Merge branch 'stackhpc/2024.1' into rated-dwpd-alerts

dougszumski · web-flow · commit f0c5c02f8236 · 2025-06-13T12:16:01.000+01:00
diff --git a/.github/workflows/upstream-sync.yml b/.github/workflows/upstream-sync.yml
@@ -14,21 +14,25 @@ jobs:
     uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
     with:
       release_series: 2023.1
+      upstream: openstack/kayobe-config
   synchronise-2024-1:
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'
     name: Synchronise 2024.1
     uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
     with:
       release_series: 2024.1
+      upstream: openstack/kayobe-config
   synchronise-2025-1:
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'
     name: Synchronise 2025.1
     uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
     with:
       release_series: 2025.1
+      upstream: openstack/kayobe-config
   synchronise-master:
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'
     name: Synchronise master
     uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
     with:
       release_series: master
+      upstream: openstack/kayobe-config
diff --git a/doc/source/configuration/ipa.rst b/doc/source/configuration/ipa.rst
@@ -11,7 +11,7 @@ StackHPC provides prebuilt Ironic Python Agent (IPA) images in Release Train
 through Ark.
 
 These images are built in CI using a GitHub workflow and are configured in this
-repository. See  :kayobe-doc: `Kayobe documentation
+repository. See :kayobe-doc:`Kayobe documentation
 <configuration/reference/ironic-python-agent.html>` for more details on IPA.
 
 Release Train IPA images are used by Bifrost and Overcloud Ironic by default in
diff --git a/doc/source/configuration/monitoring.rst b/doc/source/configuration/monitoring.rst
@@ -169,12 +169,18 @@ for the exporter.
 If you are deploying in a cloud with internal TLS, you may be required
 to provide a CA certificate for the OpenStack Capacity exporter if your
 certificate is not signed by a trusted CA. For example, to use a CA certificate
-named ``vault.crt`` that is also added to the Kolla containers:
+named ``vault.crt`` or ``openbao.crt`` that is also added to the Kolla containers:
 
 .. code-block:: yaml
 
     stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt"
 
+or
+
+.. code-block:: yaml
+
+    stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt"
+
 Alternatively, to disable certificate verification for the OpenStack Capacity
 exporter:
 
diff --git a/doc/source/configuration/release-train.rst b/doc/source/configuration/release-train.rst
@@ -52,16 +52,29 @@ The Pulp container is deployed on the seed by default, but may be disabled by
 setting ``seed_pulp_container_enabled`` to ``false`` in
 ``etc/kayobe/seed.yml``.
 
-The URL and credentials of the local Pulp server are configured in
-``etc/kayobe/pulp.yml`` via ``pulp_url``, ``pulp_username`` and
-``pulp_password``. In most cases, the default values should be sufficient.
-An admin password must be generated and set as the value of a
-``secrets_pulp_password`` variable, typically in an Ansible Vault encrypted
-``etc/kayobe/secrets.yml`` file. This password will be automatically set on
-Pulp startup.
-
-If a proxy is required to access the Internet from the seed, ``pulp_proxy_url``
-may be used.
+The URL for the local Pulp server is configured by ``pulp_url`` within
+``etc/kayobe/pulp.yml``.
+
+The Pulp service can be configured with two sets of credentials; one for
+administrator operations and another read-only for overcloud hosts
+to use.
+The administrator credentials can be configured ``pulp_username``,
+``pulp_password``
+The basic user account credentials can be configured with ``pulp_stack_username``
+and ``pulp_stack_password``.
+Both sets of credentials can be found within ``etc/kayobe/pulp.yml``.
+
+Both the ``pulp_password`` and ``pulp_stack_password`` are intended to be
+configured via their ``secrets_*`` counterparts, i.e.
+``secrets_pulp_password`` and ``secrets_pulp_stack_password``. These variables
+are expected to be set in an Ansible Vault encrypted
+``etc/kayobe/secrets.yml`` file.
+
+Passwords can be generated using ``OpenSSL``
+
+.. code-block:: console
+
+  openssl rand -base64 32
 
