openstack integrator #12

Supports: bionic xenial

Description

This charm grants applications related to it a limited set of OpenStack
permissions, which lets them integrate with OpenStack-specific features such
as firewalls, load balancing, block storage and object storage.


Overview

This charm acts as a proxy to OpenStack: it holds the credentials of a
project-scoped user with deliberately limited permissions and hands them, over
the relation interface, to the applications related to it.

Usage

When on OpenStack, this charm can be deployed, granted trust via Juju to access
OpenStack, and then related to an application that supports the interface.

For example, the Canonical Distribution of Kubernetes (CDK) supports this
interface and can be deployed with the following bundle overlay:

```yaml
applications:
  openstack-integrator:
    charm: cs:~containers/openstack-integrator
    num_units: 1
relations:
  - ['openstack-integrator', 'kubernetes-master']
  - ['openstack-integrator', 'kubernetes-worker']
```

Using Juju 2.4-beta1 or later:

```sh
juju deploy cs:canonical-kubernetes --overlay ./k8s-openstack-overlay.yaml
juju trust openstack-integrator
```

To deploy with earlier versions of Juju, you will need to provide the cloud
credentials through the `credentials` charm config option instead (see
Configuration below).
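The following script is an added example, not part of the openstack-integrator charm, for the pre-`juju trust` path: it builds the JSON document that the `credentials` option expects (the keys listed under Configuration), checks that every required key is present and non-empty, base64-encodes it and writes the result to a mode-0600 file for `juju config`. The cloud values are constructed for the demo; `juju trust openstack-integrator` remains the better choice wherever the Juju version supports it.

```shell
#!/bin/bash
# Added example; not part of the openstack-integrator charm. Builds the JSON
# document that the `credentials` option expects, checks that every required
# key is present and non-empty, and base64-encodes it for `juju config`.
# `juju trust` is still the better choice wherever the Juju version has it.
set -eu

# Required keys, as documented for the charm's `credentials` option.
REQUIRED_KEYS="auth-url username password project-name user-domain-name project-domain-name"

# Escape backslashes and double quotes so a password containing either does
# not break the JSON document.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_credentials_json AUTH_URL USERNAME PASSWORD PROJECT USER_DOMAIN PROJECT_DOMAIN [CA_FILE]
# Prints the credentials JSON. When CA_FILE is given, its PEM contents go
# into the optional endpoint-tls-ca key, base64-encoded as the charm expects.
build_credentials_json() {
    local auth_url=$1 username=$2 password=$3 project=$4 user_domain=$5 project_domain=$6
    local ca_file=${7:-} ca_line=""
    if [ -n "$ca_file" ]; then
        ca_line=$(printf ',\n  "endpoint-tls-ca": "%s"' "$(base64 < "$ca_file" | tr -d '\n')")
    fi
    printf '{\n  "auth-url": "%s",\n  "username": "%s",\n  "password": "%s",\n  "project-name": "%s",\n  "user-domain-name": "%s",\n  "project-domain-name": "%s"%s\n}\n' \
        "$(json_escape "$auth_url")" "$(json_escape "$username")" "$(json_escape "$password")" \
        "$(json_escape "$project")" "$(json_escape "$user_domain")" "$(json_escape "$project_domain")" \
        "$ca_line"
}

# check_required_keys JSON
# Returns 1 and names the offending keys when any required key is missing or
# empty, instead of letting the charm fail later with a less helpful error.
check_required_keys() {
    local json=$1 key missing=0
    for key in $REQUIRED_KEYS; do
        if ! printf '%s' "$json" | grep -q "\"$key\": \"[^\"]"; then
            echo "credentials: missing or empty key '$key'" >&2
            missing=1
        fi
    done
    return $missing
}

# encode_credentials JSON
# Single-line base64, which is what `juju config` needs on the command line
# (`base64 -w0` is GNU-only, so the newlines are stripped instead).
encode_credentials() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Constructed demo values (not a real cloud). In practice take them from the
# OS_* variables of an openrc file; never commit them to a script.
demo_json=$(build_credentials_json "https://keystone.example:5000/v3" \
    "k8s-integrator" 'correct horse "battery" staple' "k8s-prod" "Default" "Default")
check_required_keys "$demo_json"

# Keep the secret out of the terminal and out of world-readable files: write
# the encoded form with a restrictive umask and reference it from `juju config`.
umask 077
cred_file=$(mktemp)
encode_credentials "$demo_json" > "$cred_file"
printf 'encoded credentials written to %s (mode 0600); apply with:\n' "$cred_file"
printf '  juju config openstack-integrator credentials="$(cat %s)"\n' "$cred_file"
```

In a bundle the same file can be referenced with `include-base64://` as the Configuration section describes; either way the user behind these credentials should be a project member with only the roles the integration needs, not an admin.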

Resource Usage Note

By relating to this charm, other charms can directly allocate resources, such
as Cinder volumes (backing PersistentVolumes) and load balancers, which can
incur cloud charges and count against project quotas. Because these resources
are not managed by Juju, they will not be deleted automatically when the model
or application is destroyed, nor will they show up in Juju's status or GUI. It
is therefore up to the operator to delete these resources manually, using the
OpenStack console or API, once they are no longer needed.
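The script below is an added example, not part of the charm, of the manual cleanup the note asks for. It scans the output of `openstack volume list` and `openstack loadbalancer list` for resources that the CDK integration typically leaves behind and prints the delete commands for review without running them. Two naming assumptions are baked in: the `kubernetes.io/cinder` provisioner names volumes `kubernetes-dynamic-pvc-<uid>`, and the OpenStack cloud provider names load balancers with an `a` followed by the 32 hex digits of the Service UID. The sample listings are constructed, not taken from a real cloud.

```shell
#!/bin/bash
# Added example; not part of the openstack-integrator charm. Finds the Cinder
# volumes and load balancers that a destroyed CDK model can leave behind in
# the project and prints the delete commands for review (a dry run: nothing
# is deleted). Naming assumptions: the kubernetes.io/cinder provisioner names
# volumes "kubernetes-dynamic-pvc-<uid>" and the OpenStack cloud provider
# names load balancers "a" followed by the 32-hex-digit service UID.
set -eu

# Constructed sample output (not from a real cloud) of:
#   openstack volume list -f value -c ID -c Name -c Status
SAMPLE_VOLUMES='6c0a2b6e-6f3d-4a53-9a4a-1b7a5e3f0c01 kubernetes-dynamic-pvc-0d1f6a2e-43b1-11e9-9c44-fa163e2a1b3c available
b2e11c3f-2a1d-4d7c-8e2f-5e9b0c1d2e02 kubernetes-dynamic-pvc-7a9e4c10-43b1-11e9-9c44-fa163e2a1b3c in-use
c3f22d40-3b2e-4e8d-9f30-6fac1d2e3f03 db-backup available'

# Constructed sample output of:
#   openstack loadbalancer list -f value -c id -c name -c provisioning_status
SAMPLE_LBS='d4a33e51-4c3f-4f9e-a041-7abd2e3f4a04 a8f0c2d4e6b84a7c9d1e2f3a4b5c6d7e8 ACTIVE
e5b44f62-5d40-40af-b152-8bce3f4a5b05 prod-api-lb ACTIVE'

# Reads "ID NAME STATUS" lines on stdin and prints the IDs of provisioner-
# created volumes that are no longer attached to any instance. An in-use
# volume still belongs to a running node, so it is never listed.
find_detached_k8s_volumes() {
    awk '$2 ~ /^kubernetes-dynamic-pvc-/ && $3 == "available" { print $1 }'
}

# Reads "ID NAME STATUS" lines on stdin and prints the IDs of load balancers
# whose name matches the cloud provider's "a<32 hex digits>" pattern.
find_k8s_loadbalancers() {
    awk 'length($2) == 33 && $2 ~ /^a[0-9a-f]+$/ { print $1 }'
}

# cleanup_plan VOLUME_LIST LB_LIST
# Prints one delete command per candidate. --cascade also removes the
# listeners, pools and members the cloud provider created under the LB.
cleanup_plan() {
    printf '%s\n' "$1" | find_detached_k8s_volumes | awk '{ print "openstack volume delete " $1 }'
    printf '%s\n' "$2" | find_k8s_loadbalancers | awk '{ print "openstack loadbalancer delete --cascade " $1 }'
}

# Dry run over the constructed samples. Against a real project replace the
# samples with the live command output, then review the list: a detached
# "kubernetes-dynamic-pvc-*" volume may still belong to a cluster that shares
# the project (check `kubectl get pv` there) before anything is deleted.
echo "# candidate cleanup commands (review before running):"
cleanup_plan "$SAMPLE_VOLUMES" "$SAMPLE_LBS"
```

Running the integration in a project of its own makes this review much simpler, because everything matching the patterns is then known to belong to the cluster.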

Examples

The following examples use the OpenStack integration with CDK.

Creating a pod with a Cinder-backed volume

This script creates a busybox pod with a persistent volume claim backed by an
OpenStack Cinder volume, provisioned through the kubernetes.io/cinder
provisioner.

```sh
#!/bin/bash

# create a storage class using the kubernetes.io/cinder provisioner
kubectl create -f - <<EOY
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: openstack-standard
provisioner: kubernetes.io/cinder
EOY

# create a persistent volume claim using that storage class
kubectl create -f - <<EOY
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: testclaim
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Mi
  storageClassName: openstack-standard
EOY

# create the busybox pod with a volume using that PVC
kubectl create -f - <<EOY
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
    - image: busybox
      command:
        - sleep
        - "3600"
      imagePullPolicy: IfNotPresent
      name: busybox
      volumeMounts:
        - mountPath: "/pv"
          name: testvolume
  restartPolicy: Always
  volumes:
    - name: testvolume
      persistentVolumeClaim:
        claimName: testclaim
EOY
```

Creating a service with an OpenStack load balancer

The following script starts the hello-world deployment behind an
OpenStack-backed load balancer and watches the service until the external IP
is assigned.

```sh
#!/bin/bash

# run five replicas of the sample app, labelled so the service can select them
kubectl run hello-world --replicas=5 --labels="run=load-balancer-example" --image=gcr.io/google-samples/node-hello:1.0 --port=8080

# expose it through a LoadBalancer service; the cloud provider allocates the OpenStack load balancer
kubectl expose deployment hello-world --type=LoadBalancer --name=hello

# watch until EXTERNAL-IP changes from <pending> to the allocated address
watch kubectl get svc -o wide --selector=run=load-balancer-example
```


Configuration

auth-url
(string) The URL of the keystone API used to authenticate. On OpenStack control panels, this can be found at Access and Security > API Access > Credentials.
bs-version
(string) Used to override automatic version detection. Valid values are v1, v2, v3 and auto. When auto is specified automatic detection will select the highest supported version exposed by the underlying OpenStack cloud. If not set, will use the upstream default.
credentials
(string) The base64-encoded contents of a JSON file containing OpenStack credentials. The JSON must contain the keys auth-url, username, password, project-name, user-domain-name and project-domain-name, and may also contain a base64-encoded CA certificate under the endpoint-tls-ca key. In a bundle this can be set with 'include-base64://' (see https://jujucharms.com/docs/stable/charms-bundles#setting-charm-configurations-options-in-a-bundle); from the command line use 'juju config openstack-integrator credentials="$(base64 /path/to/file)"'. It is strongly recommended that you use 'juju trust' instead, if available.
endpoint-tls-ca
(string) A CA certificate that can be used to verify the target cloud API endpoints. Use 'include-base64://' in a bundle to include a certificate. Otherwise, pass a base64-encoded certificate (base64 of "-----BEGIN" to "-----END") as a config option in a Juju CLI invocation.
floating-network-id
(string) Floating IP network ID that should be used to set FIPs for load balancers.
ignore-volume-az
(boolean) Used to influence availability zone use when attaching Cinder volumes. When Nova and Cinder have different availability zones, this should be set to true. This is most commonly the case where there are many Nova availability zones but only one Cinder availability zone. If not set, will use the upstream default.
lb-method
(string) The load-balancing algorithm; one of ROUND_ROBIN, LEAST_CONNECTIONS or SOURCE_IP.
manage-security-groups
(boolean) Whether the load balancer should automatically manage security group rules. When false, load balancer rules are added to the project (tenant) default security group, so they apply to every instance that uses that group. When true, a dedicated security group with the corresponding rules is created for each load balancer; make sure the project quota allows enough security groups and rules.
password
(string) Password of a valid user set in keystone.
project-domain-name
(string) Name of the project domain where you want to create your resources.
project-name
(string) Name of project where you want to create your resources.
region
(string) Name of the region where you want to create your resources.
subnet-id
(string) ID of the OpenStack subnet used to set up load balancers. The LoadBalancer section of cloud.conf is only enabled when this option is set.
trust-device-path
(boolean) In most scenarios the block device names provided by Cinder (e.g. /dev/vda) cannot be trusted. This boolean toggles that behaviour: true trusts the block device names provided by Cinder, while false (the recommended setting) discovers the device path from its serial number via the /dev/disk/by-id mapping. If not set, will use the upstream default.
user-domain-name
(string) Name of the user domain where you want to create your resources.
username
(string) Username of a valid user set in keystone.
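To show how these options end up in the cloud.conf that the Kubernetes OpenStack cloud provider reads, here is an added example that is not the charm's own template: it renders cloud.conf from the option values (supplied as OSI_* environment variables, a naming assumption) and checks the result for the two settings this page warns about, trust-device-path=true and manage-security-groups=false. Section and key names follow the in-tree OpenStack cloud provider; the charm's real template may differ in detail, and the demo values are constructed.

```shell
#!/bin/bash
# Added example; not the charm's own template. Renders a cloud.conf from the
# charm options (supplied here as OSI_* environment variables, a naming
# assumption) and checks it for the two settings the page warns about.
# Section and key names follow the in-tree Kubernetes OpenStack cloud
# provider; the charm's real template may differ in detail.
set -eu

# emit_if_set KEY VALUE: print "KEY = VALUE" only when VALUE is non-empty,
# so unset charm options fall through to the upstream defaults.
emit_if_set() {
    if [ -n "$2" ]; then
        printf '%s = %s\n' "$1" "$2"
    fi
}

# Prints cloud.conf on stdout. The [LoadBalancer] section is written only
# when subnet-id is set, matching the documented behaviour of that option.
# (endpoint-tls-ca would be written to a file and referenced via ca-file.)
render_cloud_conf() {
    printf '[Global]\n'
    printf 'auth-url = %s\n' "${OSI_AUTH_URL:?auth-url is required}"
    printf 'username = %s\n' "${OSI_USERNAME:?username is required}"
    printf 'password = %s\n' "${OSI_PASSWORD:?password is required}"
    printf 'tenant-name = %s\n' "${OSI_PROJECT_NAME:?project-name is required}"
    printf 'domain-name = %s\n' "${OSI_USER_DOMAIN_NAME:?user-domain-name is required}"
    printf 'tenant-domain-name = %s\n' "${OSI_PROJECT_DOMAIN_NAME:?project-domain-name is required}"
    emit_if_set region "${OSI_REGION:-}"
    emit_if_set ca-file "${OSI_CA_FILE:-}"
    printf '\n[BlockStorage]\n'
    emit_if_set bs-version "${OSI_BS_VERSION:-}"
    emit_if_set trust-device-path "${OSI_TRUST_DEVICE_PATH:-}"
    emit_if_set ignore-volume-az "${OSI_IGNORE_VOLUME_AZ:-}"
    if [ -n "${OSI_SUBNET_ID:-}" ]; then
        printf '\n[LoadBalancer]\n'
        printf 'subnet-id = %s\n' "$OSI_SUBNET_ID"
        emit_if_set floating-network-id "${OSI_FLOATING_NETWORK_ID:-}"
        emit_if_set lb-method "${OSI_LB_METHOD:-}"
        emit_if_set manage-security-groups "${OSI_MANAGE_SECURITY_GROUPS:-}"
    fi
}

# Reads a cloud.conf on stdin and returns 1 after warning about settings that
# weaken the deployment: trusting Cinder's device names, and letting load
# balancer rules land in the project's default security group.
check_cloud_conf() {
    local line rc=0
    while IFS= read -r line; do
        case "$line" in
            "trust-device-path = true")
                echo "warning: trust-device-path=true; leave it false so the device is found via /dev/disk/by-id" >&2
                rc=1 ;;
            "manage-security-groups = false")
                echo "warning: manage-security-groups=false puts load balancer rules into the project default security group, opening those ports on every instance in it" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Demo with constructed values (not a real cloud), in a subshell so nothing
# leaks into the caller's environment. trust-device-path=true is deliberately
# the discouraged setting so the check has something to report. cloud.conf
# carries the password, so a real render should go to a mode-0600 file.
(
    export OSI_AUTH_URL=https://keystone.example:5000/v3 OSI_USERNAME=k8s-integrator
    export OSI_PASSWORD=s3cret OSI_PROJECT_NAME=k8s-prod
    export OSI_USER_DOMAIN_NAME=Default OSI_PROJECT_DOMAIN_NAME=Default
    export OSI_SUBNET_ID=1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b OSI_TRUST_DEVICE_PATH=true
    conf=$(render_cloud_conf)
    printf '%s\n' "$conf"
    printf '%s\n' "$conf" | check_cloud_conf || echo "fix the warnings above before deploying" >&2
)
```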