|
| 1 | +DISCLAIMER: This guide was initially written for a specific client and then retro-fitted as a generic template. To adapt this template to form the basis of a site-specific admin guide, replace all instance of `cloud-name` with the name of the actual cloud that the guide is intended for (then read through the whole document carefully to make sure nothing has been missed) and then remove this note. |
| 2 | + |
| 3 | +# Admin Guide |
| 4 | + |
| 5 | +This guide is intended to serve administrators of the cloud-name Magnum service. |
| 6 | + |
| 7 | +## Background |
| 8 | + |
| 9 | +The OpenStack Magnum service on cloud-name uses the [Cluster API (CAPI) Helm driver](https://opendev.org/openstack/magnum-capi-helm) for Magnum. For general background on this driver and it's goals, see https://stackhpc.com/magnum-clusterapi.html. |
| 10 | + |
| 11 | +The core tenet of Cluster API is to use a separate Kubernetes 'management' cluster to manage the lifecycle of 1 or more Kubernetes 'workload' clusters (see [Cluster API Concepts](https://cluster-api.sigs.k8s.io/user/concepts)). The details of how this is achieve are non-essential but for more background see [this blog post](https://www.stackhpc.com/magnum-cluster-api-helm-deep-dive.html). |
| 12 | + |
| 13 | +The Magnum Cluster API Helm driver itself is decoupled from the Cluster API management cluster and Magnum simply expects to be provided a [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file for the target management cluster as part of the Magnum driver set up to allow it to talk to an existing management cluster. It will then use this management cluster to provision Magnum user clusters (otherwise known as 'workload' clusters in CAPI terminology). |
| 14 | + |
| 15 | +Since the management cluster provisioning is outside of Magnum's scope, the cloud-name deployment re-uses StackHPC's [Azimuth](https://azimuth-config.readthedocs.io/en/stable/) tooling for provisioning and maintaining a production-ready management cluster. The Magnum CAPI management cluster is effectively a stripped-down version of an Azimuth deployment with only the bare-minimum feature set required to manage CAPI workload clusters. As such, some (but not all) sections of the [Azimuth operator documentation](https://azimuth-config.readthedocs.io) are relevant to Magnum. The goal of this admin guide is to distill the relevant information from the Azimuth documentation into something more applicable to the cloud-name Magnum service. |
| 16 | + |
| 17 | +## Management Infrastructure |
| 18 | + |
| 19 | +### Infrastructure As Code |
| 20 | + |
| 21 | +The CAPI management cluster is provisioned using the [azimuth-ops](https://github.com/azimuth-cloud/ansible-collection-azimuth-ops?tab=readme-ov-file) Ansible collection, with this repo serving as the cloud-name-specific (i.e 'downstream') version of the generic upstream [azimuth-config](https://github.com/azimuth-cloud/azimuth-config) repository. This downstream repo still 'tracks' the upstream azimuth-config in the sense that updating the cloud-name CAPI management cluster involves syncing this downstream repo with the latest upstream config. (In practice, this should be done via a GitHub / GitLab [scheduled pipeline](https://azimuth-config.readthedocs.io/en/stable/deployment/automation/#automated-upgrades).) |
| 22 | + |
| 23 | +This repo defines a set of cloud-name-specific [config environments](https://azimuth-config.readthedocs.io/en/stable/environments/) which hold configuration overrides required for the cloud-name cloud (e.g. OpenStack network IDs, flavor names, etc). This config is organised into a `cloud-name-base` 'mixin' environment and one ore more 'concrete' environments, for the each CAPI management cluster deployed on the cloud-name system. |
| 24 | + |
| 25 | +In addition, the cloud-name config follows the recommended best practices for [managing secrets](https://azimuth-config.readthedocs.io/en/stable/repository/secrets/) and [storing infrastructure state](https://azimuth-config.readthedocs.io/en/stable/repository/opentofu/); therefore, both of these upstream documentation sections can be read as-is in relation to the cloud-name management cluster deployment. |
| 26 | + |
| 27 | +For a new admin to access the cloud-name CAPI management infrastructure, they must first be granted access to the config repository secrets. This is done by asking an existing admin who already has access to add the new admin's GPG key by following [these instructions](https://azimuth-config.readthedocs.io/en/stable/repository/secrets/#using-gpg-keys). |
| 28 | + |
| 29 | +Once access has been granted (by merging the commit with the new GPG key to the main branch) the new admin can now check out a local copy of the config repo and use it to access the CAPI management cluster and other supporting infrastructure. Before explaining how do to so, the next section provides a brief overview of the relevant OpenStack resources and how they interact with each other. |
| 30 | + |
| 31 | +### A cloud-name Admin's Architecture View |
| 32 | + |
| 33 | +From the perspective of an administrator, the architecture of the cloud-name Magnum service looks something like: |
| 34 | + |
| 35 | + |
| 36 | + |
| 37 | +The remainder of this document explains how to access and troubleshoot each of these components. |
| 38 | + |
| 39 | +### Accessing the Seed VM |
| 40 | + |
| 41 | +The seed VM is the admin's gateway into the CAPI management infrastructure. The seed VM's SSH key and IP address are stored in the GitLab-backed terraform state within the config repo. Therefore, by being granted access to the config repositories secrets, an admin can use the provided helper scripts to fetch this securely stored terraform state and use it to SSH into the seed. A more detailed explanation of this process can be found [here](https://azimuth-config.readthedocs.io/en/stable/debugging/access-k3s/) but the TL;DR is to run the following shell commands from the repo root: |
