Merge branch 'stackhpc/2025.1' into ansible-directories

Author: MoteHue

.automation

@@ -17,7 +17,6 @@ class OSRelease:
 @dataclass
 class OpenStackRelease:
     version: str
-    previous_version: str
     os_releases: t.List[OSRelease]
 
 
@@ -34,11 +33,12 @@ class Scenario:
 UBUNTU_NOBLE = OSRelease("ubuntu", "noble", "ubuntu")
 # NOTE(upgrade): Add supported releases here.
 OPENSTACK_RELEASES = [
-    OpenStackRelease("2023.1", "zed", [ROCKY_9, UBUNTU_JAMMY]),
-    OpenStackRelease("2024.1", "2023.1", [ROCKY_9, UBUNTU_JAMMY]),
-    OpenStackRelease("2025.1", "2024.1", [ROCKY_9, UBUNTU_NOBLE]),
+    OpenStackRelease("2023.1", [ROCKY_9, UBUNTU_JAMMY]),
+    OpenStackRelease("2024.1", [ROCKY_9, UBUNTU_JAMMY]),
+    OpenStackRelease("2025.1", [ROCKY_9, UBUNTU_NOBLE]),
 ]
 NEUTRON_PLUGINS = ["ovs", "ovn"]
+VERSION_HIERARCHY = ["zed", "2023.1", "2024.1", "2025.1"]
 
 
 def main() -> None:
@@ -52,13 +52,20 @@ def random_scenario() -> Scenario:
     openstack_release = random.choice(OPENSTACK_RELEASES)
     os_release = random.choice(openstack_release.os_releases)
     neutron_plugin = random.choice(NEUTRON_PLUGINS)
-    upgrade = 'major' if random.random() > 0.6 else 'none'
+    upgrade = "major" if random.random() > 0.6 else "none"
     return Scenario(openstack_release, os_release, neutron_plugin, upgrade)
 
 
 def generate_inputs(scenario: Scenario) -> t.Dict[str, str]:
     branch = get_branch(scenario.openstack_release.version)
-    previous_branch = get_branch(scenario.openstack_release.previous_version)
+    previous_branch = get_branch(
+        VERSION_HIERARCHY[
+            VERSION_HIERARCHY.index(scenario.openstack_release.version) - 1
+        ]
+    )
+    terraform_kayobe_multinode_version = get_tkm_version(
+        scenario.openstack_release.version
+    )
     inputs = {
         "os_distribution": scenario.os_release.distribution,
         "os_release": scenario.os_release.release,
@@ -67,6 +74,7 @@ def generate_inputs(scenario: Scenario) -> t.Dict[str, str]:
         "upgrade": scenario.upgrade,
         "stackhpc_kayobe_config_version": branch,
         "stackhpc_kayobe_config_previous_version": previous_branch,
+        "terraform_kayobe_multinode_version": terraform_kayobe_multinode_version,
     }
     return inputs
 
@@ -75,6 +83,13 @@ def get_branch(version: str) -> str:
     return f"stackhpc/{version}"
 
 
+def get_tkm_version(version: str) -> str:
+    if version in ["zed", "2023.1"]:
+        return "ea61ea1730e179e05e8f0e58b759267664c555e7"
+    else:
+        return "main"
+
+
 def write_output(name: str, value: str) -> None:
     print(f"{name}={value}")
 

.github/workflows/multinode-inputs.py

@@ -19,6 +19,7 @@ jobs:
       upgrade: ${{ steps.generate-inputs.outputs.upgrade }}
       stackhpc_kayobe_config_version: ${{ steps.generate-inputs.outputs.stackhpc_kayobe_config_version }}
       stackhpc_kayobe_config_previous_version: ${{ steps.generate-inputs.outputs.stackhpc_kayobe_config_previous_version }}
+      terraform_kayobe_multinode_version: ${{ steps.generate-inputs.outputs.terraform_kayobe_multinode_version }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -45,6 +46,7 @@ jobs:
       upgrade: ${{ needs.generate-inputs.outputs.upgrade }}
       stackhpc_kayobe_config_version: ${{ needs.generate-inputs.outputs.stackhpc_kayobe_config_version }}
       stackhpc_kayobe_config_previous_version: ${{ needs.generate-inputs.outputs.stackhpc_kayobe_config_previous_version }}
+      terraform_kayobe_multinode_version: ${{ needs.generate-inputs.outputs.terraform_kayobe_multinode_version }}
       enable_slack_alert: true
     secrets: inherit
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'

