Add multi-namespace SKMO support for Barbican cross-region listener

Configure the multi-namespace SKMO scenario with:
- SKMO-specific control-plane kustomization for the central region
  with barbican-keystone-listener pool_name and RabbitMQ memory
  reduction (4Gi -> 2Gi) for compact clusters
- Barbican keystone listener pool_name configuration for both
  central (regionOne) and leaf (regionTwo) regions
- Automation stages updated to reference SKMO-specific paths
- Post-stage hook for populating cross-region transport URL
- Wait conditions adjusted for parallel deployment
- Correct keystone endpoint values for leaf region
- CA trust configuration between central and leaf regions

Author: vakwetu

.ci/validate-schema-paths.py

@@ -38,7 +38,8 @@ def __validate(self, scenario):
             print('[OK]')
             for val in stage['values']:
                 f = val['src_file']
-                _path = source / f
+                # Allow src_file paths to traverse outside the stage path
+                _path = (source / f).resolve()
                 print(f'    Checking source file: {_path}', end='  ')
                 assert _path.is_file(), f'!! {_path} does not exist'
                 print('[OK]')

automation/net-env/multi-namespace-skmo.yaml

@@ -0,0 +1 @@
+multi-namespace.yaml

automation/vars/multi-namespace-skmo.yaml

@@ -0,0 +1,188 @@
+---
+vas:
+  multi-namespace-skmo:
+    stages:
+      - name: namespace-configuration    # stage 0
+        path: examples/va/multi-namespace/namespace
+        wait_conditions:
+          - >-
+            oc -n default wait ns openstack2
+            --for jsonpath='{.status.phase}'=Active
+            --timeout=5m
+        values:
+          - name: namespace-values
+            src_file: values.yaml
+        build_output: namespace.yaml
+
+      - name: nncp-configuration    # stage 1
+        path: examples/va/multi-namespace/control-plane/networking/nncp
+        wait_conditions:
+          # We don't wait for these NNCPs at this stage, because we'll wait for
+          # both namespaces in the next stage so that they can deploy in parallel
+          # to save time
+          - >-
+            oc -n default wait ns openstack2
+            --for jsonpath='{.status.phase}'=Active
+            --timeout=5m
+        values:
+          - name: network-values
+            src_file: values.yaml
+        build_output: nncp.yaml
+
+      - name: nncp-configuration2    # stage 2
+        path: examples/va/multi-namespace/control-plane2/networking/nncp
+        wait_conditions:
+          - >-
+            oc -n openstack wait nncp
+            -l osp/nncm-config-type=standard
+            --for jsonpath='{.status.conditions[0].reason}'=SuccessfullyConfigured
+            --timeout=5m
+        values:
+          - name: network-values2
+            src_file: values.yaml
+        build_output: nncp2.yaml
+
+      - name: network-configuration    # stage 3
+        path: examples/va/multi-namespace/control-plane/networking
+        wait_conditions:
+          - >-
+            oc -n metallb-system wait pod
+            -l app=metallb -l component=speaker
+            --for condition=Ready
+            --timeout=5m
+        values:
+          - name: network-values
+            src_file: nncp/values.yaml
+        build_output: network.yaml
+
+      - name: network-configuration2    # stage 4
+        path: examples/va/multi-namespace/control-plane2/networking
+        wait_conditions:
+          - >-
+            oc -n metallb-system wait pod
+            -l app=metallb -l component=speaker
+            --for condition=Ready
+            --timeout=5m
+        values:
+          - name: network-values2
+            src_file: nncp/values.yaml
+        build_output: network2.yaml
+
+      - name: control-plane    # stage 5
+        path: examples/va/multi-namespace-skmo/control-plane
+        wait_conditions:
+          # Just confirm the central OSCP CR exists in the API server.
+          # The pre_stage_run of stage 6 (prepare-leaf.yaml) will use
+          # Ansible retry logic to wait for Keystone and openstackclient
+          # readiness before proceeding, allowing parallel deployment.
+          - >-
+            oc -n openstack wait osctlplane controlplane
+            --for jsonpath='{.metadata.name}'=controlplane
+            --timeout=5m
+        values:
+          - name: service-values
+            src_file: service-values.yaml
+          - name: network-values
+            src_file: ../../multi-namespace/control-plane/networking/nncp/values.yaml
+        build_output: ../control-plane.yaml
+
+      - pre_stage_run:    # stage 6
+          - name: Prepare SKMO leaf prerequisites in regionZero
+            type: playbook
+            source: "../../playbooks/skmo/prepare-leaf.yaml"
+            inventory: "${HOME}/ci-framework-data/artifacts/zuul_inventory.yml"
+        name: control-plane2    # stage 6
+        path: examples/va/multi-namespace-skmo/control-plane2
+        wait_conditions:
+          - >-
+            oc -n openstack wait osctlplane controlplane --for condition=Ready
+            --timeout=60m
+          - >-
+            oc -n openstack2 wait osctlplane controlplane --for condition=Ready
+            --timeout=60m
+        values:
+          - name: service-values
+            src_file: service-values.yaml
+          - name: network-values2
+            src_file: ../../multi-namespace/control-plane2/networking/nncp/values.yaml
+        build_output: ../control-plane2.yaml
+        post_stage_run:
+          - name: Trust leaf region CA in central region
+            type: playbook
+            source: "../../playbooks/skmo/trust-leaf-ca.yaml"
+            inventory: "${HOME}/ci-framework-data/artifacts/zuul_inventory.yml"
+          - name: Ensure central control plane uses custom CA bundle
+            type: playbook
+            source: "../../playbooks/skmo/ensure-central-ca-bundle.yaml"
+            inventory: "${HOME}/ci-framework-data/artifacts/zuul_inventory.yml"
+          - name: Configure barbican-keystone-listener transport URL for leaf region
+            type: playbook
+            source: "../../playbooks/skmo/configure-leaf-listener.yaml"
+            inventory: "${HOME}/ci-framework-data/artifacts/zuul_inventory.yml"
+
+      - name: edpm-nodeset    # stage 7
+        path: examples/va/multi-namespace/edpm/nodeset
+        wait_conditions:
+          # We don't wait for this namespace's OpenStackDataPlaneNodeSet at
+          # this stage, because we'll wait for both namespaces in the next
+          # stage so that they can deploy in parallel to save time
+          - >-
+            oc -n default wait ns openstack2
+            --for jsonpath='{.status.phase}'=Active
+            --timeout=5m
+        values:
+          - name: edpm-nodeset-values
+            src_file: values.yaml
+        build_output: nodeset.yaml
+
+      - pre_stage_run:    # stage 8
+          - name: Get OpenStackDataPlaneServices for openstack2 namespace
+            type: playbook
+            source: "../../playbooks/multi-namespace/ns2_osdp_services.yaml"
+            inventory: "${HOME}/ci-framework-data/artifacts/zuul_inventory.yml"
+        name: edpm-nodeset2
+        path: examples/va/multi-namespace/edpm2/nodeset
+        wait_conditions:
+          - >-
+            oc -n openstack wait
+            osdpns openstack-edpm --for condition=SetupReady
+            --timeout=10m
+          - >-
+            oc -n openstack2 wait
+            osdpns openstack-edpm --for condition=SetupReady
+            --timeout=10m
+        values:
+          - name: edpm-nodeset2-values
+            src_file: values.yaml
+        build_output: nodeset2.yaml
+
+      - name: edpm-deployment    # stage 9
+        path: examples/va/multi-namespace/edpm
+        wait_conditions:
+          # We don't wait for this namespace's OpenStackDataPlaneDeployment at
+          # this stage, because we'll wait for both namespaces in the next
+          # stage so that they can deploy in parallel to save time
+          - >-
+            oc -n default wait ns openstack2
+            --for jsonpath='{.status.phase}'=Active
+            --timeout=5m
+        values:
+          - name: edpm-deployment-values
+            src_file: values.yaml
+        build_output: deployment.yaml
+
+      - name: edpm-deployment2    # stage 10
+        path: examples/va/multi-namespace/edpm2
+        wait_conditions:
+          - >-
+            oc -n openstack wait
+            osdpns openstack-edpm --for condition=Ready
+            --timeout=60m
+          - >-
+            oc -n openstack2 wait
+            osdpns openstack-edpm --for condition=Ready
+            --timeout=60m
+        values:
+          - name: edpm-deployment2-values
+            src_file: values.yaml
+        build_output: deployment2.yaml

