Add OVN sub-section to the Octavia appendix
Fix up style: headings, alignment of blocks, etc. Change-Id: Ibae6a2b54345ba913dc984c6107ee9ab790c3c60
This commit is contained in:
Frode Nordahl
parent
62f861541c
commit
b4cec4df1b
@ -1,8 +1,9 @@
|
||||
=========================
|
||||
Appendix H: Octavia LBaaS
|
||||
=========================
|
||||
|
||||
Overview
|
||||
++++++++
|
||||
--------
|
||||
|
||||
As of the 18.11 charm release, with OpenStack Rocky and later, OpenStack
|
||||
Octavia can be deployed to provide Load-balancing services as part of an
|
||||
@ -30,15 +31,15 @@ placed haproxy instances on neutron-gateway units.
|
||||
moved prior to deletion of existing LBaaS based balancers.
|
||||
|
||||
Deployment
|
||||
++++++++++
|
||||
----------
|
||||
|
||||
Octavia makes use of OpenStack Barbican for storage of certificates for
|
||||
TLS termination on load balancers; Barbican makes use of Vault for secure
|
||||
storage of this data. Follow the instructions for deployment and
|
||||
configuration of Vault in `Appendix C <./app-vault.html>`_ and then
|
||||
deploy Barbican:
|
||||
configuration of Vault in the `Vault`_ and `Certificate Lifecycle Management`_
|
||||
appendices and then deploy Barbican:
|
||||
|
||||
.. code::
|
||||
.. code-block:: none
|
||||
|
||||
juju deploy barbican --config openstack-origin=cloud:bionic-rocky
|
||||
juju deploy barbican-vault
|
||||
@ -50,7 +51,10 @@ deploy Barbican:
|
||||
|
||||
Octavia can then be deployed:
|
||||
|
||||
.. code::
|
||||
Neutron ML2+OVS
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
juju deploy octavia --config openstack-origin=cloud:bionic-rocky
|
||||
juju add-relation octavia rabbitmq-server
|
||||
@ -62,6 +66,22 @@ Octavia can then be deployed:
|
||||
juju deploy octavia-dashboard
|
||||
juju add-relation octavia-dashboard openstack-dashboard
|
||||
|
||||
Neutron ML2+OVN
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
juju deploy octavia --config openstack-origin=cloud:bionic-ussuri
|
||||
juju add-relation octavia rabbitmq-server
|
||||
juju add-relation octavia mysql
|
||||
juju add-relation octavia keystone
|
||||
juju add-relation octavia ovn-chassis
|
||||
juju add-relation octavia neutron-api
|
||||
|
||||
juju deploy octavia-dashboard
|
||||
juju add-relation octavia-dashboard openstack-dashboard
|
||||
|
||||
|
||||
.. note::
|
||||
|
||||
Octavia uses a Neutron network for communication between
|
||||
@ -70,10 +90,10 @@ Octavia can then be deployed:
|
||||
are executed.
|
||||
|
||||
Configuration
|
||||
+++++++++++++
|
||||
-------------
|
||||
|
||||
Generate Certificates
|
||||
---------------------
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Octavia uses client certificates for authentication and security of
|
||||
communication between Amphorae (load balancers) and the Octavia
|
||||
@ -84,7 +104,7 @@ as configuration.
|
||||
The script below generates example certificates and keys with a 365
|
||||
day expiry period:
|
||||
|
||||
.. code::
|
||||
.. code-block:: none
|
||||
|
||||
mkdir -p demoCA/newcerts
|
||||
touch demoCA/index.txt
|
||||
@ -116,7 +136,7 @@ day expiry period:
|
||||
|
||||
The generated certs and keys must then be provided to the octavia charm:
|
||||
|
||||
.. code::
|
||||
.. code-block:: none
|
||||
|
||||
juju config octavia \
|
||||
lb-mgmt-issuing-cacert="$(base64 controller_ca.pem)" \
|
||||
@ -131,13 +151,13 @@ The generated certs and keys must then be provided to the octavia charm:
|
||||
Certification Authority required to operate Octavia.
