feat: update nautobot/neutron/octavia post deployment jobs to use an automation account

ansible/playbooks/keystone_bootstrap.yaml

@@ -18,13 +18,8 @@
   connection: local
 
   pre_tasks:
-    - name: Fail if ENV variables are not set
-      ansible.builtin.fail:
-        msg: "Environment variable {{ item }} is not set. Exiting playbook."
-      when: lookup('env', item) == ''
-      loop:
-        - OS_USERNAME
-        - OS_DEFAULT_DOMAIN
+    - name: Check OpenStack connectivity
+      ansible.builtin.import_tasks: ../tasks/check_openstack_auth.yml
 
   roles:
     - role: keystone_bootstrap

ansible/playbooks/openstack_network.yaml

@@ -18,12 +18,8 @@
   connection: local
 
   pre_tasks:
-    - name: Fail if ENV variables are not set
-      ansible.builtin.fail:
-        msg: "Environment variable {{ item }} is not set. Exiting playbook."
-      when: lookup('env', item) == ''
-      loop:
-        - OS_CLOUD
+    - name: Check OpenStack connectivity
+      ansible.builtin.import_tasks: ../tasks/check_openstack_auth.yml
 
   roles:
     - role: openstack_network

ansible/playbooks/openstack_octavia.yaml

@@ -18,12 +18,8 @@
   connection: local
 
   pre_tasks:
-    - name: Fail if ENV variables are not set
-      ansible.builtin.fail:
-        msg: "Environment variable {{ item }} is not set. Exiting playbook."
-      when: lookup('env', item) == ''
-      loop:
-        - OS_CLOUD
+    - name: Check OpenStack connectivity
+      ansible.builtin.import_tasks: ../tasks/check_openstack_auth.yml
 
   roles:
     - role: openstack_octavia

ansible/tasks/check_openstack_auth.yml

@@ -0,0 +1,12 @@
+- name: Authenticate to Keystone
+  openstack.cloud.auth:
+    timeout: 20
+  register: auth
+
+- name: Assert OpenStack authentication succeeded
+  ansible.builtin.assert:
+    that:
+      - auth.auth_token is defined
+      - auth.auth_token | length > 0
+    success_msg: "OpenStack authentication successful"
+    fail_msg: "OpenStack authentication failed."

components/nautobot/values.yaml

@@ -116,9 +116,6 @@ extraObjects:
         "helm.sh/hook-weight": "1"
         "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     spec:
-      ttlSecondsAfterFinished: 300
-      # allow the ansible container to run for 20 minutes
-      activeDeadlineSeconds: 1200
       backoffLimit: 1
       template:
         spec:
@@ -135,10 +132,10 @@ extraObjects:
               command: ["ansible-runner", "run", "/runner", "--playbook", "nautobot-initial-setup.yaml"]
               resources:
                 requests:
-                  cpu: "100m"
+                  cpu: "1000m"
                   memory: "512Mi"
                 limits:
-                  cpu: "500m"
+                  cpu: "1000m"
                   memory: "512Mi"
               securityContext:
                 allowPrivilegeEscalation: false

components/neutron/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 resources:
   - neutron-mariadb-db.yaml
   - neutron-rabbitmq-queue.yaml
-  - neutron-nautobot.yaml
+  - neutron-post-deployment-job.yaml
   # less than ideal addition but necessary so that we can have the neutron.conf.d loading
   # working due to the way the chart hardcodes the config-file parameter which then
   # takes precedence over the directory

components/neutron/neutron-post-deployment-job.yaml

@@ -0,0 +1,64 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: neutron-post-deployment-job
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded
+spec:
+  backoffLimit: 2
+  template:
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: ansible
+          image: ghcr.io/rackerlabs/understack/ansible:latest
+          imagePullPolicy: Always
+          command: ["ansible-runner", "run", "/runner", "--playbook", "openstack_network.yaml"]
+          resources:
+            requests:
+              cpu: "1000m"
+              memory: "512Mi"
+            limits:
+              cpu: "1000m"
+              memory: "512Mi"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: false
+          env:
+            - name: OS_CLOUD
+              value: understack
+          volumeMounts:
+            - name: ansible-inventory
+              mountPath: /runner/inventory/
+            - name: ansible-group-vars
+              mountPath: /runner/inventory/group_vars/
+            - name: infrasetup
+              mountPath: /etc/openstack
+              readOnly: true
+      volumes:
+        - name: runner-data
+          emptyDir: {}
+        - name: ansible-inventory
+          configMap:
+            name: ansible-inventory
+        - name: ansible-group-vars
+          configMap:
+            name: ansible-group-vars
+        - name: infrasetup
+          secret:
+            secretName: infrasetup
+            items:
+              - key: clouds.yaml
+                path: clouds.yaml
+      restartPolicy: OnFailure

