|
| 1 | +================================== |
| 2 | +Magnum - Container cluster service |
| 3 | +================================== |
| 4 | + |
| 5 | +Magnum is an OpenStack service that provides support for deployment and |
| 6 | +management of container clusters such as Kubernetes. See the |
| 7 | +:magnum-doc:`Magnum documentation </>` for information on using Magnum. |
| 8 | + |
| 9 | +Configuration |
| 10 | +============= |
| 11 | + |
| 12 | +Enable Magnum, in ``globals.yml``: |
| 13 | + |
| 14 | +.. code-block:: yaml |
| 15 | +
|
| 16 | + enable_magnum: true |
| 17 | +
|
| 18 | +Optional: enable cluster user trust |
| 19 | +----------------------------------- |
| 20 | + |
| 21 | +This allows the cluster to communicate with OpenStack on behalf of the user |
| 22 | +that created it, and is necessary for the auto-scaler and auto-healer to work. |
| 23 | +Note that this is disabled by default since it exposes the cluster to |
| 24 | +`CVE-2016-7404 <https://nvd.nist.gov/vuln/detail/CVE-2016-7404>`__. Ensure that |
| 25 | +you understand the consequences before enabling this option. In |
| 26 | +``globals.yml``: |
| 27 | + |
| 28 | +.. code-block:: yaml |
| 29 | +
|
| 30 | + enable_cluster_user_trust: true |
| 31 | +
|
| 32 | +Optional: private CA |
| 33 | +-------------------- |
| 34 | + |
| 35 | +If using TLS with a private CA for OpenStack public APIs, the cluster will need |
| 36 | +to add the CA certificate to its trust store in order to communicate with |
| 37 | +OpenStack. The certificate must be available in the magnum conductor container. |
| 38 | +It is copied to the cluster via user-data, so it is better to include only the |
| 39 | +necessary certificates to avoid exceeding the max Nova API request body size |
| 40 | +(this may be set via ``[oslo_middleware] max_request_body_size`` in |
| 41 | +``nova.conf`` if necessary). In ``/etc/kolla/config/magnum.conf``: |
| 42 | + |
| 43 | +.. code-block:: ini |
| 44 | +
|
| 45 | + [drivers] |
| 46 | + openstack_ca_file = <path to CA file> |
| 47 | +
|
| 48 | +If using Kolla Ansible to :ref:`copy CA certificates into containers |
| 49 | +<admin-tls-ca-in-containers>`, the certificates are located at |
| 50 | +``/etc/pki/ca-trust/source/anchors/kolla-customca-*.crt``. |
| 51 | + |
| 52 | +Deployment |
| 53 | +========== |
| 54 | + |
| 55 | +To deploy magnum and its dashboard in an existing OpenStack cluster: |
| 56 | + |
| 57 | +.. code-block:: console |
| 58 | +
|
| 59 | + kolla-ansible -i <inventory> deploy --tags common,horizon,magnum |
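Review bot: In the "Optional: enable cluster user trust" section (new lines 21-26), the text tells operators to "understand the consequences" of CVE-2016-7404 but never says what those consequences are, so the warning only works if the reader follows the NVD link. Consider adding one sentence that states what the trust allows a cluster to do on behalf of the user that created it, and that the auto-scaler and auto-healer do not work while the option stays at its disabled default. A smaller point in the private CA section (new lines 35-50): "openstack_ca_file = <path to CA file>" is followed by a glob, "kolla-customca-*.crt", while the option takes one path. An example with a single concrete filename, plus a note that the path is the one seen inside the magnum conductor container, would make this harder to misconfigure.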