|
||||
|
||||
Resource Configuration
|
||||
----------------------
|
||||
~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The charm will automatically create and maintain the resources required for
|
||||
operation of the Octavia service by running the `configure-resources` action
|
||||
on the lead octavia unit:
|
||||
|
||||
.. code::
|
||||
.. code-block:: none
|
||||
|
||||
juju run-action --wait octavia/0 configure-resources
|
||||
|
||||
@ -147,7 +167,7 @@ Access to the Octavia load-balancer API is guarded by policies and end users
|
||||
must have specific roles to gain access to the service. The charm will request
|
||||
Keystone to pre-create these roles for you on deployment but you must assign the
|
||||
roles to your end users as you see fit. Take a look at
|
||||
`Octavia Policies <https://docs.openstack.org/octavia/latest/configuration/policy.html>`_.
|
||||
`Octavia Policies`_.
|
||||
|
||||
The charm also allows the operator to pre-configure these resources to support
|
||||
full custom configuration of the management network for Octavia. If you want
|
||||
@ -176,7 +196,7 @@ The UUID of the Nova flavor to use for Amphorae can be set using the
|
||||
`custom-amp-flavor-id` configuration option.
|
||||
|
||||
Amphora image
|
||||
-------------
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
Octavia uses Amphorae (cloud instances running HAProxy) to provide LBaaS services;
|
||||
an appropriate image must be uploaded to Glance with the tag `octavia-amphora`.
|
||||
@ -190,7 +210,7 @@ image store.
|
||||
|
||||
Example usage:
|
||||
|
||||
.. code::
|
||||
.. code-block:: none
|
||||
|
||||
juju deploy glance-simplestreams-sync \
|
||||
--config source=ppa:simplestreams-dev/trunk
|
||||
@ -208,7 +228,7 @@ unit to initiate the Amphora image retrofitting process.
|
||||
|
||||
This is accomplished through running an action on one of the units.
|
||||
|
||||
.. code::
|
||||
.. code-block:: none
|
||||
|
||||
juju run-action --wait octavia-diskimage-retrofit/leader retrofit-image
|
||||
|
||||
@ -220,14 +240,14 @@ Octavia will use this image for all Amphora instances.
|
||||
LBaaS services remain secure; this process is not covered in this
|
||||
document.
|
||||
|
||||
See the Octavia `operators maintenance <https://docs.openstack.org/octavia/latest/admin/guides/operator-maintenance.html#rotating-the-amphora-images>`_ guide for more details.
|
||||
See the Octavia `operators maintenance`_ guide for more details.
|
||||
|
||||
Usage
|
||||
+++++
|
||||
-----
|
||||
|
||||
To deploy a basic HTTP load balancer using a floating IP for access:
|
||||
|
||||
.. code::
|
||||
.. code-block:: none
|
||||
|
||||
lb_vip_port_id=$(openstack loadbalancer create -f value -c vip_port_id --name lb1 --vip-subnet-id private_subnet)
|
||||
|
||||
@ -256,6 +276,12 @@ The example is also most applicable in cloud deployments which use overlay
|
||||
networking for project networks and floating IP's for network ingress to project
|
||||
networks.
|
||||
|
||||
For more information on creating and configuring load balancing services in Octavia
|
||||
please refer to the
|
||||
`Octavia cookbook <https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html>`_.
|
||||
For more information on creating and configuring load balancing services in
|
||||
Octavia please refer to the `Octavia cookbook`_.
|
||||
|
||||
.. LINKS
|
||||
.. _Vault: app-vault
|
||||
.. _Certificate Lifecycle Management: app-certificate-management
|
||||
.. _Octavia Policies: https://docs.openstack.org/octavia/latest/configuration/policy.html
|
||||
.. _Octavia cookbook: https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html
|
||||
.. _operators maintenance: https://docs.openstack.org/octavia/latest/admin/guides/operator-maintenance.html#rotating-the-amphora-images
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user