feat: update nautobot/neutron/octavia post deployment jobs to use an automation account #1348
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cardoe
force-pushed
the
automation-accounts
branch
from
93127a0 to
0154e57
Compare
Rename from service accounts to automation accounts to avoid confusion with OpenStack service accounts.
This account has read/write permissions on the baremetal project so that we can use it to configure various services and load any data that is necessary for the site to work.
This task just checks that we can authenticate to OpenStack.
Add security contexts. Add hook config so that ArgoCD sees the job as completing and cleans it up. Add resource limits. Switch to using the infrasetup user and loading the keystone URL from the site metadata.
Instead of attempting to detect when a deployment happens of neutron, just run the post deployment job after we deploy neutron each time. This job should be idempotent so this should be successful each time.
Due to the way that ExternalSecrets can update the Secret, its possible this will trigger with an empty password set so we need to skip that.
The nautobot sync job is hitting the time limit so remove it for now and increase how much resources it gets.
cardoe
force-pushed
the
automation-accounts
branch
from
0154e57 to
95eba6c
Compare
nicholaskuechler
approved these changes
Oct 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Firstly this takes the OpenStack automation account docs and code renaming it to "automation account" from "service account" to avoid confusion as suggested by @nicholaskuechler. Then create an automation account "infrasetup" per site which can be used by each of the services as a post deployment. Then moved the octavia and neutron jobs into their respective kustomize and standardized their behavior. Created some checks in the ansible to ensure that we are able to communicate with the environment correctly. Set resource limits on the jobs so that they don't run away from us and set labels so that ArgoCD can track it successfully.