.github/workflows/stackhpc-multinode-periodic.yml

@@ -22,18 +22,13 @@ storage backend. Set the following in ``kolla.yml``:
   kolla_enable_influxdb: false
 
 Set Prometheus as the backend for both the collector and fetcher, and
-Elasticsearch as the storage backend. Note that our fork of CloudKitty is
-patched so that the CloudKitty Elasticsearch V2 storage backend will also work
-with an OpenSearch cluster. Proper support for the V2 OpenSearch storage
-backend is still pending in Kolla-Ansible `here
-<https://review.opendev.org/c/openstack/kolla-ansible/+/898555>`__. Set the
-following in ``kolla/globals.yml``:
+OpenSearch as the storage backend. Set the following in ``kolla/globals.yml``:
 
 .. code-block:: yaml
 
   cloudkitty_collector_backend: prometheus
   cloudkitty_fetcher_backend: prometheus
-  cloudkitty_storage_backend: elasticsearch
+  cloudkitty_storage_backend: opensearch
 
 The default collection period is one hour, which is likely too long for most
 systems as CloudKitty charges by the **entire** collection period if any usage

doc/source/configuration/cloudkitty.rst

@@ -78,13 +78,13 @@ Setup OpenBao on the seed node
 
 1. Run secret-store-deploy-seed.yml custom playbook
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store/secret-store-deploy-seed.yml
 
 2. Encrypt generated certs/keys with ansible-vault (use proper location of vault password file)
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/openbao/OS-TLS-INT.pem
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/openbao/seed-openbao-keys.json
@@ -97,7 +97,7 @@ Setup OpenBao on the seed node
 
    Or if environments are being used
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/OS-TLS-INT.pem
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/seed-openbao-keys.json
@@ -111,24 +111,38 @@ Setup OpenBao on the seed node
 Setup OpenBao HA on the overcloud hosts
 ---------------------------------------
 
-1. Run secret-store-deploy-overcloud.yml custom playbook
+1. If using a walled garden, ensure ``no_proxy`` is configured to include the first controller's internal network IP. Append it to the list if necessary.
 
-   .. code-block::bash
+   .. code-block:: yaml
+      :caption: ``inventory/group_vars/overcloud/proxy.yml``
+
+      ---
+      no_proxy:
+        - "{{ lookup('vars', internal_net_name ~ '_ips')[groups.controllers.0] }}"
+
+   .. code-block:: bash
+
+      kayobe overcloud host configure -t proxy
+
+2. Run secret-store-deploy-overcloud.yml custom playbook
+
+   .. code-block:: bash
 
       kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store/secret-store-deploy-overcloud.yml
 
-2. Encrypt overcloud openbao keys (use proper location of vault password file)
+3. Encrypt overcloud openbao keys (use proper location of vault password file)
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/openbao/overcloud-openbao-keys.json
 
       # For Hashicorp Vault
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/vault/overcloud-vault-keys.json
 
+
    Or if environments are being used
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/overcloud-openbao-keys.json
 
@@ -145,7 +159,7 @@ cannot be unsealed with an expired certificate.
 
 1. Delete the old certificate:
 
-   .. code-block::bash
+   .. code-block:: bash
 
       rm $KAYOBE_CONFIG_PATH/openbao/overcloud.crt
 
@@ -154,7 +168,7 @@ cannot be unsealed with an expired certificate.
 
    Or if environments are being used
 
-   .. code-block::bash
+   .. code-block:: bash
 
       rm $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/overcloud.crt
 
@@ -163,13 +177,13 @@ cannot be unsealed with an expired certificate.
 
 2. Generate a new certificate (and key):
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store/secret-store-deploy-seed.yml
 
 3. Encrypt generated key with ansible-vault (use proper location of vault password file)
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/openbao/overcloud.key
 
@@ -178,7 +192,7 @@ cannot be unsealed with an expired certificate.
 
