stackhpc · Alex-Welsh · Apr 23, 2026 · Feb 2, 2026 · Apr 8, 2026 · Mar 27, 2026
@@ -2,6 +2,7 @@
 - import_playbook: "ssh-known-host.yml"
 - import_playbook: "kayobe-ansible-user.yml"
 - import_playbook: "logging.yml"
+- import_playbook: "trust-store.yml"
 - import_playbook: "proxy.yml"
 - import_playbook: "apt.yml"
 - import_playbook: "dnf.yml"

@@ -2,6 +2,7 @@
 - import_playbook: "ssh-known-host.yml"
 - import_playbook: "kayobe-ansible-user.yml"
 - import_playbook: "logging.yml"
+- import_playbook: "trust-store.yml"
 - import_playbook: "proxy.yml"
 - import_playbook: "apt.yml"
 - import_playbook: "dnf.yml"

@@ -339,6 +339,16 @@ kolla_seed_inventory_pass_through_host_vars_map: >-
 # hosts.
 kolla_overcloud_inventory_custom_top_level:
 
+# Flag indicating whether host will be included in the generated kolla
+# inventory.  True if inventory_hostname is in any of the groups defined in
+# kolla_overcloud_inventory_top_level_group_map, false otherwise.
+kolla_overcloud_inventory_pass_through_enabled: >-
+  {{ kolla_overcloud_inventory_top_level_group_map.values() |
+       map(attribute='groups') |
+       flatten |
+       intersect(group_names) is truthy
+  }}
+
 # Custom overcloud inventory containing a mapping from components to top level
 # groups.
 kolla_overcloud_inventory_custom_components:

@@ -0,0 +1,26 @@
+---
+###############################################################################
+# Trust store configuration.
+
+# List of CA certificate file paths discovered in
+# $KAYOBE_CONFIG_PATH/trust-store/ and in trust-store/ subdirectories of
+# kayobe_env_search_paths.
+trust_store_ca_certificates_default: >-
+  {{ query(
+    'ansible.builtin.fileglob',
+    *((([kayobe_config_path] +
+     (kayobe_env_search_paths | default([]) | list))
+    | unique
+    | map('regex_replace', '$', '/trust-store/*')
+    | list)))
+  | unique | list }}
+
+# List of additional CA certificate file paths to install on the current host.
+# This can be set in inventory group_vars to add host class-specific CAs.
+trust_store_ca_certificates_extra: []
+
+# List of CA certificate file paths to install on the current host.
+trust_store_ca_certificates: >-
+  {{ (trust_store_ca_certificates_default +
+      (trust_store_ca_certificates_extra | default([]) | list))
+     | unique | list }}
@@ -1,4 +1,15 @@
 ---
+- name: Collect hosts to map through to kolla-ansible
+  hosts: overcloud
+  gather_facts: false
+  tags:
+    - always
+  tasks:
+    - name: Group by kolla_overcloud_inventory_pass_through_enabled
+      ansible.builtin.group_by:
+        key: "kolla_mapped_overcloud_host_{{ kolla_overcloud_inventory_pass_through_enabled }}"
+      changed_when: false
+
 - name: Gather facts for localhost
   hosts: localhost
   gather_facts: true
@@ -68,6 +79,7 @@
       when:
         - groups[controller_loadbalancer_group] | length > 0
         - item.required | bool
+        - groups['kolla_mapped_overcloud_host_True'] | length > 0
       with_items:
         - var_name: "kolla_internal_vip_address"
           description: "Internal API VIP address"
@@ -140,7 +152,7 @@
         kolla_ansible_inventory_path: "{{ kolla_config_path }}/inventory/seed"
 
 - name: Generate Kolla Ansible host vars for overcloud hosts
-  hosts: overcloud
+  hosts: kolla_mapped_overcloud_host_True
   tags:
     - config
     - config-validation
@@ -175,11 +187,11 @@
           - var_name: "kolla_network_interface"
             description: "Default network"
             network: "{{ internal_net_name }}"
-            required: True
+            required: "{{ kolla_overcloud_inventory_pass_through_enabled | bool }}"
           - var_name: "kolla_api_interface"
             description: "API network"
             network: "{{ internal_net_name }}"
-            required: True
+            required: "{{ kolla_overcloud_inventory_pass_through_enabled | bool }}"
           - var_name: "kolla_storage_interface"
             description: "Storage network"
             network: "{{ storage_net_name }}"

@@ -2,6 +2,7 @@
 - import_playbook: "ssh-known-host.yml"
 - import_playbook: "kayobe-ansible-user.yml"
 - import_playbook: "logging.yml"
+- import_playbook: "trust-store.yml"
 - import_playbook: "proxy.yml"
 - import_playbook: "apt.yml"
 - import_playbook: "dnf.yml"

@@ -28,6 +28,7 @@
       subnets:
         - name: "{{ kolla_ironic_inspection_network }}"
           cidr: "{{ inspection_net_name | net_cidr }}"
+          dns_nameservers: "{{ inspection_net_name | net_neutron_dns_servers | default(omit, True) }}"
           gateway_ip: "{{ inspection_net_name | net_neutron_gateway or provision_wl_net_name | net_gateway | default(omit, True) }}"
           allocation_pool_start: "{{ inspection_net_name | net_neutron_allocation_pool_start }}"
           allocation_pool_end: "{{ inspection_net_name | net_neutron_allocation_pool_end }}"
@@ -42,6 +43,7 @@
       subnets:
         - name: "{{ kolla_ironic_provisioning_network }}"
           cidr: "{{ provision_wl_net_name | net_cidr }}"
+          dns_nameservers: "{{ provision_wl_net_name | net_neutron_dns_servers | default(omit, True) }}"
           gateway_ip: "{{ provision_wl_net_name | net_neutron_gateway or provision_wl_net_name | net_gateway | default(omit, True) }}"
           allocation_pool_start: "{{ provision_wl_net_name | net_neutron_allocation_pool_start }}"
           allocation_pool_end: "{{ provision_wl_net_name | net_neutron_allocation_pool_end }}"
@@ -56,6 +58,7 @@
       subnets:
         - name: "{{ kolla_ironic_cleaning_network }}"
           cidr: "{{ cleaning_net_name | net_cidr }}"
+          dns_nameservers: "{{ cleaning_net_name | net_neutron_dns_servers | default(omit, True) }}"
           gateway_ip: "{{ cleaning_net_name | net_neutron_gateway or cleaning_net_name | net_gateway | default(omit, True) }}"
           allocation_pool_start: "{{ cleaning_net_name | net_neutron_allocation_pool_start }}"
           allocation_pool_end: "{{ cleaning_net_name | net_neutron_allocation_pool_end }}"

@@ -129,6 +129,9 @@ control
 compute
 network
 
+[neutron-ovn-vpn-agent:children]
+neutron
+
 # Cinder
 [cinder-api:children]
 cinder
@@ -410,6 +413,10 @@ monitoring
 [prometheus-libvirt-exporter:children]
 compute
 
+[prometheus-openstack-network-exporter:children]
+compute
+network
+
 [prometheus-valkey-exporter:children]
 valkey
 

@@ -9,7 +9,9 @@
 [{{ group }}]
 # These hostnames must be resolvable from your deployment host
 {% for host in groups.get(group, []) %}
+{%- if hostvars[host].kolla_overcloud_inventory_pass_through_enabled | default(true) | bool -%}
 {{ host }}
+{%- endif -%}
 {% endfor %}
 
 {% endfor %}

@@ -23,4 +23,13 @@
 
     - name: Force hardware clock synchronisation
       command: hwclock --systohc
+
+    - name: Wait for system clock to be synchronized (up to 10 minutes)
+      become: True
+      ansible.builtin.command: timedatectl show --property=NTPSynchronized --value
+      register: sync_check
+      until: sync_check.stdout | trim == "yes"
+      retries: 60
+      delay: 10
+      failed_when: sync_check.rc != 0
   when: ntp_force_sync | bool
@@ -0,0 +1,8 @@
+---
+trust_store_ca_certificates: []
+trust_store_ca_path_debian: /usr/local/share/ca-certificates
+trust_store_ca_path_redhat: /etc/pki/ca-trust/source/anchors
+trust_store_ca_path: "{{ lookup('vars', 'trust_store_ca_path_' ~ ansible_facts.os_family | lower) }}"
+trust_store_update_cmd_debian: update-ca-certificates
+trust_store_update_cmd_redhat: update-ca-trust
+trust_store_update_cmd: "{{ lookup('vars', 'trust_store_update_cmd_' ~ ansible_facts.os_family | lower) }}"
@@ -0,0 +1,16 @@
+---
+- name: Copy custom CA to system trust store ({{ trust_store_ca_path }})
+  copy:
+    src: "{{ item }}"
+    dest: "{{ trust_store_ca_path }}/{{ item | basename }}"
+    owner: root
+    group: root
+    mode: "0660"
+  loop: "{{ trust_store_ca_certificates }}"
+  register: trust_store_copy_result
+  become: true
+
+- name: Update system trust store
+  command: "{{ trust_store_update_cmd }}"
+  become: true
+  when: trust_store_copy_result is changed
@@ -2,6 +2,7 @@
 - import_playbook: "ssh-known-host.yml"
 - import_playbook: "kayobe-ansible-user.yml"
 - import_playbook: "logging.yml"
+- import_playbook: "trust-store.yml"
 - import_playbook: "proxy.yml"
 - import_playbook: "apt.yml"
 - import_playbook: "dnf.yml"

@@ -2,6 +2,7 @@
 - import_playbook: "ssh-known-host.yml"
 - import_playbook: "kayobe-ansible-user.yml"
 - import_playbook: "logging.yml"
+- import_playbook: "trust-store.yml"
 - import_playbook: "proxy.yml"
 - import_playbook: "apt.yml"
 - import_playbook: "dnf.yml"

@@ -0,0 +1,21 @@
+---
+- name: Add custom CAs to system trust store
+  hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control
+  gather_facts: true
+  max_fail_percentage: >-
+    {{ trust_store_max_fail_percentage |
+       default(host_configure_max_fail_percentage) |
+       default(kayobe_max_fail_percentage) |
+       default(100) }}
+  vars:
+    ansible_user: "{{ bootstrap_user }}"
+    # We can't assume that a virtualenv exists at this point, so use the
+    # system python interpreter.
+    ansible_python_interpreter: /usr/bin/python3
+  tags:
+    - config
+    - trust-store
+  tasks:
+    - name: Include trust-store role
+      include_role:
+        name: trust-store
@@ -63,6 +63,118 @@ For example::
 To execute the command with root privileges, add the ``--become`` argument.
 Adding the ``--verbose`` argument allows the output of the command to be seen.
 
+Provisioning Hosts Without Kolla Services
+==========================================
+
+Sometimes it may be necessary to provision hosts that are not included in the
+Kolla Ansible inventory - for example, external storage nodes such as Lustre
+fileservers, or other infrastructure nodes that require network configuration
+and system setup but should not run OpenStack services.
+
+By default, hosts in groups mapped by ``kolla_overcloud_inventory_top_level_group_map``
+are automatically included in the Kolla Ansible inventory. To exclude a group of
+hosts from the Kolla Ansible inventory, do not map that group in
+``kolla_overcloud_inventory_top_level_group_map``.
+
+When a group is excluded from the Kolla Ansible inventory, the following
+variables are not required for hosts in that group:
+
+- ``kolla_internal_vip_address``
+- ``kolla_internal_fqdn``
+- ``kolla_network_interface``
+- ``kolla_api_interface``
+
+The hosts can still be provisioned and configured via Kayobe playbooks, allowing
+you to use Kayobe for complete infrastructure provisioning while selectively
+excluding certain hosts from Kolla Ansible deployments.
+
+Example: Provision an external storage group
+----------------------------------------------
+
+If you are using bifrost, follow the regular process to enroll the servers.
+Configure ``overcloud_group_hosts_map`` to map the hosts into an appropriate
+group:
+
+.. code-block:: yaml
+   :caption: ``$KAYOBE_CONFIG_PATH/overcloud.yml``
+
+   overcloud_group_hosts_map:
+     lustre-servers:
+       - lustre-server-01
+       - lustre-server-02
+
+These hosts must also be configured to be members of the ``overcloud`` group:
+
+.. code-block:: ini
+   :caption: ``$KAYOBE_CONFIG_PATH/inventory/groups``
+
+   # Empty group declaration. kayobe overcloud inventory discover will
+   # populate this group from bifrost inventory.
+   [lustre-servers]
+
+   # The hosts must be members of the overcloud group
+   [overcloud:children]
+   lustre-servers
+
+You can then run  ``kayobe overcloud inventory discover`` to automatically
+populate the ``lustre-servers`` group.
+
+Alternatively, you can provision these hosts by some other means: either
+manually or by using an alternative provisioning tool. You would then manually
+add these to your inventory.
+
+.. code-block:: ini
+   :caption: ``$KAYOBE_CONFIG_PATH/inventory/groups``
+
+   # This example demonstrates how you can add hosts that are not provisioned
+   # by bifrost e.g deployed by some external provisioning tool.
+
+   [lustre-servers]
+   lustre-server-01
+   lustre-server-02
+
+   # The hosts must be members of the overcloud group
+   [overcloud:children]
+   lustre-servers
+
+Ensuring that the IPs used to access these servers are correctly set in
+``network-allocations.yml``.
+
+Ensure the hosts are not mapped through to the kolla inventory:
+
+  .. code-block:: yaml
+   :caption: ``$KAYOBE_CONFIG_PATH/kolla.yml``
+
+   # Define the Kolla group mapping without including lustre-servers
+   kolla_overcloud_inventory_top_level_group_map:
+     control:
+       groups:
+         - controllers
+     network:
+       groups:
+         - network
+     compute:
+       groups:
+         - compute
+     compute-vgpu:
+       groups:
+         - compute-vgpu
+     monitoring:
+       groups:
+         - monitoring
+     storage:
+       groups:
+         - storage
+     # lustre-servers group is intentionally not mapped
+
+The hosts can then be configured using::
+
+    (kayobe) $ kayobe overcloud host configure --limit lustre-servers
+
+This will apply host configuration and network setup. ``kayobe overcloud service
+deploy`` will be a no-op for these hosts as they will not be mapped to the
+Kolla Ansible inventory.
+
 .. _overcloud-administration-reconfigure:
 
 Reconfiguring Containerised Services