openstack/charm-deployment-guide
Code Issues Proposed changes

Add OVN sub-section to the Octavia appendix

Browse Source 
Fix up style: headings, alignment of blocks, etc.

Change-Id: Ibae6a2b54345ba913dc984c6107ee9ab790c3c60
This commit is contained in:
Frode Nordahl 2020-05-12 14:20:31 +02:00
parent 62f861541c
commit b4cec4df1b
No known key found for this signature in database
GPG Key ID: 6A5D59A3BA48373F
1 changed files with 131 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
deploy-guide/source/app-octavia.rst
View File

@ -1,8 +1,9 @@
=========================
Appendix H: Octavia LBaaS Appendix H: Octavia LBaaS
========================= =========================
Overview Overview
++++++++ --------
As of the 18.11 charm release, with OpenStack Rocky and later, OpenStack As of the 18.11 charm release, with OpenStack Rocky and later, OpenStack
Octavia can be deployed to provide Load-balancing services as part of an Octavia can be deployed to provide Load-balancing services as part of an
@ -30,15 +31,15 @@ placed haproxy instances on neutron-gateway units.
moved prior to deletion of existing LBaaS based balancers. moved prior to deletion of existing LBaaS based balancers.
Deployment Deployment
++++++++++ ----------
Octavia makes use of OpenStack Barbican for storage of certificates for Octavia makes use of OpenStack Barbican for storage of certificates for
TLS termination on load balancers; Barbican makes use of Vault for secure TLS termination on load balancers; Barbican makes use of Vault for secure
storage of this data. Follow the instructions for deployment and storage of this data. Follow the instructions for deployment and
configuration of Vault in `Appendix C <./app-vault.html>`_ and then configuration of Vault in the `Vault`_ and `Certificate Lifecycle Management`_
deploy Barbican: appendices and then deploy Barbican:
.. code:: .. code-block:: none
juju deploy barbican --config openstack-origin=cloud:bionic-rocky juju deploy barbican --config openstack-origin=cloud:bionic-rocky
juju deploy barbican-vault juju deploy barbican-vault
@ -50,7 +51,10 @@ deploy Barbican:
Octavia can then be deployed: Octavia can then be deployed:
.. code:: Neutron ML2+OVS
~~~~~~~~~~~~~~~
.. code-block:: none
juju deploy octavia --config openstack-origin=cloud:bionic-rocky juju deploy octavia --config openstack-origin=cloud:bionic-rocky
juju add-relation octavia rabbitmq-server juju add-relation octavia rabbitmq-server
@ -62,6 +66,22 @@ Octavia can then be deployed:
juju deploy octavia-dashboard juju deploy octavia-dashboard
juju add-relation octavia-dashboard openstack-dashboard juju add-relation octavia-dashboard openstack-dashboard
Neutron ML2+OVN
~~~~~~~~~~~~~~~
.. code-block:: none
juju deploy octavia --config openstack-origin=cloud:bionic-ussuri
juju add-relation octavia rabbitmq-server
juju add-relation octavia mysql
juju add-relation octavia keystone
juju add-relation octavia ovn-chassis
juju add-relation octavia neutron-api
juju deploy octavia-dashboard
juju add-relation octavia-dashboard openstack-dashboard
.. note:: .. note::
Octavia uses a Neutron network for communication between Octavia uses a Neutron network for communication between
@ -70,10 +90,10 @@ Octavia can then be deployed:
are executed. are executed.
Configuration Configuration
+++++++++++++ -------------
Generate Certificates Generate Certificates
--------------------- ~~~~~~~~~~~~~~~~~~~~~
Octavia uses client certificates for authentication and security of Octavia uses client certificates for authentication and security of
communication between Amphorae (load balancers) and the Octavia communication between Amphorae (load balancers) and the Octavia
@ -84,7 +104,7 @@ as configuration.
The script below generates example certificates and keys with a 365 The script below generates example certificates and keys with a 365
day expiry period: day expiry period:
.. code:: .. code-block:: none
mkdir -p demoCA/newcerts mkdir -p demoCA/newcerts
touch demoCA/index.txt touch demoCA/index.txt
@ -116,7 +136,7 @@ day expiry period:
The generated certs and keys must then be provided to the octavia charm: The generated certs and keys must then be provided to the octavia charm:
.. code:: .. code-block:: none
juju config octavia \ juju config octavia \
lb-mgmt-issuing-cacert="$(base64 controller_ca.pem)" \ lb-mgmt-issuing-cacert="$(base64 controller_ca.pem)" \
@ -131,13 +151,13 @@ The generated certs and keys must then be provided to the octavia charm:
Certification Authority required to operate Octavia. Certification Authority required to operate Octavia.
