Merge branch 'main' into renovate/github.com-google-go-github-v55-74.x

Author: abhimanyu003

components/keystone/kustomization.yaml

@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
+  - secret-keystone-keys.yaml
   - keystone-mariadb-db.yaml
   - keystone-rabbitmq-queue.yaml
   - external-secret-keystone-sso.yaml

components/keystone/secret-keystone-keys.yaml

@@ -0,0 +1,17 @@
+# Explicitly define this secret as empty so that OpenStack Helm does not
+# create it for us because it will put helm hook annotations on the one
+# it generates. This causes the secret to get re-generated by subsequent
+# helm runs. Specifically ArgoCD cleans up anything with a helm hook
+# before applying the chart again. We do not want this to go away and
+# instead allow other jobs to update it so it should persist.
+# TODO: remove after https://review.opendev.org/c/openstack/openstack-helm/+/959251 is released.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-fernet-keys
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-credential-keys

components/keystone/values.yaml

@@ -306,6 +306,9 @@ manifests:
   secret_db: false
   secret_keystone: true
   service_ingress_api: false
+  # these next two we create ourselves to avoid helm hooks issues
+  secret_credential_keys: false
+  secret_fernet_keys: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm

components/openstack/templates/mariadb-instance.yaml.tpl

@@ -7,14 +7,16 @@ metadata:
     # do not allow ArgoCD to delete our DB
     argocd.argoproj.io/sync-options: Delete=false
 spec:
-  rootPasswordSecretKeyRef: {{ .Values.mariadb.rootPasswordSecretKeyRef | toJson }}
+  rootPasswordSecretKeyRef:
+{{ toYaml .Values.mariadb.rootPasswordSecretKeyRef | indent 4 }}
 
   # renovate: datasource=docker
   image: docker-registry1.mariadb.com/library/mariadb:11.4.4
   imagePullPolicy: IfNotPresent
 
   port: 3306
-  storage: {{ .Values.mariadb.storage | toJson }}
+  storage:
+{{ toYaml .Values.mariadb.storage | indent 4 }}
   replicas: {{ .Values.mariadb.replicas }}
   service:
     type: ClusterIP

components/openstack/values.schema.json

@@ -0,0 +1,144 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "OpenStack Helm Chart Values",
+  "description": "Schema for OpenStack component values.yaml configuration",
+  "type": "object",
+  "properties": {
+    "mariadb": {
+      "type": "object",
+      "description": "OpenStack mariadb instance settings",
+      "properties": {
+        "rootPasswordSecretKeyRef": {
+          "type": "object",
+          "description": "Root password settings",
+          "properties": {
+            "name": {
+              "type": "string",
+              "description": "Secret name containing the root password"
+            },
+            "key": {
+              "type": "string",
+              "description": "Key within the secret containing the password"
+            },
+            "generate": {
+              "type": "boolean",
+              "description": "Whether to generate the password if it doesn't exist"
+            }
+          },
+          "required": ["name", "key"],
+          "additionalProperties": false
+        },
+        "storage": {
+          "type": "object",
+          "description": "Storage settings",
+          "properties": {
+            "size": {
+              "type": "string",
+              "pattern": "^[0-9]+(Gi|G|Mi|M|Ki|K)$",
+              "description": "Storage size (e.g., 10Gi)"
+            },
+            "resizeInUseVolumes": {
+              "type": "boolean",
+              "description": "Enable resizing volumes while in use"
+            },
+            "waitForVolumeResize": {
+              "type": "boolean",
+              "description": "Wait for volume resize to complete"
+            },
+            "volumeClaimTemplate": {
+              "type": "object",
+              "description": "Volume claim template configuration",
+              "properties": {
+                "storageClassName": {
+                  "type": "string",
+                  "description": "Storage class name for the volume"
+                },
+                "accessModes": {
+                  "type": "array",
+                  "items": {
+                    "type": "string",
+                    "enum": ["ReadWriteOnce", "ReadOnlyMany", "ReadWriteMany"]
+                  },
+                  "description": "Access modes for the volume"
+                },
+                "resources": {
+                  "type": "object",
+                  "properties": {
+                    "requests": {
+                      "type": "object",
+                      "properties": {
+                        "storage": {
+                          "type": "string",
+                          "pattern": "^[0-9]+(Gi|G|Mi|M|Ki|K)$",
+                          "description": "Storage request size"
+                        }
+                      },
+                      "additionalProperties": false
+                    }
+                  },
+                  "additionalProperties": false
+                }
+              },
+              "additionalProperties": false
+            }
+          },
+          "additionalProperties": false
+        },
+        "replicas": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "Number of MariaDB replicas (Galera cluster size)"
+        }
+      },
+      "additionalProperties": false
+    },
+    "rabbitmq": {
+      "type": "object",
+      "description": "OpenStack RabbitMQ instance settings",
+      "properties": {
+        "persistence": {
+          "type": "object",
+          "description": "Storage persistence settings",
+          "additionalProperties": true
+        }
+      },
+      "additionalProperties": false
+    },
+    "extraObjects": {
+      "type": "array",
+      "description": "Array of extra Kubernetes manifests to deploy",
+      "items": {
+        "type": "object",
+        "properties": {
+          "apiVersion": {
+            "type": "string",
+            "description": "Kubernetes API version"
+          },
+          "kind": {
+            "type": "string",
+            "description": "Kubernetes resource kind"
+          },
+          "metadata": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              },
+              "namespace": {
+                "type": "string"
+              }
+            },
+            "additionalProperties": true
+          },
+          "spec": {
+            "type": "object",
+            "additionalProperties": true
+          }
+        },
+        "required": ["apiVersion", "kind"],
+        "additionalProperties": true
+      }
+    }
+  },
+  "additionalProperties": false
+}

