Enable Octavia on an existing OpenStack environment

You can enable Octavia on an operational OpenStack environment with Neutron OVS as a networking solution deployed by MCP.

To enable Octavia on an existing OpenStack environment:

  1. Log in to the Salt Master node.

  2. Add the following class to cluster/<cluster_name>/openstack/database.yml:

    - system.galera.server.database.octavia
    
  3. Add the following classes to cluster/<cluster_name>/openstack/control/init.yml:

    - system.keystone.client.service.octavia
    - system.glance.client.image.octavia
    - system.nova.client.service.octavia
    - system.octavia.client
    
  4. Select from the following options:

    • To run Octavia worker services in a cluster, add the following class to cluster/<cluster_name>/openstack/control/init.yml:

      - system.neutron.client.service.octavia
      
    • To run a single instance of Octavia worker services, add the following class to cluster/<cluster_name>/openstack/control/init.yml:

      - system.neutron.client.service.octavia.single
      
  5. If Barbican support is required, add the following classes to cluster/<cluster_name>/openstack/control/init.yml:

    - system.barbican.client.v1.octavia
    - system.barbican.client.v1.signed_images.octavia
    - system.salt.minion.cert.octavia.image_sign
    

    Caution

    If signing of images is disabled for Nova, do not add the images-related classes.

  6. Add the following classes to cluster/<cluster_name>/openstack/control.yml:

    - system.neutron.control.openvswitch.octavia
    - system.octavia.api.cluster
    

    Note

    Starting from the OpenStack Queens release, the system.neutron.control.openvswitch.octavia class is not required.

    The system.octavia.api.cluster class configures an Octavia API cluster to run on the OpenStack controller nodes. Alternatively, if you want to run a single instance of Octavia API, add the following class instead:

    - system.octavia.api.single
    
  7. In cluster/<cluster_name>/infra/config.yml, configure the Octavia Manager services (Controller Worker, Health Manager, and Housekeeping) to run on one of the gateway nodes, which is gtw01 by default:

    • Add the following classes:

      - system.salt.minion.ca.octavia_amphora_ca
      - system.salt.minion.cert.octavia.amphora_cluster_client
      
    • If you run the OpenStack gateway services in a cluster, add the following class:

      - system.reclass.storage.system.openstack_gateway_single_octavia
      

      before

      - system.reclass.storage.system.openstack_gateway_cluster
      
    • If you run the OpenStack gateway services in a single mode, add the following class:

      - system.reclass.storage.system.openstack_gateway_single_octavia
      

      before

      - system.reclass.storage.system.openstack_gateway_single
      
    • TECHNICAL PREVIEW If you want to add Octavia Cluster Manager, also add the following class:

      - system.reclass.storage.system.openstack_gateway_cluster_octavia
      
  8. Verify the classes and parameters:

    1. Verify that the cluster/<cluster_name>/openstack/octavia_manager.yml file exists, imports the following classes, and contains the private key that will be used to log in to amphorae. For example:

      classes:
      - system.octavia.manager.single
      - system.salt.minion.ca.octavia_ca
      - system.salt.minion.cert.octavia.amphora_client
      parameters:
        _param:
          cluster_local_address: ${_param:single_address}
          octavia_private_key: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIEpAIBAAKCAQEAtjnPDJsQToHBtoqIo15mdSYpfi8z6DFMi8Gbo0KCN33OUn5u
            OctbdtjUfeuhvI6px1SCnvyWi09Ft8eWwq+KwLCGKbUxLvqKltuJ7K3LIrGXkt+m
            qZN4O9XKeVKfZH+mQWkkxRWgX2r8RKNV3GkdNtd74VjhP+R6XSKJQ1Z8b7eHM10v
            6IjTY/jPczjK+eyCeEj4qbSnV8eKlqLhhquuSQRmUO2DRSjLVdpdf2BB4/BdWFsD
            YOmX7mb8kpEr9vQ+c1JKMXDwD6ehzyU8kE+1kVm5zOeEy4HdYIMpvUfN49P1anRV
            2ISQ1ZE+r22IAMKl0tekrGH0e/1NP1DF5rINMwIDAQABAoIBAQCkP/cgpaRNHyg8
            ISKIHs67SWqdEm73G3ijgB+JSKmW2w7dzJgN//6xYUAnP/zIuM7PnJ0gMQyBBTMS
            NBTv5spqZLKJZYivj6Tb1Ya8jupKm0jEWlMfBo2ZYVrfgFmrfGOfEebSvmuPlh9M
            vuzlftmWVSSUOkjODmM9D6QpzgrbpktBuA/WpX+6esMTwJpOcQ5xZWEnHXnVzuTc
            SncodVweE4gz6F1qorbqIJz8UAUQ5T0OZTdHzIS1IbamACHWaxQfixAO2s4+BoUK
            ANGGZWkfneCxx7lthvY8DiKn7M5cSRnqFyDToGqaLezdkMNlGC7v3U11FF5blSEW
            fL1o/HwBAoGBAOavhTr8eqezTchqZvarorFIq7HFWk/l0vguIotu6/wlh1V/KdF+
            aLLHgPgJ5j+RrCMvTBoKqMeeHfVGrS2udEy8L1mK6b3meG+tMxU05OA55abmhYn7
            7vF0q8XJmYIHIXmuCgF90R8Piscb0eaMlmHW9unKTKo8EOs5j+D8+AMJAoGBAMo4
            8WW+D3XiD7fsymsfXalf7VpAt/H834QTbNZJweUWhg11eLutyahyyfjjHV200nNZ
            cnU09DWKpBbLg7d1pyT69CNLXpNnxuWCt8oiUjhWCUpNqVm2nDJbUdlRFTzYb2fS
            ZC4r0oQaPD5kMLSipjcwzMWe0PniySxNvKXKInFbAoGBAKxW2qD7uKKKuQSOQUft
            aAksMmEIAHWKTDdvOA2VG6XvX5DHBLXmy08s7rPfqW06ZjCPCDq4Velzvgvc9koX
            d/lP6cvqlL9za+x6p5wjPQ4rEt/CfmdcmOE4eY+1EgLrUt314LHGjjG3ScWAiirE
            QyDrGOIGaYoQf89L3KqIMr0JAoGARYAklw8nSSCUvmXHe+Gf0yKA9M/haG28dCwo
            780RsqZ3FBEXmYk1EYvCFqQX56jJ25MWX2n/tJcdpifz8Q2ikHcfiTHSI187YI34
            lKQPFgWb08m1NnwoWrY//yx63BqWz1vjymqNQ5GwutC8XJi5/6Xp+tGGiRuEgJGH
            EIPUKpkCgYAjBIVMkpNiLCREZ6b+qjrPV96ed3iTUt7TqP7yGlFI/OkORFS38xqC
            hBP6Fk8iNWuOWQD+ohM/vMMnvIhk5jwlcwn+kF0ra04gi5KBFWSh/ddWMJxUtPC1
            2htvlEc6zQAR6QfqXHmwhg1hP81JcpqpicQzCMhkzLoR1DC6stXdLg==
            -----END RSA PRIVATE KEY-----
      

      The private key is saved to /etc/octavia/.ssh/octavia_ssh_key on the Octavia manager node.

      Note

      To generate an SSH key pair, run:

      ssh-keygen -b 2048 -t rsa -N "" -f ~/.ssh/octavia_ssh_key
      
    2. To use a spare amphora pool for the Octavia load balancer, specify the spare_amphora_pool_size parameter as required.

      octavia:
        manager:
          house_keeping:
            spare_amphora_pool_size: 0
      
  9. Verify that the following Octavia parameters are configured in cluster/<cluster_name>/openstack/init.yml. For example:

    parameters:
      _param:
         octavia_version: ${_param:openstack_version}
         octavia_service_host: ${_param:openstack_control_address}
         mysql_octavia_password: <db_password>
         keystone_octavia_password: <keystone_password>
         amp_flavor_id: <amphora-flavor-id>
         octavia_health_manager_node01_address: 192.168.0.10
         # If clusterization is enabled:
         # octavia_health_manager_node02_address: 192.168.0.11
         # octavia_health_manager_node03_address: 192.168.0.12
         octavia_loadbalancer_topology: "SINGLE"
         octavia_public_key: |
           ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2Oc8MmxBOgcG2ioijXmZ1J
           il+LzPoMUyLwZujQoI3fc5Sfm45y1t22NR966G8jqnHVIKe/JaLT0W3x5bCr4
           rAsIYptTEu+oqW24nsrcsisZeS36apk3g71cp5Up9kf6ZBaSTFFaBfavxEo1X
           caR0213vhWOE/5HpdIolDVnxvt4czXS/oiNNj+M9zOMr57IJ4SPiptKdXx4qW
           ouGGq65JBGZQ7YNFKMtV2l1/YEHj8F1YWwNg6ZfuZvySkSv29D5zUkoxcPAPp
           6HPJTyQT7WRWbnM54TLgd1ggym9R83j0/VqdFXYhJDVkT6vbYgAwqXS16SsYf
           R7/U0/UMXmsg0z root@cfg01
    

    Note

    • The parameter octavia_public_key should contain a public key generated in the previous step. In our example, it is taken from ~/.ssh/octavia_ssh_key.pub.
    • To use the amphora HA mode, set octavia_loadbalancer_topology to ACTIVE_STANDBY. By default, octavia_loadbalancer_topology is set to SINGLE to use the default load balancer topology.
  10. Optional. Override the default Octavia parameters in cluster/<cluster_name>/openstack/octavia_manager.yml. The default parameters are as follows:

    parameters:
      octavia:
        manager:
          certificates:
            ca_private_key: '/etc/octavia/certs/private/cakey.pem'
            ca_certificate: '/etc/octavia/certs/ca_01.pem'
          controller_worker:
            amp_flavor_id: ${_param:amp_flavor_id}
            amp_image_tag: amphora
            amp_ssh_key_name: octavia_ssh_key
            loadbalancer_topology: 'SINGLE'
          haproxy_amphora:
            client_cert: '/etc/octavia/certs/client.pem'
            client_cert_key: '/etc/octavia/certs/client.key'
            client_cert_all: '/etc/octavia/certs/client_all.pem'
            server_ca: '/etc/octavia/certs/ca_01.pem'
          health_manager:
            bind_ip: ${_param:octavia_hm_bind_ip}
            heartbeat_key: 'insecure'
          house_keeping:
            spare_amphora_pool_size: 0
    

    Note

    Starting from the MCP 2019.2.7 maintenance update, haproxy_amphora includes the build_rate_limit parameter, set to 2 by default. Use the parameter to configure the build rate limit for the Octavia manager.

  11. Add the configured Octavia roles to the corresponding nodes:

    salt-call state.sls reclass.storage
    
  12. Refresh pillars:

    salt '*' saltutil.refresh_pillar
    
  13. Update the Salt Minion configuration:

    salt-call state.sls salt.minion.service
    
  14. Create the Octavia database:

    salt -C 'I@galera:master' state.sls galera
    salt -C 'I@galera:slave' state.sls galera -b 1
    
  15. Configure HAProxy for Octavia API:

    salt -C 'I@haproxy:proxy' state.sls haproxy
    
  16. Configure NGINX proxy for Octavia API:

    salt -C 'I@nginx:server' state.sls nginx
    
  17. Create an Octavia user and endpoints in Keystone:

    salt -C 'I@keystone:client' state.sls keystone.client
    
  18. Upload an amphora image to Glance:

    salt -C 'I@glance:client' state.sls glance.client
    
  19. Create an amphora flavor and a key pair in Nova:

    salt -C 'I@nova:client' state.sls nova.client
    

    This state expects you to provide an SSH key that is used to create a key pair.

  20. Create the Neutron resources for Octavia:

    salt -C 'I@neutron:client' state.sls neutron.client
    

    This state creates security groups and rules for amphora instances and Health Manager, a management network with a subnet for Octavia, and a port for Health Manager.

  21. If Barbican and signing of the images for Nova are enabled, apply the following states to create a certificate and sign the Octavia amphora image:

    salt -C 'I@barbican:client' state.sls salt.minion.cert
    salt -C 'I@barbican:client' state.sls barbican.client
    
  22. Update the Salt mine:

    salt '*' mine.update
    
  23. Deploy the Octavia services:

    salt -C 'I@octavia:api and *01*' state.sls octavia
    salt -C 'I@octavia:api' state.sls octavia
    salt -C 'I@octavia:manager' state.sls octavia
    
  24. Generate certificates for the Octavia controller-amphora communication:

    salt-call state.sls salt.minion.ca
    salt-call state.sls salt.minion.cert
    

    Note

    You may need to apply the above states twice before they succeed.

    If you added Octavia Cluster Manager in previous steps, also apply the following states:

    salt-call state.sls salt.minion.ca
    salt-call state.sls salt.minion.cert
    
  25. Set up the Octavia client:

    salt -C 'I@octavia:client' state.sls octavia.client
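
The defaults in step 10 include heartbeat_key: 'insecure', the shared secret Octavia uses to authenticate amphora heartbeats to the Health Manager, and step 8 places a private key inline in octavia_manager.yml. The following shell audit of that file is an added example, not part of the MCP documentation or formulas; the function names and the 32-character minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit octavia_manager.yml for the weak defaults from step 10.
# MIN_KEY_LEN is this example's assumption, not an MCP or Octavia requirement.
MIN_KEY_LEN=32

# Print the heartbeat_key value found in a model file, with quotes stripped.
heartbeat_key_of() {
  awk '$1 == "heartbeat_key:" { print $2; exit }' "$1" | tr -d "\"'"
}

# Print 64 hex characters read from /dev/urandom, usable as heartbeat_key.
new_heartbeat_key() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -dc '0-9a-f'
}

# Audit one model file: print each finding, return the number of findings.
audit_octavia_manager() {
  file=$1
  findings=0
  key=$(heartbeat_key_of "$file")
  if [ -z "$key" ] || [ "$key" = "insecure" ]; then
    echo "FAIL: heartbeat_key is unset or 'insecure', the documented default"
    findings=$((findings + 1))
  elif [ "${#key}" -lt "$MIN_KEY_LEN" ]; then
    echo "FAIL: heartbeat_key is shorter than $MIN_KEY_LEN characters"
    findings=$((findings + 1))
  fi
  # A file that embeds octavia_private_key must not be open to group/other.
  if grep -q 'PRIVATE KEY-----' "$file"; then
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
      echo "FAIL: $file holds a private key but group/other have access"
      findings=$((findings + 1))
    fi
  fi
  return "$findings"
}

# Usage: sh audit.sh <path to octavia_manager.yml>
[ "$#" -eq 0 ] || audit_octavia_manager "$1"
```

A heartbeat_key given as a ${_param:...} reference is not resolved by this script; in that case run the audit against the file where the referenced parameter is defined.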