components/octavia/octavia-post-deployment-job.yaml

@@ -3,18 +3,38 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: octavia-post-deployment-job
-  generateName: octavia-post-deployment-job-
   annotations:
     argocd.argoproj.io/hook: PostSync
-    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded
 spec:
+  backoffLimit: 2
   template:
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
-        - name: octavia-post-deploy
+        - name: ansible
           image: ghcr.io/rackerlabs/understack/ansible:latest
           imagePullPolicy: Always
           command: ["ansible-runner", "run", "/runner", "-vvv", "--playbook", "openstack_octavia.yaml"]
+          resources:
+            requests:
+              cpu: "1000m"
+              memory: "512Mi"
+            limits:
+              cpu: "1000m"
+              memory: "512Mi"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: false
           env:
             - name: OS_CLOUD
               value: understack
@@ -27,7 +47,7 @@ spec:
               subPath: inventory.yaml
             - name: ansible-group-vars
               mountPath: /runner/inventory/group_vars/
-            - name: openstack-svc-acct
+            - name: infrasetup
               mountPath: /etc/openstack
               readOnly: true
       volumes:
@@ -42,7 +62,10 @@ spec:
         - name: ansible-group-vars
           configMap:
             name: ansible-group-vars
-        - name: openstack-svc-acct
+        - name: infrasetup
           secret:
-            secretName: openstack-svc-acct
+            secretName: infrasetup
+            items:
+              - key: clouds.yaml
+                path: clouds.yaml
       restartPolicy: OnFailure

components/openstack/templates/automation-infrasetup.yaml.tpl

@@ -0,0 +1,46 @@
+---
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Password
+metadata:
+  name: "infrasetup-{{ .Values.regionName }}"
+spec:
+  length: 32
+  digits: 6
+  symbols: 6
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: "infrasetup-{{ .Values.regionName }}"
+spec:
+  refreshInterval: 20160m
+  target:
+    name: infrasetup
+    template:
+      engineVersion: v2
+      type: Opaque
+      metadata:
+        labels:
+          understack.rackspace.com/keystone-role: infra-readwrite
+          understack.rackspace.com/keystone-user: "infrasetup-{{ .Values.regionName }}"
+      data:
+        password: "{{ `{{ .password }}` }}"
+        clouds.yaml: |
+          clouds:
+            understack:
+              auth:
+                auth_url: "{{ .Values.keystoneUrl }}"
+                user_domain_name: "service"
+                username: "infrasetup-{{ .Values.regionName }}"
+                password: "{{ `{{ .password }}` }}"
+                project_domain_name: "infra"
+                project_name: "baremetal"
+              region_name: "{{ .Values.regionName }}"
+              interface: "public"
+              identity_api_version: 3
+  dataFrom:
+  - sourceRef:
+      generatorRef:
+        apiVersion: generators.external-secrets.io/v1alpha1
+        kind: Password
+        name: "infrasetup-{{ .Values.regionName }}"

components/site-workflows/eventsources/eventsource-k8s-openstack-secrets.yaml

@@ -8,7 +8,7 @@ spec:
     serviceAccountName: k8s-openstack-events-secrets
   # Kubernetes resource event sources
   resource:
-    keystone-integration-reader-add:
+    keystone-automation-user-upsert:
       # monitor deployment resources under openstack namespace
       namespace: openstack
       group: ""
@@ -24,7 +24,7 @@ spec:
             operation: exists
           - key: understack.rackspace.com/keystone-user
             operation: exists
-    keystone-integration-reader-delete:
+    keystone-automation-user-delete:
       # monitor deployment resources under openstack namespace
       namespace: openstack
       group: ""

components/site-workflows/kustomization.yaml

@@ -10,21 +10,17 @@ resources:
   - eventsources/rabbitmq-user-argo-ironic.yaml
   - eventsources/rabbitmq-user-argo-keystone.yaml
   - eventsources/rabbitmq-user-argo-neutron.yaml
-  - eventsources/eventsource-k8s-openstack-neutron.yaml
   - eventsources/eventsource-k8s-openstack-secrets.yaml
   - serviceaccounts/serviceaccount-sensor-submit-workflow.yaml
-  - serviceaccounts/serviceaccount-k8s-openstack-events.yaml
   - serviceaccounts/serviceaccount-k8s-openstack-events-secrets.yaml
   - sensors/sensor-ironic-node-update.yaml
   - sensors/sensor-keystone-event-project.yaml
   - sensors/sensor-keystone-oslo-event.yaml
-  - sensors/sensor-k8s-neutron-deployment.yaml
-  - sensors/sensor-keystone-integration-reader-add.yaml
-  - sensors/sensor-keystone-integration-reader-rm.yaml
+  - sensors/sensor-keystone-automation-user-upsert.yaml
+  - sensors/sensor-keystone-automation-user-delete.yaml
   - sensors/sensor-neutron-event-network-segment-range.yaml
   - sensors/sensor-neutron-olso-event.yaml
   - sensors/sensor-ironic-reclean.yaml
   - sensors/sensor-ironic-node-port.yaml
   - sensors/sensor-ironic-oslo-event.yaml
   - secrets/nautobot-token.yaml
-  - secrets/openstack-svc-acct.yaml