 Host images are not synchronised to the local Pulp server, since they should
 only be pulled to the seed node once. More information on host images can be
diff --git a/etc/kayobe/ansible/cephadm-gather-keys.yml b/etc/kayobe/ansible/cephadm-gather-keys.yml
@@ -68,6 +68,7 @@
         # Kolla Ansible's merge_configs module does not like the leading tabs in ceph.conf.
         content: |
           {{ cephadm_ceph_conf.stdout | regex_replace('\t') }}
+          {{ kolla_ceph_conf_append if kolla_ceph_conf_append is defined }}
         dest: "{{ kayobe_env_config_path }}/kolla/config/{{ kolla_service_to_conf_dir[item.0.name] }}/ceph.conf"
       loop: "{{ query('subelements', kolla_ceph_services | selectattr('required'), 'keys') }}"
       loop_control:
diff --git a/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml b/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml
@@ -114,7 +114,7 @@
               ADMIN_ENTRY: admin
               ACCESS_KEY: "{{ ec2.Access }}"
               SECRET_KEY: "{{ ec2.Secret }}"
-              VIRTUAL_PORT: "{{ stackhpc_radosgw_usage_exporter_port | string }}"
+              VIRTUAL_PORT: "{{ stackhpc_radosgw_usage_exporter_backend_port | string }}"
               REQUESTS_CA_BUNDLE: "/etc/ssl/certs/ca-certificates.crt"
             entrypoint: "{{ ['python', '-u', './radosgw_usage_exporter.py', '--insecure'] if not stackhpc_radosgw_usage_exporter_verify else omit }}"
           vars:
diff --git a/etc/kayobe/ansible/openbao-deploy-overcloud.yml b/etc/kayobe/ansible/openbao-deploy-overcloud.yml
@@ -21,7 +21,12 @@
   gather_facts: true
   hosts: controllers
   vars:
-    openbao_bind_address: "{{ internal_net_name | net_ip }}"
+    openbao_bind_addr: "{{ internal_net_name | net_ip }}"
+    # This is the IP address of the first controller and therefore the leader within
+    # OpenBao. This could be replaced with the VIP address of the internal network if
+    # HAProxy has been configured to load balance the OpenBao API.
+    openbao_raft_leaders:
+      - "{{ internal_net_name | net_ip(inventory_hostname=groups['controllers'][0]) }}"
   tasks:
     - name: Set a fact about the virtualenv on the remote system
       ansible.builtin.set_fact:
@@ -46,7 +51,7 @@
 
     - name: Template out TLS key and cert
       ansible.builtin.copy:
-        # Within the OpenBao container these uids & gids map to the vault user
+        # Within the OpenBao container these uids & gids map to the openbao user
         src: "{{ kayobe_env_config_path }}/openbao/{{ item }}"
         dest: /opt/kayobe/openbao/{{ item }}
         owner: 100
@@ -55,6 +60,7 @@
       loop:
         - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt"
         - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key"
+        - "OS-TLS-INT.crt"
       become: true
 
     - name: Apply OpenBao role
@@ -71,6 +77,7 @@
         openbao_docker_tag: "{{ overcloud_openbao_docker_tag }}"
         openbao_tls_cert: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt"
         openbao_tls_key: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key"
+        openbao_tls_ca: "OS-TLS-INT.crt"
         copy_self_signed_ca: true
         openbao_api_addr: https://{{ internal_net_name | net_ip }}:8200
         openbao_write_keys_file: true
@@ -91,6 +98,28 @@
         vault_unseal_keys: "{{ openbao_keys.keys_base64 }}"
       environment:
         https_proxy: ""
+      run_once: true
+
+      # As the first instance is now unsealed the other instances will now need some
+      # time to connect before we can proceed.
+    - name: Wait for OpenBao Raft peers to connect
+      ansible.builtin.wait_for:
+        timeout: 30
+      delegate_to: localhost
+
+      # Raft peers take few seconds before they report an unsealed state therefore
+      # we must wait.
+    - name: Unseal OpenBao
+      ansible.builtin.import_role:
+        name: stackhpc.hashicorp.vault_unseal
+      vars:
+        vault_api_addr: https://{{ internal_net_name | net_ip }}:8200
+        vault_unseal_token: "{{ openbao_keys.root_token }}"
+        vault_unseal_ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+        vault_unseal_keys: "{{ openbao_keys.keys_base64 }}"
+        vault_unseal_timeout: 10
+      environment:
+        https_proxy: ""
 
