This article should aid in installing openstack-octavia, which is a multi-step approach as octavia have multiple complex prerequirements.
Prerequirements
For octavia to work there needs to be a routed openstack network in place where octavia can place the management-interface of its VM's (amphora). It also needs a keypair to give to these VM's in case an admin needs to log in. The VM's needs an image to boot from, and there need to be a couple of CA's in place to sign certificates authenticating octavia-servers and octavia-amphora.
Network
The octavia amphora uses a dedicated network to its amphora for administration. This network needs to be available for nova to put VM's on, and is realized in one of two ways:
...
The ID of the created network should be places into hiera at the key ntnuopenstack::octavia::network::id and the network CIDR should be placed at ntnuopenstack::octavia::management::ipv4::network
SSH Keypair
The amphora needs a keypair if an admin should be able to log into the machine and see whats going on.
- Create a regular ssh keypair
- Upload the public-key to openstack using the octavia keystone user.
- Add the name of this keypair in hiera as ntnuopenstack::octavia::ssh::keypair::name
Security-group
A security-group limiting access to the octavia management ports needs to be created in the services project. This security-group needs to permit the following:
...
Add the ID of the security-group created to hiera at the key ntnuopenstack::octavia::secgroup::id
Flavor
A suitable flavor for octavia needs to be created, or an existing one should be selected, and its ID should be placed in hiera at the key ntnuopenstack::octavia::flavor::id.
CA's
Octavia utilizes certificates for mutual authentication of the amphora and the octavia controllers. These certificates is signed by one of two CA's:
- Controllers gets certificates manually created by an admin, which is signed by one CA. (client-cert, as the octavia controller is client contacting the amphora api)
- Controllers have the root cert for a second CA which it uses to sign amphora's client CA when the amphora is created. (a server-cert, as the amphora is hosting an api)
To create these CA's, follow the guide from openstack:
Create client-certificates for all the octavia-controllers you plan to install.