Deploy an OpenStack cluster

This section describes how to deploy OpenStack on top of Kubernetes using the OpenStack Controller and the OpenStackDeployment (OsDpl) custom resource (CR).

To deploy an OpenStack cluster:

  1. Verify that you have pre-configured the networking according to Networking.

  2. Verify that the TLS certificates that will be required for the OpenStack cluster deployment have been pre-generated.


    The Transport Layer Security (TLS) protocol is mandatory on public endpoints.


    To avoid renewing certificates on subsequent OpenStack updates, during which additional services with new public endpoints may appear, we recommend using wildcard SSL certificates for public endpoints. For example, *, where is a cluster public domain.

    The sample code block below illustrates how to generate a self-signed certificate for the domain. The procedure presumes the cfssl and cfssljson tools are installed on the machine.

    mkdir cert && cd cert

    tee ca-config.json << EOF
    {
      "signing": {
        "default": {
          "expiry": "8760h"
        },
        "profiles": {
          "kubernetes": {
            "usages": [
              "key encipherment",
              "server auth",
              "client auth"
            ],
            "expiry": "8760h"
          }
        }
      }
    }
    EOF

    tee ca-csr.json << EOF
    {
      "CN": "kubernetes",
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "<country>",
          "ST": "<state>",
          "L": "<city>",
          "O": "<organization>",
          "OU": "<organization unit>"
        }
      ]
    }
    EOF

    # Generate the self-signed CA (ca.pem, ca-key.pem)
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca

    tee server-csr.json << EOF
    {
      "CN": "*.<cluster public domain>",
      "hosts": [
        "*.<cluster public domain>"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "US",
          "L": "San Francisco",
          "ST": "CA"
        }
      ]
    }
    EOF

    # Issue the server certificate (server.pem, server-key.pem)
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

  3. Create the openstackdeployment.yaml file that will include the OpenStack cluster deployment configuration.


    The resource of kind OpenStackDeployment (OsDpl) is a custom resource defined by a resource of kind CustomResourceDefinition. The resource is validated with the help of the OpenAPI v3 schema.

  4. Configure the OsDpl resource depending on the needs of your deployment. For the configuration details, refer to OpenStackDeployment custom resource.


    If you plan to deploy the Telemetry service, you have to specify the Telemetry mode through features:telemetry:mode as described in OpenStackDeployment custom resource. Otherwise, Telemetry will fail to deploy.

    Example of an OsDpl CR of minimum configuration:

    apiVersion: lcm.mirantis.com/v1alpha1
    kind: OpenStackDeployment
    metadata:
      name: openstack-cluster
      namespace: openstack
    spec:
      openstack_version: ussuri
      preset: compute
      size: tiny
      internal_domain_name: cluster.local
      features:
        ssl:
          public_endpoints:
            api_cert: |-
              The public key certificate of the OpenStack public endpoints followed by
              the certificates of any intermediate certificate authorities which
              establish a chain of trust up to the root CA certificate.
            api_key: |-
              The private key of the certificate for the OpenStack public endpoints.
              This key must match the public key used in the api_cert.
            ca_cert: |-
              The public key certificate of the root certificate authority.
              If you do not have one, use the top-most intermediate certificate instead.
        neutron:
          tunnel_interface: ens3
          external_networks:
            - physnet: physnet1
              interface: veth-phy
              bridge: br-ex
              network_types:
               - flat
              vlan_ranges: null
              mtu: null
          floating_network:
            enabled: False
        nova:
          live_migration_interface: ens3
          images:
            backend: local

  5. If required, enable DPDK, huge pages, and other supported Telco features as described in Advanced OpenStack configuration (optional).

  6. To the openstackdeployment object, add information about the TLS certificates:

    • ssl:public_endpoints:ca_cert - CA certificate content (ca.pem)

    • ssl:public_endpoints:api_cert - server certificate content (server.pem)

    • ssl:public_endpoints:api_key - server private key (server-key.pem)

  7. Verify that the Load Balancer network does not overlap your corporate or internal Kubernetes networks, for example, Calico IP pools. Also, verify that the address pool of the Load Balancer network is big enough to provide IP addresses for all Amphora VMs (load balancers).

    If required, reconfigure the Octavia network settings using the following sample structure:

    spec:
      services:
        load-balancer:
          octavia:
            values:
              octavia:
                settings:
                  lbmgmt_cidr: ""
                  lbmgmt_subnet_start: ""
                  lbmgmt_subnet_end: ""

  8. Trigger the OpenStack deployment:

    kubectl apply -f openstackdeployment.yaml

  9. Monitor the status of your OpenStack deployment:

    kubectl -n openstack get pods
    kubectl -n openstack describe osdpl osh-dev

  10. Assess the current status of the OpenStack deployment using the status section output in the OsDpl resource:

    1. Get the OsDpl YAML file:

      kubectl -n openstack get osdpl osh-dev -o yaml

    2. Analyze the status output using the detailed description in OpenStackDeployment custom resource.

  11. Verify that the OpenStack cluster has been deployed:

    client_pod_name=$(kubectl -n openstack get pods -l application=keystone,component=client | grep keystone-client | head -1 | awk '{print $1}')
    kubectl -n openstack exec -it "$client_pod_name" -- openstack service list

    Example of a positive system response:

    +----------------------------------+---------------+----------------+
    | ID                               | Name          | Type           |
    +----------------------------------+---------------+----------------+
    | 159f5c7e59784179b589f933bf9fc6b0 | cinderv3      | volumev3       |
    | 6ad762f04eb64a31a9567c1c3e5a53b4 | keystone      | identity       |
    | 7e265e0f37e34971959ce2dd9eafb5dc | heat          | orchestration  |
    | 8bc263babe9944cdb51e3b5981a0096b | nova          | compute        |
    | 9571a49d1fdd4a9f9e33972751125f3f | placement     | placement      |
    | a3f9b25b7447436b85158946ca1c15e2 | neutron       | network        |
    | af20129d67a14cadbe8d33ebe4b147a8 | heat-cfn      | cloudformation |
    | b00b5ad18c324ac9b1c83d7eb58c76f5 | radosgw-swift | object-store   |
    | b28217da1116498fa70e5b8d1b1457e5 | cinderv2      | volumev2       |
    | e601c0749ce5425c8efb789278656dd4 | glance        | image          |
    +----------------------------------+---------------+----------------+
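
For the wildcard certificate recommended in step 2, the following added example (not part of the original procedure) reports which public endpoint names the `hosts` list of `server-csr.json` does not cover, since a `*` entry stands for exactly one DNS label. The domain `cloud.example.com`, the endpoint names and the function names are constructed for illustration.

```python
import json

def san_matches(pattern, hostname):
    """RFC 6125-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one DNS label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered_endpoints(csr, endpoints):
    """Return the endpoints that no entry in the CSR 'hosts' list covers."""
    sans = csr.get("hosts", [])
    return [e for e in endpoints if not any(san_matches(s, e) for s in sans)]

# Constructed sample: same layout as server-csr.json above;
# cloud.example.com and the endpoint names are placeholders.
SAMPLE_CSR = json.loads("""
{
  "CN": "*.cloud.example.com",
  "hosts": ["*.cloud.example.com"],
  "key": {"algo": "rsa", "size": 2048}
}
""")
SAMPLE_ENDPOINTS = [
    "keystone.cloud.example.com",
    "nova.cloud.example.com",
    "cloud.example.com",            # apex: not covered by the wildcard
    "s3.object.cloud.example.com",  # two labels deep: not covered either
]

if __name__ == "__main__":
    for name in uncovered_endpoints(SAMPLE_CSR, SAMPLE_ENDPOINTS):
        print("not covered by certificate:", name)
```

Any name the check reports needs its own entry in `hosts` before the certificate is generated.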

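
For the checks in step 7, the following added example (not part of the original procedure) validates Octavia `lbmgmt_*` settings against networks already in use and against the expected number of Amphora VMs. All addresses, the `RESERVED` map, the function name and the assumption of one management address per Amphora VM are constructed for illustration.

```python
import ipaddress

def check_lb_network(lbmgmt_cidr, subnet_start, subnet_end, reserved, amphorae):
    """Return a list of problems found in the Octavia lbmgmt_* settings."""
    problems = []
    net = ipaddress.ip_network(lbmgmt_cidr)
    start = ipaddress.ip_address(subnet_start)
    end = ipaddress.ip_address(subnet_end)

    # The allocation range must lie inside the management CIDR.
    for key, addr in (("lbmgmt_subnet_start", start), ("lbmgmt_subnet_end", end)):
        if addr not in net:
            problems.append(f"{key} {addr} is outside {net}")

    # Assumption: each Amphora VM takes one address from the range.
    if start > end:
        problems.append("lbmgmt_subnet_start is above lbmgmt_subnet_end")
    else:
        pool = int(end) - int(start) + 1
        if pool < amphorae:
            problems.append(f"pool has {pool} addresses, {amphorae} needed")

    # The CIDR must not overlap networks already in use.
    for name, cidr in reserved.items():
        other = ipaddress.ip_network(cidr)
        if net.version == other.version and net.overlaps(other):
            problems.append(f"{net} overlaps {name} ({other})")
    return problems

# Constructed sample values, not taken from the page.
RESERVED = {"corporate": "10.0.0.0/8", "calico-pool": "192.168.0.0/16"}
BAD = ("192.168.128.0/24", "192.168.128.10", "192.168.128.200")
GOOD = ("172.31.0.0/16", "172.31.1.0", "172.31.255.254")

if __name__ == "__main__":
    for settings in (BAD, GOOD):
        print(settings[0], check_lb_network(*settings, RESERVED, 300) or "ok")
```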