containers/nova/patches/ironic-attach-debug.patch

@@ -0,0 +1,22 @@
+diff --git a/nova/virt/ironic/driver.py b/nova/virt/ironic/driver.py
+index 64ccdaa50c..cf7cc872d8 100644
+--- a/nova/virt/ironic/driver.py
++++ b/nova/virt/ironic/driver.py
+@@ -2237,3 +2237,17 @@ class IronicDriver(virt_driver.ComputeDriver):
+         """IronicDriver manages port bindings for baremetal instances.
+         """
+         return True
++
++    def attach_volume(self, context, connection_info, instance, mountpoint,
++                      disk_bus=None, device_type=None, encryption=None):
++        """Attach the disk to the instance at mountpoint using info.
++
++        :raises TooManyDiskDevices: if the maximum allowed devices to attach
++                                    to a single instance is exceeded.
++        """
++        LOG.debug("attach_volume connection_info %s", connection_info, instance=instance)
++
++    def detach_volume(self, context, connection_info, instance, mountpoint,
++                      encryption=None):
++        """Detach the disk attached to the instance."""
++        LOG.debug("detach_volume connection_info %s", connection_info, instance=instance)

containers/nova/patches/series

@@ -1 +1,2 @@
 0001_trunk_details_metadata.patch
+ironic-attach-debug.patch

docs/deploy-guide/config-openstack.md

@@ -0,0 +1,171 @@
+# Configuring OpenStack (Shared)
+
+The `openstack` component provides shared infrastructure and prerequisites for all OpenStack services in UnderStack. This includes database, messaging, and common resources needed by individual OpenStack services like Keystone, Nova, Neutron, and Ironic.
+
+## Overview
+
+The OpenStack component is a Helm chart that creates:
+
+- **MariaDB cluster** - Primary database for OpenStack services
+- **RabbitMQ cluster** - Message broker for OpenStack communication
+- **Shared secrets and credentials** - Common authentication resources
+- **Kubernetes Service accounts** - Kubernetes RBAC for workflow automation
+- **External secret stores** - Integration with external secret management
+
+## Configuration
+
+Configure the OpenStack component by editing `$DEPLOY_NAME/helm-configs/openstack.yaml` in your deployment repository.
+
+### MariaDB Database Configuration
+
+The MariaDB cluster provides the primary database for OpenStack services:
+
+```yaml
+mariadb:
+  # Root password configuration
+  rootPasswordSecretKeyRef:
+    name: mariadb
+    key: root-password
+    generate: true  # Auto-generate if not provided
+
+  # Storage configuration
+  storage:
+    size: 10Gi
+    resizeInUseVolumes: true
+    waitForVolumeResize: true
+    volumeClaimTemplate:
+      storageClassName: ceph-block-single
+      accessModes:
+        - ReadWriteOnce
+      resources:
+        requests:
+          storage: 10Gi
+
+  # Enable Galera cluster with 3 replicas for HA
+  replicas: 3
+```
+
+#### Storage Considerations
+
+- **Size**: Start with 10Gi minimum, scale based on your deployment size
+- **Storage Class**: Use your cluster's high-performance storage class
+- **Replicas**: 3 replicas provide high availability via Galera clustering
+- **Resize**: Enable volume resizing for future scaling needs