    Or if environments are being used
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/overcloud.key
 
@@ -188,13 +202,13 @@ cannot be unsealed with an expired certificate.
 4. Copy the new certificate to the overcloud hosts. Note, if the old
    certificate has expired this will fail on the unseal step.
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store/secret-store-deploy-overcloud.yml
 
 5. Restart the containers to use the new certificate:
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe overcloud host command run --command "docker restart openbao" -l controllers
 
@@ -203,7 +217,7 @@ cannot be unsealed with an expired certificate.
 
 6. If sealed, unseal OpenBao:
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store/secret-store-unseal-overcloud.yml
 
@@ -230,19 +244,19 @@ For test and development purposes it is possible to use OpenBao as a CA for the
 
 1. Run the playbook
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store/secret-store-generate-test-external-tls.yml
 
 2. Use ansible-vault to encrypt the PEM bundle in $KAYOBE_CONFIG_PATH/kolla/certificates/haproxy.pem. Commit the PEM bundle to the kayobe configuration.
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/kolla/certificates/haproxy.pem
 
    Or if environments are being used
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy.pem
 
@@ -251,19 +265,19 @@ Create the internal TLS certificates
 
 1. Run the playbook
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store/secret-store-generate-internal-tls.yml
 
 2. Use ansible-vault to encrypt the PEM bundle in $KAYOBE_CONFIG_PATH/kolla/certificates/haproxy-internal.pem. Commit the PEM bundle and root CA to the kayobe configuration.
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/kolla/certificates/haproxy-internal.pem
 
    Or if environments are being used
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy-internal.pem
 
@@ -272,19 +286,19 @@ Create the backend TLS and RabbitMQ TLS certificates
 
 1. Run the playbook
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store/secret-store-generate-backend-tls.yml
 
 2. Use ansible-vault to encrypt the keys in $KAYOBE_CONFIG_PATH/kolla/certificates/<controller>-key.pem. Commit the certificates and keys to the kayobe configuration.
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/kolla/certificates/<controller>-key.pem
 
    Or if environments are being used
 
-   .. code-block::bash
+   .. code-block:: bash
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/<controller>-key.pem
 
@@ -425,12 +439,12 @@ Enable the required TLS variables in kayobe and kolla
       It is important that you are only using admin endpoints for keystone. If
       any admin endpoints exist for other services, they must be deleted e.g.
 
-      .. code-block::bash
+      .. code-block:: bash
 
          openstack endpoint list --interface admin -f value | \
          awk '!/keystone/ {print $1}' | xargs openstack endpoint delete
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe overcloud service deploy
 
@@ -442,7 +456,7 @@ Enable the required TLS variables in kayobe and kolla
 
    Restart the nova-compute container on all hypervisors:
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe overcloud host command run --command "systemctl restart kolla-nova_compute-container.service" --become --show-output -l compute
 
@@ -475,7 +489,7 @@ Create required configuration in OpenBao
 
 1. Run secret-store-deploy-barbican.yml custom playbook
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store/secret-store-deploy-barbican.yml
 
@@ -513,6 +527,6 @@ Configure Barbican
 Deploy Barbican
 ---------------
 
-   .. code-block::bash
+   .. code-block:: bash
 
       kayobe overcloud service deploy -kt barbican

doc/source/configuration/openbao.rst

@@ -79,6 +79,7 @@ proxy:
      - "{{ ('http://' ~ docker_registry) | urlsplit('hostname') if docker_registry else '' }}"
      - "{{ lookup('vars', admin_oc_net_name ~ '_ips')[groups.seed.0] }}"
      - "{{ lookup('vars', admin_oc_net_name ~ '_ips')[inventory_hostname] }}"
+     - "{{ lookup('vars', internal_net_name ~ '_ips')[groups.controllers.0] }}"
      - "{{ kolla_external_fqdn }}"
      - "{{ kolla_internal_fqdn }}"
 

doc/source/configuration/walled-garden.rst

@@ -22,3 +22,4 @@ This guide is for operators of the StackHPC Kayobe configuration project.
    tempest
    upgrading-openstack
    upgrading-ceph
+   ubuntu-noble