 - name: Configure PKI
   any_errors_fatal: true
diff --git a/etc/kayobe/ansible/openbao-deploy-seed.yml b/etc/kayobe/ansible/openbao-deploy-seed.yml
@@ -4,8 +4,8 @@
   gather_facts: true
   hosts: seed
   vars:
-    openbao_bind_address: "{{ ansible_facts['lo'].ipv4.address }}"
-    openbao_api_addr: "http://{{ openbao_bind_address }}:8200"
+    openbao_bind_addr: "{{ ansible_facts['lo'].ipv4.address }}"
+    openbao_api_addr: "http://{{ openbao_bind_addr }}:8200"
   tasks:
     - name: Set a fact about the virtualenv on the remote system
       ansible.builtin.set_fact:
diff --git a/etc/kayobe/ansible/pulp-host-image-download.yml b/etc/kayobe/ansible/pulp-host-image-download.yml
@@ -7,18 +7,15 @@
     # password in the get_url task of this playbook
     stackhpc_overcloud_host_image_url_no_auth: "{{ stackhpc_release_pulp_content_url }}/kayobe-images/\
       {{ openstack_release }}/{{ os_distribution }}/{{ os_release }}/\
-      {{ 'ofed/' if stackhpc_overcloud_host_image_is_ofed else '' }}\
       {{ stackhpc_overcloud_host_image_version }}/\
-      overcloud-{{ os_distribution }}-{{ os_release }}\
-      {{ '-ofed' if stackhpc_overcloud_host_image_is_ofed else '' }}.qcow2"
+      overcloud-{{ os_distribution }}-{{ os_release }}.qcow2"
   tasks:
     - name: Print image information
       ansible.builtin.debug:
         msg: |
           OS Distribution: {{ os_distribution }}
           OS Release: {{ os_release }}
           Image tag: {{ stackhpc_overcloud_host_image_version }}
-          OFED: {{ stackhpc_overcloud_host_image_is_ofed }}
 
     # TODO: Add checksum support
     - name: Download image artifact
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
@@ -9,7 +9,7 @@ collections:
   - name: stackhpc.pulp
     version: 0.5.5
   - name: stackhpc.hashicorp
-    version: 2.6.1
+    version: 2.7.1
   - name: stackhpc.kayobe_workflows
     version: 1.1.0
 roles:
diff --git a/etc/kayobe/cephadm.yml b/etc/kayobe/cephadm.yml
@@ -136,3 +136,6 @@ kolla_ceph_manila_required: "{{ kolla_enable_manila | bool }}"
 
 # Whether to generate Ceph configuration for Nova.
 kolla_ceph_nova_required: "{{ kolla_enable_nova | bool }}"
+
+# A (multiline) string to append to all Ceph configuration files.
+#kolla_ceph_conf_append:
diff --git a/etc/kayobe/containers/pulp/post.yml b/etc/kayobe/containers/pulp/post.yml
@@ -4,7 +4,7 @@
     url: "{{ pulp_url }}/pulp/api/v3/status/"
   register: pulp_status
   until: pulp_status is success
-  retries: "{{ pulp_timeout_retries | default(30) }}"
+  retries: "{{ pulp_timeout_retries | default(120) }}"
   delay: "{{ pulp_timeout_delay | default(3) }}"
 
 - name: Set the Pulp admin password
@@ -28,6 +28,18 @@
     - stackhpc_pulp_sync_for_local_container_build | bool
     - pulp_settings.changed
 
+- name: Ensure Pulp stack user exists
+  ansible.builtin.include_role:
+    name: stackhpc.pulp.pulp_user
+  vars:
+    pulp_users:
+      - username: "{{ pulp_stack_username }}"
+        password: "{{ pulp_stack_password }}"
+        is_staff: false
+  when:
+    - pulp_stack_username is defined and pulp_stack_username | length > 0
+    - pulp_stack_password is defined and pulp_stack_password | length > 0
+
 - name: Login to docker registry
   docker_login:
     registry_url: "{{ kolla_docker_registry or omit }}"
diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml b/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml
@@ -1,3 +1,3 @@
 ---
 # Path to a CA certificate file to trust in the OpenStack Capacity exporter.
-stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt"
+stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt"
diff --git a/etc/kayobe/environments/ci-multinode/tempest.yml b/etc/kayobe/environments/ci-multinode/tempest.yml
@@ -3,4 +3,4 @@
 rally_no_sensitive_log: false
 