+
+### RabbitMQ Message Broker Configuration
+
+RabbitMQ handles inter-service communication for OpenStack:
+
+```yaml
+rabbitmq:
+  # Configure persistent storage for message queues
+  persistence:
+    enabled: true
+    size: 8Gi
+    storageClassName: ceph-block-single
+```
+
+### Additional Kubernetes Resources
+
+Use `extraObjects` to deploy additional Kubernetes manifests alongside the OpenStack component:
+
+```yaml
+extraObjects:
+  - apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: openstack-credentials
+    spec:
+      secretStoreRef:
+        kind: ClusterSecretStore
+        name: vault-backend
+      target:
+        name: openstack-admin-credentials
+      dataFrom:
+        - extract:
+            key: openstack/admin
+```
+
+## Integration with OpenStack Services
+
+Individual OpenStack services (Keystone, Nova, Neutron, etc.) depend on resources created by this component:
+
+- **Database**: Each service gets dedicated MariaDB databases
+- **Messaging**: Services connect to the shared RabbitMQ cluster
+- **Secrets**: Common credentials are managed centrally
+- **Kubernetes Service Accounts**: Argo Workflows automation uses shared service accounts
+
+## Security Considerations
+
+### Secret Management
+
+- Use External Secrets Operator for production deployments
+- Rotate database and RabbitMQ credentials regularly
+- Ensure proper RBAC for service accounts
+
+### Network Security
+
+- Configure network policies to restrict inter-pod communication
+- Use TLS for all database and message broker connections
+- Isolate OpenStack traffic using Kubernetes namespaces
+
+## Monitoring and Observability
+
+The OpenStack component integrates with cluster monitoring:
+
+```yaml
+# Enable monitoring for MariaDB
+mariadb:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
+# Enable monitoring for RabbitMQ
+rabbitmq:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+```
+
+## Troubleshooting
+
+### Database Connection Issues
+
+If OpenStack services can't connect to MariaDB:
+
+1. Check MariaDB pod status: `kubectl get pods -l app=mariadb`
+2. Verify service endpoints: `kubectl get endpoints mariadb`
+3. Test connectivity from a service pod: `kubectl exec -it <pod> -- mysql -h mariadb -u root -p`
+
+### Message Queue Problems
+
+For RabbitMQ connectivity issues:
+
+1. Check RabbitMQ cluster status: `kubectl exec -it rabbitmq-0 -- rabbitmqctl cluster_status`
+2. Verify queue status: `kubectl exec -it rabbitmq-0 -- rabbitmqctl list_queues`
+3. Check service connectivity: `kubectl get svc rabbitmq`
+
+### Resource Scaling
+
+To scale the database cluster:
+
+```yaml
+mariadb:
+  replicas: 5  # Scale to 5 nodes
+  storage:
+    size: 50Gi  # Increase storage per node
+```
+
+Apply changes and monitor the scaling process:
+
+```bash
+kubectl get pods -l app=mariadb -w
+```
+
+## Related Documentation
+
+- [Component Configuration](./component-config.md) - General component configuration patterns
+- [Override OpenStack Service Config](./override-openstack-svc-config.md) - Service-specific configuration overrides
+- [Deploy Repo](./deploy-repo.md) - Deployment repository structure