }} replicas: {{ .Values.mariadb.replicas }} service: type: ClusterIP 
diff --git a/components/openstack/values.schema.json b/components/openstack/values.schema.json
new file mode 100644
index 000000000..8ca4fb7a0
--- /dev/null
+++ b/components/openstack/values.schema.json
@@ -0,0 +1,144 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "OpenStack Helm Chart Values",
+ "description": "Schema for OpenStack component values.yaml configuration",
+ "type": "object",
+ "properties": {
+ "mariadb": {
+ "type": "object",
+ "description": "OpenStack mariadb instance settings",
+ "properties": {
+ "rootPasswordSecretKeyRef": {
+ "type": "object",
+ "description": "Root password settings",
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Secret name containing the root password"
+ },
+ "key": {
+ "type": "string",
+ "description": "Key within the secret containing the password"
+ },
+ "generate": {
+ "type": "boolean",
+ "description": "Whether to generate the password if it doesn't exist"
+ }
+ },
+ "required": ["name", "key"],
+ "additionalProperties": false
+ },
+ "storage": {
+ "type": "object",
+ "description": "Storage settings",
+ "properties": {
+ "size": {
+ "type": "string",
+ "pattern": "^[0-9]+(Gi|G|Mi|M|Ki|K)$",
+ "description": "Storage size (e.g., 10Gi)"
+ },
+ "resizeInUseVolumes": {
+ "type": "boolean",
+ "description": "Enable resizing volumes while in use"
+ },
+ "waitForVolumeResize": {
+ "type": "boolean",
+ "description": "Wait for volume resize to complete"
+ },
+ "volumeClaimTemplate": {
+ "type": "object",
+ "description": "Volume claim template configuration",
+ "properties": {
+ "storageClassName": {
+ "type": "string",
+ "description": "Storage class name for the volume"
+ },
+ "accessModes": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "enum": ["ReadWriteOnce", "ReadOnlyMany", "ReadWriteMany"]
+ },
+ "description": "Access modes for the volume"
+ },
+ "resources": {
+ "type": "object",
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "storage": {
+ "type": "string",
+ "pattern": "^[0-9]+(Gi|G|Mi|M|Ki|K)$",
+ "description": "Storage request size"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ },
+ "replicas": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "Number of MariaDB replicas (Galera cluster size)"
+ }
+ },
+ "additionalProperties": false
+ },
+ "rabbitmq": {
+ "type": "object",
+ "description": "OpenStack RabbitMQ instance settings",
+ "properties": {
+ "persistence": {
+ "type": "object",
+ "description": "Storage persistence settings",
+ "additionalProperties": true
+ }
+ },
+ "additionalProperties": false
+ },
+ "extraObjects": {
+ "type": "array",
+ "description": "Array of extra Kubernetes manifests to deploy",
+ "items": {
+ "type": "object",
+ "properties": {
+ "apiVersion": {
+ "type": "string",
+ "description": "Kubernetes API version"
+ },
+ "kind": {
+ "type": "string",
+ "description": "Kubernetes resource kind"
+ },
+ "metadata": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ }
+ },
+ "additionalProperties": true
+ },
+ "spec": {
+ "type": "object",
+ "additionalProperties": true
+ }
+ },
+ "required": ["apiVersion", "kind"],
+ "additionalProperties": true
+ }
+ }
+ },
+ "additionalProperties": false
+}
diff --git a/docs/deploy-guide/config-openstack.md b/docs/deploy-guide/config-openstack.md
new file mode 100644
index 000000000..c448a37fa
--- /dev/null
+++ b/docs/deploy-guide/config-openstack.md
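Review bot: The `pattern` on `mariadb.storage.size` and again on `volumeClaimTemplate.resources.requests.storage`, `^[0-9]+(Gi|G|Mi|M|Ki|K)$`, does not follow the Kubernetes quantity grammar: it rejects valid sizes such as `1Ti` or `1.5Gi`, yet accepts `10K`, which Kubernetes does not (decimal kilo is lowercase `k`), so a terabyte volume fails chart validation while an invalid suffix is rendered into the MariaDB resource unchecked. A pattern closer to what the API accepts for storage quantities is `"pattern": "^[0-9]+(\\.[0-9]+)?(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?$"`, applied in both places. Separately, `rabbitmq.persistence` is an open object with no `properties`, so the `enabled`, `size` and `storageClassName` keys shown in the documentation added by this commit are never checked and a misspelt key passes validation silently; if those are the keys the template consumes, listing them with `"additionalProperties": false` would give this subtree the same protection the `mariadb` subtree has.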
@@ -0,0 +1,171 @@
+# Configuring OpenStack (Shared)
+
+The `openstack` component provides shared infrastructure and prerequisites for all OpenStack services in UnderStack. This includes database, messaging, and common resources needed by individual OpenStack services like Keystone, Nova, Neutron, and Ironic.
+
+## Overview
+
+The OpenStack component is a Helm chart that creates:
+
+- **MariaDB cluster** - Primary database for OpenStack services
+- **RabbitMQ cluster** - Message broker for OpenStack communication
+- **Shared secrets and credentials** - Common authentication resources
+- **Kubernetes Service accounts** - Kubernetes RBAC for workflow automation
+- **External secret stores** - Integration with external secret management
+
+## Configuration
+
+Configure the OpenStack component by editing `$DEPLOY_NAME/helm-configs/openstack.yaml` in your deployment repository.
+
+### MariaDB Database Configuration
+
+The MariaDB cluster provides the primary database for OpenStack services:
+
+```yaml
+mariadb:
+ # Root password configuration
+ rootPasswordSecretKeyRef:
+ name: mariadb
+ key: root-password
+ generate: true # Auto-generate if not provided
+
+ # Storage configuration
+ storage:
+ size: 10Gi
+ resizeInUseVolumes: true
+ waitForVolumeResize: true
+ volumeClaimTemplate:
+ storageClassName: ceph-block-single
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+
+ # Enable Galera cluster with 3 replicas for HA
+ replicas: 3
+```
+
+#### Storage Considerations
+
+- **Size**: Start with 10Gi minimum, scale based on your deployment size
+- **Storage Class**: Use your cluster's high-performance storage class
+- **Replicas**: 3 replicas provide high availability via Galera clustering
+- **Resize**: Enable volume resizing for future scaling needs
+
+### RabbitMQ Message Broker Configuration
+
+RabbitMQ handles inter-service communication for OpenStack:
+
+```yaml
+rabbitmq:
+ # Configure persistent storage for message queues
+ persistence:
+ enabled: true
+ size: 8Gi
+ storageClassName: ceph-block-single
+```
+
+### Additional Kubernetes Resources
+
+Use `extraObjects` to deploy additional Kubernetes manifests alongside the OpenStack component:
+
+```yaml
+extraObjects:
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ExternalSecret
+ metadata:
+ name: openstack-credentials
+ spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: openstack-admin-credentials
+ dataFrom:
+ - extract:
+ key: openstack/admin
+```
+
+## Integration with OpenStack Services
+
+Individual OpenStack services (Keystone, Nova, Neutron, etc.) depend on resources created by this component:
+
+- **Database**: Each service gets dedicated MariaDB databases
+- **Messaging**: Services connect to the shared RabbitMQ cluster
+- **Secrets**: Common credentials are managed centrally
+- **Kubernetes Service Accounts**: Argo Workflows automation uses shared service accounts
+
+## Security Considerations
+
+### Secret Management
+
+- Use External Secrets Operator for production deployments
+- Rotate database and RabbitMQ credentials regularly
+- Ensure proper RBAC for service accounts
+
+### Network Security
+
+- Configure network policies to restrict inter-pod communication
+- Use TLS for all database and message broker connections
+- Isolate OpenStack traffic using Kubernetes namespaces
+
+## Monitoring and Observability
+
+The OpenStack component integrates with cluster monitoring:
+
+```yaml
+# Enable monitoring for MariaDB
+mariadb:
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+
+# Enable monitoring for RabbitMQ
+rabbitmq:
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+```
+
+## Troubleshooting
+
+### Database Connection Issues
+
+If OpenStack services can't connect to MariaDB:
+
+1. Check MariaDB pod status: `kubectl get pods -l app=mariadb`
+2. Verify service endpoints: `kubectl get endpoints mariadb`
+3. Test connectivity from a service pod: `kubectl exec -it -- mysql -h mariadb -u root -p`
+
+### Message Queue Problems
+
+For RabbitMQ connectivity issues:
+
+1. Check RabbitMQ cluster status: `kubectl exec -it rabbitmq-0 -- rabbitmqctl cluster_status`
+2. Verify queue status: `kubectl exec -it rabbitmq-0 -- rabbitmqctl list_queues`
+3. Check service connectivity: `kubectl get svc rabbitmq`
+
+### Resource Scaling
+
+To scale the database cluster:
+
+```yaml
+mariadb:
+ replicas: 5 # Scale to 5 nodes
+ storage:
+ size: 50Gi # Increase storage per node
+```
+
+Apply changes and monitor the scaling process:
+
+```bash
+kubectl get pods -l app=mariadb -w
+```
+
+## Related Documentation
+
+- [Component Configuration](./component-config.md) - General component configuration patterns
+- [Override OpenStack Service Config](./override-openstack-svc-config.md) - Service-specific configuration overrides
+- [Deploy Repo](./deploy-repo.md) - Deployment repository structure
diff --git a/docs/schema/component-openstack.schema.json b/docs/schema/component-openstack.schema.json
new file mode 120000
index 000000000..344b318b0
--- /dev/null
+++ b/docs/schema/component-openstack.schema.json
@@ -0,0 +1 @@
+../../components/openstack/values.schema.json
\ No newline at end of file
diff --git a/mkdocs.yml b/mkdocs.yml
index fc4d79398..686b2d21f 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -130,6 +130,7 @@ nav:
 - deploy-guide/deploy-repo.md
 - deploy-guide/component-config.md
 - deploy-guide/config-dex.md
+ - deploy-guide/config-openstack.md
 - deploy-guide/auth.md
 - deploy-guide/config-argo-workflows.md
 - Starting the Deployment: