Add skupper for BKL and keystone to SKMO job #3836
vakwetu wants to merge 2 commits into openstack-k8s-operators:main
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
e91b57c to 74abdbd
74abdbd to f87154f
f87154f to 64dea66
64dea66 to d3f6a8e
d3f6a8e to 6368ac0
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/451747df4e864222b9ec4411ae75617d
✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 42m 53s
3502950 to c88378c
| until: | ||
| - _rabbitmq_cluster.resources | length > 0 | ||
| - _rabbitmq_cluster.resources[0].spec.tls is defined | ||
| - _rabbitmq_cluster.resources[0].spec.tls.secretName is defined |
(blocking) suggestion: I think we should add: _rabbitmq_cluster.resources[0].spec.tls.secretName | length > 0. So now we're checking it's actually populated.
Done in latest commit
| cifmw_skupper_upstream_install_url: "https://skupper.io/v2/install.yaml" | ||
| cifmw_skupper_downstream_install_file: "" | ||
| tasks: | ||
| - name: Check if Skupper CRD is already present |
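Review bot: cifmw_skupper_upstream_install_url defaults to https://skupper.io/v2/install.yaml, which pins only the major version, so the manifest the job applies can change between runs without any change in this repository. Suggest defaulting to a versioned release manifest and, where the content is fetched before it is applied, checking it against a known checksum; cifmw_skupper_downstream_install_file on the next line is a natural place for a mirrored, pinned copy.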
praise: I like this: can we add this in other playbooks? Like in listener and connector?
Done in latest commit.
| transport_url = rabbit://{{ _username }}:{{ _password }}@{{ cifmw_skupper_listener_host }}:{{ cifmw_skupper_rabbitmq_port }}/?ssl=1 | ||
| [keystone_notifications] | ||
| pool_name = barbican-listener-regionTwo | ||
| pool_name = barbican-listener-regiontwo |
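Review bot: the transport_url line renders {{ _username }} and {{ _password }} straight into the URL, so a password containing characters such as @, / or : yields a URL that parses incorrectly, and the rendered text carries the credential in clear. Suggest passing both values through the urlencode filter, setting no_log: true on the tasks that template or apply this snippet, and confirming the result is stored in a Secret rather than a ConfigMap or a job log.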
(non-blocking) concern: Is this camelCase removal required?
The name doesn't matter as long as it's unique. This parameter isn't referenced anywhere else. Non-camelcase is more consistent across the playbook.
| - _skupper_crd.resources | length == 0 | ||
| - cifmw_skupper_install_source == 'upstream' | ||
| ansible.builtin.command: | ||
| cmd: "oc apply -f {{ cifmw_skupper_upstream_install_url }}" |
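Review bot: the install is gated only on _skupper_crd.resources | length == 0, so a cluster where the CRD exists but the Skupper controller is missing or comes from a different release skips the install and fails later in the listener or connector hooks. Suggest also checking that the controller deployment is present and ready, or making the apply idempotent and running it unconditionally.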
(blocking) question: I'd like to see kubernetes.core.k8s. Probably in two tasks: one with ansible.builtin.uri to fetch the content and save in a var, and then one of kubernetes.core.k8s with the variable.content and state as present.
Done in latest commit
| - _skupper_crd.resources | length == 0 | ||
| - cifmw_skupper_install_source == 'downstream' | ||
| - cifmw_skupper_downstream_install_file | length > 0 | ||
| ansible.builtin.command: |
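Review bot: with cifmw_skupper_install_source == 'downstream' and an empty cifmw_skupper_downstream_install_file, the third when condition makes this task skip silently and Skupper is never installed. Suggest an ansible.builtin.assert before the install tasks that requires a non-empty file path when the source is downstream and rejects values of cifmw_skupper_install_source other than upstream and downstream.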
(blocking) question: I'd like to see kubernetes.core.k8s.
Done in latest commit
c88378c to 89a9ef9
52c399b to 7b01c17
The existing hook_controlplane_config.yml assumed the OpenStackControlPlane (OSCP) was not yet present, which is correct for the component / CRC pipeline. The SKMO integration pipeline runs after kustomize_deploy has already brought up the OSCP, so it needs a different hook that reads the live OSCP, preserves existing CA bundle data, and patches the resource in place.

Split into two task files:
- hook_controlplane_config.yml (pre-deploy / component pipeline, unchanged)
- hook_controlplane_config_postdeploy.yml (post-deploy / SKMO pipeline)

Add a new playbook federation-controlplane-config-postdeploy.yml that wraps the new post-deploy task file.

The architecture/automation/vars/multi-namespace-skmo.yaml is updated separately to call the new post-deploy playbook.

Fix variable names in both task files to use the required cifmw_ prefix so they pass the var-naming[pattern] rule enforced by ansible-lint.

Relates-To: OSPCIX-1321
Signed-off-by: Ade Lee <alee@redhat.com>
Co-authored-by: Claude Sonnet 4.6 <no-reply@anthropic.com>
Made-with: Cursor
7b01c17 to 82dfda1
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/faf40921ee674e6c9ef0143267a03148
✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 17m 33s
| # MetalLB address-pool name for the leaf internalapi network. An IP is | ||
| # auto-assigned from this pool; no static address is required. | ||
| - name: Configure leaf region to use Skupper Keystone internal endpoint | ||
| hosts: localhost |
We used to use hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
…uting

Add hook playbooks and configuration to establish Skupper virtual services for RabbitMQ and Keystone internal endpoints, enabling cross-region connectivity in the multi-namespace SKMO scenario.

skupper-connector.yaml: query the RabbitMQ TLS secret from the correct CRD - rabbitmq.openstack.org/v1beta1 (RabbitMq) as used by the OpenStack infra-operator, not the community rabbitmq.com/v1beta1 (RabbitmqCluster). Add retries to wait for spec.tls.secretName to be populated before creating the Skupper Connector.

skupper-keystone-connector.yaml: add retries to the KeystoneAPI CR lookup to wait for spec.tls.api.internal.secretName to be available, since that field is not populated until Keystone completes TLS setup.

configure-leaf-keystone-internal.yaml: after patching the leaf OSCP to use the Skupper Keystone virtual service, also create a MetalLB LoadBalancer Service (keystone-regionone-lb) and a DNSData CR (keystone-skupper) so that EDPM compute nodes outside the OCP cluster can resolve and connect to the Keystone auth_url. The Skupper Listener creates a ClusterIP-only Service that is unreachable from EDPM nodes; the LoadBalancer Service obtains a MetalLB IP on the leaf internalapi network and the DNSData entry registers both the short (.svc) and fully-qualified (.svc.cluster.local) names in the dnsmasq instance serving those nodes.

Signed-off-by: Ade Lee <alee@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
Made-with: Cursor
82dfda1 to 2190966
Note: the prefix check is failing because the earliest commit contains [federation] changes. Once #3847 is merged, then I will rebase and federation role changes will no longer be in this or subsequent PRs.
[skmo] Add Skupper for cross-region RabbitMQ and Keystone internal routing

Add hook playbooks and configuration to establish Skupper virtual
services for RabbitMQ and Keystone internal endpoints, enabling
cross-region connectivity in the multi-namespace SKMO scenario.

skupper-connector.yaml: query the RabbitMQ TLS secret from the correct
CRD - rabbitmq.openstack.org/v1beta1 (RabbitMq) as used by the
OpenStack infra-operator, not the community rabbitmq.com/v1beta1
(RabbitmqCluster). Add retries to wait for spec.tls.secretName to
be populated before creating the Skupper Connector.

skupper-keystone-connector.yaml: add retries to the KeystoneAPI CR
lookup to wait for spec.tls.api.internal.secretName to be available,
since that field is not populated until Keystone completes TLS setup.

configure-leaf-keystone-internal.yaml: after patching the leaf OSCP
to use the Skupper Keystone virtual service, also create a MetalLB
LoadBalancer Service (keystone-regionone-lb) and a DNSData CR
(keystone-skupper) so that EDPM compute nodes outside the OCP cluster
can resolve and connect to the Keystone auth_url. The Skupper Listener
creates a ClusterIP-only Service that is unreachable from EDPM nodes;
the LoadBalancer Service obtains a MetalLB IP on the leaf internalapi
network and the DNSData entry registers both the short (.svc) and
fully-qualified (.svc.cluster.local) names in the dnsmasq instance
serving those nodes.