 # Add the Vault CA certificate to the rally container when running tempest.
-tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt"
+tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt"
diff --git a/etc/kayobe/inventory/group_vars/all/openbao.yml b/etc/kayobe/inventory/group_vars/all/openbao.yml
@@ -77,3 +77,6 @@ seed_openbao_pki_certificate_subject:
     role: "{{ seed_openbao_pki_role_name }}"
     extra_params:
       ip_sans: "{% for host in groups['controllers'] %}{{ internal_net_name | net_ip(host) }}{% if not loop.last %},{% endif %}{% endfor %},{{ kolla_internal_vip_address }}"
+
+# Enable OpenBao UI
+openbao_enable_ui: true
diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
@@ -560,6 +560,8 @@ kolla_build_args: {}
 kolla_overcloud_inventory_pass_through_host_vars_extra:
   - stackhpc_gpu_data
   - gpu_group_map
+  - stackhpc_radosgw_usage_exporter_frontend_port
+  - stackhpc_radosgw_usage_exporter_backend_port
 
 # List of names of host variables to pass through from kayobe hosts to
 # kolla-ansible hosts, if set. See also
diff --git a/etc/kayobe/kolla/config/haproxy/services.d/radosgw_usage_exporter.cfg b/etc/kayobe/kolla/config/haproxy/services.d/radosgw_usage_exporter.cfg
@@ -0,0 +1,25 @@
+{% if stackhpc_enable_radosgw_usage_exporter | bool %}
+{% raw %}
+frontend radosgw_usage_exporter_frontend
+    mode http
+    http-request del-header X-Forwarded-Proto
+    option httplog
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https if { ssl_fc }
+{% if kolla_enable_tls_internal | bool %}
+    bind {{ kolla_internal_vip_address }}:{{ stackhpc_radosgw_usage_exporter_frontend_port }} ssl crt /etc/haproxy/certificates/haproxy-internal.pem
+{% else %}
+    bind {{ kolla_internal_vip_address }}:{{ stackhpc_radosgw_usage_exporter_frontend_port }}
+{% endif %}
+    default_backend radosgw_usage_exporter_backend
+
+backend radosgw_usage_exporter_backend
+    mode http
+
+{% for host in groups['monitoring'] %}
+{% set host_name = hostvars[host].ansible_facts.hostname %}
+{% set host_ip = 'api' | kolla_address(host) %}
+    server {{ host_name }} {{ host_ip }}:{{ stackhpc_radosgw_usage_exporter_backend_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endraw %}
+{% endif %}
diff --git a/etc/kayobe/kolla/config/prometheus/prometheus.yml.d/80-radosgw-exporter.yml b/etc/kayobe/kolla/config/prometheus/prometheus.yml.d/80-radosgw-exporter.yml
@@ -14,8 +14,9 @@ scrape_configs:
       regex: (.+)
     static_configs:
       - targets:
-      {% for host in groups['monitoring'] %}
-        - "{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{% endraw %}{{ stackhpc_radosgw_usage_exporter_port }}{% raw %}"
-      {% endfor %}
+        - "{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ stackhpc_radosgw_usage_exporter_frontend_port }}"
+{% if kolla_enable_tls_internal | bool %}
+    scheme: https
+{% endif %}
 {% endraw %}
 {% endif %}
diff --git a/etc/kayobe/kolla/config/prometheus/rabbitmq.rules b/etc/kayobe/kolla/config/prometheus/rabbitmq.rules
@@ -20,7 +20,7 @@ groups:
     annotations:
       description: RabbitMQ consumers message consumption speed is low on {{ $labels.instance }}
   - alert: RabbitMQNodeNotDistributed
-    expr: erlang_vm_dist_node_state < 3
+    expr: erlang_vm_dist_node_state < {% endraw %}{{ alertmanager_number_of_rabbitmq_nodes }}{% raw %}
     for: 5m
     labels:
       severity: critical
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
@@ -26,6 +26,10 @@ pulp_enable_tls: false
 pulp_username: admin
 pulp_password: "{{ secrets_pulp_password }}"
 
