From 2a049b43a0ebfe6aef2f2677082abff8b729cdda Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Mon, 27 Oct 2025 10:33:34 -0500
Subject: [PATCH 1/3] fix: correct octavia and neutron post-deploy mounts
Mount the correct paths and inventory into the octavia and neutron post-deploy jobs.
---
 components/neutron/neutron-post-deployment-job.yaml | 2 --
 components/octavia/octavia-post-deployment-job.yaml | 11 +----------
 2 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/components/neutron/neutron-post-deployment-job.yaml b/components/neutron/neutron-post-deployment-job.yaml
index 64f4c7ca0..c617460a1 100644
--- a/components/neutron/neutron-post-deployment-job.yaml
+++ b/components/neutron/neutron-post-deployment-job.yaml
@@ -47,8 +47,6 @@ spec: mountPath: /etc/openstack readOnly: true volumes: - - name: runner-data - emptyDir: {} - name: ansible-inventory configMap: name: ansible-inventory
diff --git a/components/octavia/octavia-post-deployment-job.yaml b/components/octavia/octavia-post-deployment-job.yaml
index a414c82b0..bb5d17d26 100644
--- a/components/octavia/octavia-post-deployment-job.yaml
+++ b/components/octavia/octavia-post-deployment-job.yaml
@@ -40,25 +40,16 @@ spec: value: understack volumeMounts: - name: ansible-inventory - mountPath: /runner/inventory/hosts.yaml - subPath: hosts.yaml - - name: ansible-kubernetes-inventory - mountPath: /runner/inventory/inventory.yaml - subPath: inventory.yaml + mountPath: /runner/inventory/ - name: ansible-group-vars mountPath: /runner/inventory/group_vars/ - name: infrasetup mountPath: /etc/openstack readOnly: true volumes: - - name: runner-data - emptyDir: {} - name: ansible-inventory configMap: name: ansible-inventory - - name: ansible-kubernetes-inventory - configMap: - name: ansible-kubernetes-inventory - name: ansible-group-vars configMap: name: ansible-group-vars
From 3694e0eaafb46edea8c638a1a14d6994ff3ef0e1 Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Mon, 27 Oct 2025 10:38:59 -0500
Subject: [PATCH 2/3] fix(nautobot): split out the nautobot post-deploy job into its own yaml
Like the OpenStack services, split the nautobot post-deploy job into its own yaml file.
---
 .../nautobot/job-nautobot-post-deploy.yaml | 66 +++++++++++++++++
 components/nautobot/kustomization.yaml | 1 +
 components/nautobot/values.yaml | 71 -------------------
 3 files changed, 67 insertions(+), 71 deletions(-)
 create mode 100644 components/nautobot/job-nautobot-post-deploy.yaml
diff --git a/components/nautobot/job-nautobot-post-deploy.yaml b/components/nautobot/job-nautobot-post-deploy.yaml
new file mode 100644
index 000000000..23a21efc8
--- /dev/null
+++ b/components/nautobot/job-nautobot-post-deploy.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: nautobot-post-deploy
+ labels:
+ app.kubernetes.io/name: nautobot
+ app.kubernetes.io/component: post-deploy
+ annotations:
+ argocd.argoproj.io/hook: PostSync
+ argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded
+spec:
+ backoffLimit: 2
+ template:
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: ansible
+ image: ghcr.io/rackerlabs/understack/ansible:latest
+ imagePullPolicy: Always
+ command: ["ansible-runner", "run", "/runner", "--playbook", "nautobot-initial-setup.yaml"]
+ resources:
+ requests:
+ cpu: "1000m"
+ memory: "512Mi"
+ limits:
+ cpu: "1000m"
+ memory: "512Mi"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: false
+ env:
+ - name: NAUTOBOT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: nautobot-superuser
+ key: apitoken
+ - name: NAUTOBOT_URL
+ value: http://nautobot-default.nautobot.svc.cluster.local
+ volumeMounts:
+ - name: ansible-inventory
+ mountPath: /runner/inventory/
+ - name: ansible-group-vars
+ mountPath: /runner/inventory/group_vars/
+ - name: device-types
+ mountPath: /runner/data/device-types/
+ volumes:
+ - name: ansible-inventory
+ configMap:
+ name: ansible-inventory
+ - name: ansible-group-vars
+ configMap:
+ name: ansible-group-vars
+ - name: device-types
+ configMap:
+ name: device-types
+ restartPolicy: OnFailure
diff --git a/components/nautobot/kustomization.yaml b/components/nautobot/kustomization.yaml
index f67801f60..3ea8939f8 100644
--- a/components/nautobot/kustomization.yaml
+++ b/components/nautobot/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization resources: - external-secret-nautobot-sso.yaml + - job-nautobot-post-deploy.yaml configMapGenerator: - name: nautobot-sso
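Review bot: The new Job silently changes the failure handling of the hook it replaces: `restartPolicy: OnFailure` with `backoffLimit: 2` stands in for the old `restartPolicy: Never` with `backoffLimit: 1` from values.yaml, while the commit message only describes a move into its own file. Per the Job docs, with OnFailure the pod itself is terminated once the backoff limit is reached, so the log of a failing `nautobot-post-deploy.yaml` run is easier to lose than with a `Never` pod that is left behind for inspection; if the retry is intended, a comment above `backoffLimit:` saying so would stop the next reader from reverting it. Separately, `image: ghcr.io/rackerlabs/understack/ansible:latest` with `imagePullPolicy: Always` means a job that holds the `nautobot-superuser` API token in `NAUTOBOT_TOKEN` runs whatever is currently published under a mutable tag; pinning a digest or a release tag would make the hook reproducible and reviewable. The same unpinned tag appears in the neutron, nova and octavia job hunks of the third patch.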
diff --git a/components/nautobot/values.yaml b/components/nautobot/values.yaml
index fecc4dc96..f5b9ad4c2 100644
--- a/components/nautobot/values.yaml
+++ b/components/nautobot/values.yaml
@@ -100,74 +100,3 @@ metrics: enabled: true prometheusRule: enabled: true - -extraObjects: - - apiVersion: batch/v1 - kind: Job - metadata: - generateName: sync-nautobot-ansible- - namespace: nautobot - labels: - app.kubernetes.io/name: nautobot - app.kubernetes.io/component: sync-job - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - spec: - backoffLimit: 1 - template: - spec: - securityContext: - runAsNonRoot: true - runAsUser: 1000 - fsGroup: 1000 - seccompProfile: - type: RuntimeDefault - containers: - - name: ansible-runner - image: ghcr.io/rackerlabs/understack/ansible:latest - imagePullPolicy: Always - command: ["ansible-runner", "run", "/runner", "--playbook", "nautobot-initial-setup.yaml"] - resources: - requests: - cpu: "1000m" - memory: "512Mi" - limits: - cpu: "1000m" - memory: "512Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - env: - - name: NAUTOBOT_TOKEN - valueFrom: - secretKeyRef: - name: nautobot-superuser - key: apitoken - - name: NAUTOBOT_URL - value: http://nautobot-default.nautobot.svc.cluster.local - volumeMounts: - - name: ansible-inventory - mountPath: /runner/inventory/ - - name: ansible-group-vars - mountPath: /runner/inventory/group_vars/ - - name: device-types - mountPath: /runner/data/device-types/ - restartPolicy: Never - volumes: - - name: runner-data - emptyDir: {} - - name: ansible-inventory - configMap: - name: ansible-inventory - - name: ansible-group-vars - configMap: - name: ansible-group-vars - - name: device-types - configMap: - name: device-types
From 3ec5dfd39dc4432ff9bd5008b8255e77ed38b195 Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Mon, 27 Oct 2025 10:48:46 -0500
Subject: [PATCH 3/3] fix: rename all post deploy playbooks and jobs to be standardized
Standardize the naming of the post deploy playbooks and jobs to be:
$service-post-post
In all cases.
---
 ...utobot-initial-setup.yaml => nautobot-post-deploy.yaml} | 0
 .../{openstack_network.yaml => neutron-post-deploy.yaml} | 0
 ...openstack_nova_bootstrap.yaml => nova-post-deploy.yaml} | 0
 .../{openstack_octavia.yaml => octavia-post-deploy.yaml} | 0
 components/nautobot/job-nautobot-post-deploy.yaml | 2 +-
 ...st-deployment-job.yaml => job-neutron-post-deploy.yaml} | 7 +++++--
 components/neutron/kustomization.yaml | 2 +-
 ...-post-deployment-job.yaml => job-nova-post-deploy.yaml} | 7 +++++--
 components/nova/kustomization.yaml | 2 +-
 ...st-deployment-job.yaml => job-octavia-post-deploy.yaml} | 7 +++++--
 components/octavia/kustomization.yaml | 2 +-
 11 files changed, 19 insertions(+), 10 deletions(-)
 rename ansible/{nautobot-initial-setup.yaml => nautobot-post-deploy.yaml} (100%)
 rename ansible/{openstack_network.yaml => neutron-post-deploy.yaml} (100%)
 rename ansible/{openstack_nova_bootstrap.yaml => nova-post-deploy.yaml} (100%)
 rename ansible/{openstack_octavia.yaml => octavia-post-deploy.yaml} (100%)
 rename components/neutron/{neutron-post-deployment-job.yaml => job-neutron-post-deploy.yaml} (91%)
 rename components/nova/{nova-post-deployment-job.yaml => job-nova-post-deploy.yaml} (93%)
 rename components/octavia/{octavia-post-deployment-job.yaml => job-octavia-post-deploy.yaml} (91%)
diff --git a/ansible/nautobot-initial-setup.yaml b/ansible/nautobot-post-deploy.yaml
similarity index 100%
rename from ansible/nautobot-initial-setup.yaml
rename to ansible/nautobot-post-deploy.yaml
diff --git a/ansible/openstack_network.yaml b/ansible/neutron-post-deploy.yaml
similarity index 100%
rename from ansible/openstack_network.yaml
rename to ansible/neutron-post-deploy.yaml
diff --git a/ansible/openstack_nova_bootstrap.yaml b/ansible/nova-post-deploy.yaml
similarity index 100%
rename from ansible/openstack_nova_bootstrap.yaml
rename to ansible/nova-post-deploy.yaml
diff --git a/ansible/openstack_octavia.yaml b/ansible/octavia-post-deploy.yaml
similarity index 100%
rename from ansible/openstack_octavia.yaml
rename to ansible/octavia-post-deploy.yaml
diff --git a/components/nautobot/job-nautobot-post-deploy.yaml b/components/nautobot/job-nautobot-post-deploy.yaml
index 23a21efc8..13dcf6a5a 100644
--- a/components/nautobot/job-nautobot-post-deploy.yaml
+++ b/components/nautobot/job-nautobot-post-deploy.yaml
@@ -24,7 +24,7 @@ spec: - name: ansible image: ghcr.io/rackerlabs/understack/ansible:latest imagePullPolicy: Always - command: ["ansible-runner", "run", "/runner", "--playbook", "nautobot-initial-setup.yaml"] + command: ["ansible-runner", "run", "/runner", "--playbook", "nautobot-post-deploy.yaml"] resources: requests: cpu: "1000m"
diff --git a/components/neutron/neutron-post-deployment-job.yaml b/components/neutron/job-neutron-post-deploy.yaml
similarity index 91%
rename from components/neutron/neutron-post-deployment-job.yaml
rename to components/neutron/job-neutron-post-deploy.yaml
index c617460a1..208730ddc 100644
--- a/components/neutron/neutron-post-deployment-job.yaml
+++ b/components/neutron/job-neutron-post-deploy.yaml
@@ -2,7 +2,10 @@ apiVersion: batch/v1 kind: Job metadata: - name: neutron-post-deployment-job + name: neutron-post-deploy + labels: + app.kubernetes.io/name: neutron + app.kubernetes.io/component: post-deploy annotations: argocd.argoproj.io/hook: PostSync argocd.argoproj.io/sync-wave: "1"
@@ -21,7 +24,7 @@ spec: - name: ansible image: ghcr.io/rackerlabs/understack/ansible:latest imagePullPolicy: Always - command: ["ansible-runner", "run", "/runner", "--playbook", "openstack_network.yaml"] + command: ["ansible-runner", "run", "/runner", "--playbook", "neutron-post-deploy.yaml"] resources: requests: cpu: "1000m"
diff --git a/components/neutron/kustomization.yaml b/components/neutron/kustomization.yaml
index 7f5158890..6c245829b 100644
--- a/components/neutron/kustomization.yaml
+++ b/components/neutron/kustomization.yaml
@@ -5,7 +5,7 @@ kind: Kustomization resources: - neutron-mariadb-db.yaml - neutron-rabbitmq-queue.yaml - - neutron-post-deployment-job.yaml + - job-neutron-post-deploy.yaml # less than ideal addition but necessary so that we can have the neutron.conf.d loading # working due to the way the chart hardcodes the config-file parameter which then # takes precedence over the directory
diff --git a/components/nova/nova-post-deployment-job.yaml b/components/nova/job-nova-post-deploy.yaml
similarity index 93%
rename from components/nova/nova-post-deployment-job.yaml
rename to components/nova/job-nova-post-deploy.yaml
index 070aa41e7..c122f3d4d 100644
--- a/components/nova/nova-post-deployment-job.yaml
+++ b/components/nova/job-nova-post-deploy.yaml
@@ -2,7 +2,10 @@ apiVersion: batch/v1 kind: Job metadata: - name: nova-post-deployment-job + name: nova-post-deploy + labels: + app.kubernetes.io/name: nova + app.kubernetes.io/component: post-deploy annotations: argocd.argoproj.io/hook: PostSync argocd.argoproj.io/sync-wave: "1"
@@ -21,7 +24,7 @@ spec: - name: ansible image: ghcr.io/rackerlabs/understack/ansible:latest imagePullPolicy: Always - command: ["ansible-runner", "run", "/runner", "--playbook", "openstack_nova_bootstrap.yaml"] + command: ["ansible-runner", "run", "/runner", "--playbook", "nova-post-deploy.yaml"] resources: requests: cpu: "1000m"
diff --git a/components/nova/kustomization.yaml b/components/nova/kustomization.yaml
index 76a7df4aa..8a9f45dc4 100644
--- a/components/nova/kustomization.yaml
+++ b/components/nova/kustomization.yaml
@@ -9,4 +9,4 @@ resources: - nova-cell0-mariadb-db.yaml # creates 'nova_cell0' database - secret-nova-argo-token.yaml - roles-nova-argo-token.yaml - - nova-post-deployment-job.yaml + - job-nova-post-deploy.yaml
diff --git a/components/octavia/octavia-post-deployment-job.yaml b/components/octavia/job-octavia-post-deploy.yaml
similarity index 91%
rename from components/octavia/octavia-post-deployment-job.yaml
rename to components/octavia/job-octavia-post-deploy.yaml
index bb5d17d26..114197891 100644
--- a/components/octavia/octavia-post-deployment-job.yaml
+++ b/components/octavia/job-octavia-post-deploy.yaml
@@ -2,7 +2,10 @@ apiVersion: batch/v1 kind: Job metadata: - name: octavia-post-deployment-job + name: octavia-post-deploy + labels: + app.kubernetes.io/name: octavia + app.kubernetes.io/component: post-deploy annotations: argocd.argoproj.io/hook: PostSync argocd.argoproj.io/sync-wave: "1"
@@ -21,7 +24,7 @@ spec: - name: ansible image: ghcr.io/rackerlabs/understack/ansible:latest imagePullPolicy: Always - command: ["ansible-runner", "run", "/runner", "-vvv", "--playbook", "openstack_octavia.yaml"] + command: ["ansible-runner", "run", "/runner", "-vvv", "--playbook", "octavia-post-deploy.yaml"] resources: requests: cpu: "1000m"
diff --git a/components/octavia/kustomization.yaml b/components/octavia/kustomization.yaml
index 5ca2f2578..f81d28e97 100644
--- a/components/octavia/kustomization.yaml
+++ b/components/octavia/kustomization.yaml
@@ -5,4 +5,4 @@ kind: Kustomization resources: - octavia-rabbitmq-queue.yaml - octavia-mariadb-db.yaml - - octavia-post-deployment-job.yaml + - job-octavia-post-deploy.yaml
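Review bot: The renamed command line still carries `-vvv`, which the neutron and nova jobs in this same patch do not pass (`command: ["ansible-runner", "run", "/runner", "--playbook", ...]`), so the standardization stops at the names. At that verbosity Ansible prints task arguments and module results into the pod log, so any credential the octavia playbook handles (not visible here) ends up in the job logs unless every such task sets `no_log`; either drop `-vvv` to match the sibling jobs, or add a comment above `command:` stating why octavia alone needs it. The metadata and label changes otherwise mirror the neutron and nova hunks.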