This article should aid in installing openstack-octavia, which is a multi-step approach as octavia have multiple complex prerequirements.
Prerequirements
For octavia to work there needs to be a routed openstack network in place where octavia can place the management-interface of its VM's (amphora). It also needs a keypair to give to these VM's in case an admin needs to log in. The VM's needs an image to boot from, and there need to be a couple of CA's in place to sign certificates authenticating octavia-servers and octavia-amphora.
Network
The octavia amphora uses a dedicated network to its amphora for administration. This network needs to be available for nova to put VM's on, and is realized in one of two ways:
...
The ID of the created network should be places into hiera at the key ntnuopenstack::octavia::network::id and the network CIDR should be placed at ntnuopenstack::octavia::management::ipv4::network
SSH Keypair
The amphora needs a keypair if an admin should be able to log into the machine and see whats going on.
- Create a regular ssh keypair
- Upload the public-key to openstack using the octavia keystone user.
- Add the name of this keypair in hiera as ntnuopenstack::octavia::ssh::keypair::name
Security-group
A security-group limiting access to the octavia management ports needs to be created in the services project. This security-group needs to permit the following:
...
Add the ID of the security-group created to hiera at the key ntnuopenstack::octavia::secgroup::id
Flavor
A suitable flavor for octavia needs to be created, or an existing one should be selected, and its ID should be placed in hiera at the key ntnuopenstack::octavia::flavor::id.
CA's
Octavia utilizes certificates for mutual authentication of the amphora and the octavia controllers. These certificates is signed by one of two CA's:
- Controllers gets certificates manually created by an admin, which is signed by one CA. (client-cert, as the octavia controller is client contacting the amphora api)
- Controllers have the root cert for a second CA which it uses to sign amphora's client CA when the amphora is created. (a server-cert, as the amphora is hosting an api)
To create these CA's, follow the guide from openstack:
Create client-certificates for all the octavia-controllers you plan to install.
Amphora
The octavia amphora needs an image, and these images needs to be created. Creating these images is simplest to do in a fresh nova-VM to avoid convoulting your local environment. The steps to create an image is generally:
- Clone the following two git-repositories:
- Check out the branch of the octavia-repo to match your environment
- Install the python dependencies listed in octavia/diskimage-create/requirements.txt
- Install qemu
- Try to build an image:
- octavia/diskimage-create/diskimage-create.sh -a amd64 -d bionic -o filnavn -s 4 -t raw
The created image should be uploaded to glance, and have the tag 'amphora' set to it to make it active.