| 42 | + |
| 43 | +``` |
| 44 | +# Ensure that the Python venv is set up |
| 45 | +./bin/ensure-venv |
| 46 | +
|
| 47 | +# Activate the target environment |
| 48 | +source ./bin/activate cloud-name-prod |
| 49 | +
|
| 50 | +# Install Ansible dependencies |
| 51 | +ansible-galaxy install -f -r requirements.yml |
| 52 | +
|
| 53 | +# Execute the seed-ssh script |
| 54 | +./bin/seed-ssh |
| 55 | +``` |
| 56 | + |
| 57 | +If successful, you should be able to access the seed node via SSH. |
| 58 | + |
| 59 | +### Accessing the Management Cluster |
| 60 | + |
| 61 | +As illustrated in the architecture diagram above, the seed VM has the `kubectl` binary pre-installed, which can be used to interact with both the lightweight k3s cluster and the Magnum management cluster. During the initial deployment, the `kubeconfig` file for the management cluster is written to `~/kubeconfig-capi-mgmt-<config-env-name>.yaml` on the seed. This allows us to use the `--kubeconfig` argument (or the equivalent `KUBECONFIG` environment variable) to authenticate and interact with the Magnum management cluster. |
| 62 | + |
| 63 | +In the Magnum CAPI Helm driver, every Magnum user cluster ends up as a [Helm Release](https://helm.sh/docs/intro/using_helm/#three-big-concepts) (i.e. an installed instance) of the [magnum-capi-helm/openstack-cluster](https://github.com/azimuth-cloud/capi-helm-charts/tree/main/charts/openstack-cluster) chart. Therefore, to obtain a list of all Magnum clusters from the management cluster, we can use: |
| 64 | + |
| 65 | +``` |
| 66 | +helm list --kubeconfig ~/kubeconfig-capi-mgmt-cloud-name-prod.yaml -Aa |
| 67 | +``` |
| 68 | + |
| 69 | +Note: The `-A` means include all namespaces and so this will also show other Helm releases which are installed on the CAPI management cluster to provide. Each Magnum user cluster corresponds to a Helm releases under one of the `magnum-<openstack-project-id>` namespaces. For more details on the various Kubernetes resources which are packaged as part of each Helm release, see https://www.stackhpc.com/magnum-cluster-api-helm-deep-dive.html. |
| 70 | + |
| 71 | +If a Magnum user cluster exists in OpenStack but does not have a corresponding Helm release on the management cluster then this likely means that the Magnum conductor has been unable to communicate with the management cluster for some reason. In such cases, the problem likely lies outside of Cluster API's purview and the starting point for debugging should instead be the Magnum logs on the OpenStack control plane. |
| 72 | + |
| 73 | +## Troubleshooting |
| 74 | + |
| 75 | +### Admin Logs, Monitoring and Alerting |
| 76 | + |
| 77 | +The management cluster has both [kube-prometheus-stack](https://github.com/prometheus-operator/kube-prometheus) (for monitoring various components of the management cluster) and [Loki](https://github.com/grafana/loki) for pod log aggregation. Currently, the monitoring tools on the management cluster are only accessible using an SSH port-forward. A helper script is provide at `./bin/port-forward` in the cloud-name config repository. Using this script, the web dashboards for the various monitoring services can be accessed by running one of |
| 78 | + |
| 79 | +``` |
| 80 | +# Port forward Grafana to localhost |
| 81 | +./bin/port-forward grafana <local-port> |
| 82 | +# Port forward Alertmanager to localhost |
| 83 | +./bin/port-forward alertmanager <local-port> |
| 84 | +# Port forward Prometheus to localhost |
| 85 | +./bin/port-forward prometheus <local-port> |
| 86 | +``` |
| 87 | + |
| 88 | +and then opening `http://localhost:<local-port>` in your web browser. |
| 89 | + |
| 90 | +The Grafana configuration is currently limited to a relatively standard set of Kubernetes monitoring dashboards, with no Cluster API or Magnum-specific dashboards, however; it can still be useful for seeing general management cluster health. Perhaps the most useful dashboard in the current set is the `Loki / Pod Logs` dashboard which allows for viewing, searching and filtering the aggregated logs for all management cluster pods. This can be particularly helpful for inspecting the `capo-controller-manager` pod logs in order to debugging user cluster issues (see next section). |
| 91 | + |
| 92 | +The pod logs dashboard looks something like: |
| 93 | + |
| 94 | + |
| 95 | + |
| 96 | +and is a valuable tool in debugging since most pod logs in Kubernetes are aggressively pruned and therefore the Loki aggregation is the only option for historic logs. |
| 97 | + |
| 98 | +Some other notable dashboards from the current monitoring collection include: |
| 99 | + |
| 100 | +- `Alertmanager / Overview` - for alert trends and timeseries |
| 101 | +- `Node Exporter / Nodes` - for health of management cluster nodes |
| 102 | +- `Velero Overview` - for management [backup and restore](https://azimuth-config.readthedocs.io/en/stable/configuration/15-disaster-recovery/) health and status |
| 103 | + |
| 104 | +### Diagnosing User Cluster Issues |
| 105 | + |
| 106 | +For cases where there is a Magnum user cluster which is not functioning correctly (e.g. it is stuck in the creating phase indefinitely) the best strategy is to trace through the CAPI cluster creation process one step at a time for the target cluster in order to understand which step the creation is stalled on. To do so, follow [this debugging guide](https://github.com/azimuth-cloud/capi-helm-charts/blob/main/charts/openstack-cluster/DEBUGGING.md). (The TL;DR is that 9 times out of 10 the answer can be found in the logs for the `capo-controller-manager` pod since this is the controller which interacts with the OpenStack APIs to actually create user resources.) |
0 commit comments