Resource Configuration Resource Configuration
---------------------- ~~~~~~~~~~~~~~~~~~~~~~
The charm will automatically create and maintain the resources required for The charm will automatically create and maintain the resources required for
operation of the Octavia service by running the `configure-resources` action operation of the Octavia service by running the `configure-resources` action
on the lead octavia unit: on the lead octavia unit:
.. code:: .. code-block:: none
juju run-action --wait octavia/0 configure-resources juju run-action --wait octavia/0 configure-resources
@ -147,7 +167,7 @@ Access to the Octavia load-balancer API is guarded by policies and end users
must have specific roles to gain access to the service. The charm will request must have specific roles to gain access to the service. The charm will request
Keystone to pre-create these roles for you on deployment but you must assign the Keystone to pre-create these roles for you on deployment but you must assign the
roles to your end users as you see fit. Take a look at roles to your end users as you see fit. Take a look at
`Octavia Policies <https://docs.openstack.org/octavia/latest/configuration/policy.html>`_. `Octavia Policies`_.
The charm also allows the operator to pre-configure these resources to support The charm also allows the operator to pre-configure these resources to support
full custom configuration of the management network for Octavia. If you want full custom configuration of the management network for Octavia. If you want
@ -176,7 +196,7 @@ The UUID of the Nova flavor to use for Amphorae can be set using the
`custom-amp-flavor-id` configuration option. `custom-amp-flavor-id` configuration option.
Amphora image Amphora image
------------- ~~~~~~~~~~~~~
Octavia uses Amphorae (cloud instances running HAProxy) to provide LBaaS services; Octavia uses Amphorae (cloud instances running HAProxy) to provide LBaaS services;
an appropriate image must be uploaded to Glance with the tag `octavia-amphora`. an appropriate image must be uploaded to Glance with the tag `octavia-amphora`.
@ -190,7 +210,7 @@ image store.
Example usage: Example usage:
.. code:: .. code-block:: none
juju deploy glance-simplestreams-sync \ juju deploy glance-simplestreams-sync \
--config source=ppa:simplestreams-dev/trunk --config source=ppa:simplestreams-dev/trunk
@ -208,7 +228,7 @@ unit to initiate the Amphora image retrofitting process.
This is accomplished through running an action on one of the units. This is accomplished through running an action on one of the units.
.. code:: .. code-block:: none
juju run-action --wait octavia-diskimage-retrofit/leader retrofit-image juju run-action --wait octavia-diskimage-retrofit/leader retrofit-image
@ -220,14 +240,14 @@ Octavia will use this image for all Amphora instances.
LBaaS services remain secure; this process is not covered in this LBaaS services remain secure; this process is not covered in this
document. document.
See the Octavia `operators maintenance <https://docs.openstack.org/octavia/latest/admin/guides/operator-maintenance.html#rotating-the-amphora-images>`_ guide for more details. See the Octavia `operators maintenance`_ guide for more details.
Usage Usage
+++++ -----
To deploy a basic HTTP load balancer using a floating IP for access: To deploy a basic HTTP load balancer using a floating IP for access:
.. code:: .. code-block:: none
lb_vip_port_id=$(openstack loadbalancer create -f value -c vip_port_id --name lb1 --vip-subnet-id private_subnet) lb_vip_port_id=$(openstack loadbalancer create -f value -c vip_port_id --name lb1 --vip-subnet-id private_subnet)
@ -256,6 +276,12 @@ The example is also most applicable in cloud deployments which use overlay
networking for project networks and floating IP's for network ingress to project networking for project networks and floating IP's for network ingress to project
networks. networks.
For more information on creating and configuring load balancing services in Octavia For more information on creating and configuring load balancing services in
please refer to the Octavia please refer to the `Octavia cookbook`_.
`Octavia cookbook <https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html>`_.
.. LINKS
.. _Vault: app-vault
.. _Certificate Lifecycle Management: app-certificate-management
.. _Octavia Policies: https://docs.openstack.org/octavia/latest/configuration/policy.html
.. _Octavia cookbook: https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html
.. _operators maintenance: https://docs.openstack.org/octavia/latest/admin/guides/operator-maintenance.html#rotating-the-amphora-images