+# Credentials for non-admin user within Pulp.
+pulp_stack_username: stack
+pulp_stack_password: "{{ secrets_pulp_stack_password | default('') }}"
+
 # Proxy to use when adding remotes.
 pulp_proxy_url: "{{ omit }}"
 
diff --git a/etc/kayobe/stackhpc-monitoring.yml b/etc/kayobe/stackhpc-monitoring.yml
@@ -74,8 +74,11 @@ stackhpc_prometheus_openstack_exporter_interval: 300
 # Prometheus scrape targets during deployment.
 stackhpc_enable_radosgw_usage_exporter: false
 
-# Port to expose RADOS gateway usage exporter. Default is 9242
-stackhpc_radosgw_usage_exporter_port: 9242
+# Port to expose RADOS gateway usage exporter backend. Default is 9242
+stackhpc_radosgw_usage_exporter_backend_port: 9242
+
+# Port to expose RADOS gateway usage exporter frontend (via HAProxy). Default is 9240
+stackhpc_radosgw_usage_exporter_frontend_port: 9240
 
 # Path to a certificate for internal TLS in the RADOS gateway usage exporter.
 stackhpc_radosgw_usage_exporter_cacert: ""
diff --git a/etc/kayobe/stackhpc-overcloud-host-images.yml b/etc/kayobe/stackhpc-overcloud-host-images.yml
@@ -5,19 +5,12 @@
 # Whether or not to download overcloud host images from Ark
 stackhpc_download_overcloud_host_images: false
 
-# Whether or not to use images with MLNX_OFED installed (for deployment using
-# mellanox/Nvidia NICs). Only available for Ubuntu Jammy and Rocky Linux 9
-# OFED images are currently WIP and this variable is a placeholder
-stackhpc_overcloud_host_image_is_ofed: false
-
 # The overcloud host image source, defined by os_distribution, os_release,
-# stackhpc_overcloud_host_image_is_ofed, and the current stable version.
+# and the current stable version.
 stackhpc_overcloud_host_image_url: "{{ stackhpc_release_pulp_content_url_with_auth }}/kayobe-images/\
                                     {{ openstack_release }}/{{ os_distribution }}/{{ os_release }}/\
-                                    {{ 'ofed/' if stackhpc_overcloud_host_image_is_ofed else '' }}\
                                     {{ stackhpc_overcloud_host_image_version }}/\
-                                    overcloud-{{ os_distribution }}-{{ os_release }}\
-                                    {{ '-ofed' if stackhpc_overcloud_host_image_is_ofed else '' }}.qcow2"
+                                    overcloud-{{ os_distribution }}-{{ os_release }}.qcow2"
 
 # Overcloud host image version tag selection
 stackhpc_overcloud_host_image_version: >-
diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml
diff --git a/releasenotes/notes/add-openbao-raft-ha-e8d78ffe68913512.yaml b/releasenotes/notes/add-openbao-raft-ha-e8d78ffe68913512.yaml
diff --git a/releasenotes/notes/add-stack-user-for-pulp-c96041e82c13aa10.yaml b/releasenotes/notes/add-stack-user-for-pulp-c96041e82c13aa10.yaml
diff --git a/releasenotes/notes/ceph-config-append-1cc6146d3241b63e.yaml b/releasenotes/notes/ceph-config-append-1cc6146d3241b63e.yaml
diff --git a/releasenotes/notes/increase-pulp-retries-79cc258da9aabb4f.yaml b/releasenotes/notes/increase-pulp-retries-79cc258da9aabb4f.yaml
diff --git a/releasenotes/notes/radosgw-usage-exporter-behind-haproxy-e4371d2732f2a081.yaml b/releasenotes/notes/radosgw-usage-exporter-behind-haproxy-e4371d2732f2a081.yaml
diff --git a/requirements.txt b/requirements.txt