examples/va/multi-namespace-skmo/.gitignore

@@ -0,0 +1,11 @@
+namespace.yaml
+nncp.yaml
+nncp2.yaml
+networking.yaml
+networking2.yaml
+control-plane.yaml
+control-plane2.yaml
+nodeset.yaml
+nodeset2.yaml
+deployment.yaml
+deployment2.yaml

examples/va/multi-namespace-skmo/control-plane/kustomization.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+components:
+  - ../../multi-namespace/control-plane
+
+patches:
+  - target:
+      kind: ConfigMap
+      name: service-values
+    path: service-values.yaml
+  - target:
+      group: core.openstack.org
+      version: v1beta1
+      kind: OpenStackControlPlane
+      name: controlplane
+    patch: |-
+      - op: replace
+        path: /spec/rabbitmq/templates/rabbitmq/resources/requests/memory
+        value: 2Gi
+      - op: replace
+        path: /spec/rabbitmq/templates/rabbitmq/resources/limits/memory
+        value: 2Gi
+      - op: replace
+        path: /spec/rabbitmq/templates/rabbitmq-cell1/resources/requests/memory
+        value: 2Gi
+      - op: replace
+        path: /spec/rabbitmq/templates/rabbitmq-cell1/resources/limits/memory
+        value: 2Gi
+
+replacements:
+  - source:
+      kind: ConfigMap
+      name: service-values
+      fieldPath: data.barbican.barbicanKeystoneListener.customServiceConfig
+    targets:
+      - select:
+          kind: OpenStackControlPlane
+        fieldPaths:
+          - spec.barbican.template.barbicanKeystoneListener.customServiceConfig
+        options:
+          create: true

examples/va/multi-namespace-skmo/control-plane/service-values.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: service-values
+  annotations:
+    config.kubernetes.io/local-config: "true"
+data:
+  tls:
+    caBundleSecretName: custom-ca-certs
+  barbican:
+    barbicanKeystoneListener:
+      customServiceConfig: |
+        [keystone_notifications]
+        pool_name = barbican-listener-regionOne

examples/va/multi-namespace-skmo/control-plane2/.gitignore

@@ -0,0 +1,3 @@
+nncp2.yaml
+networking2.yaml
+control-plane2.yaml