This article is meant to aid in installing openstack-octavia, which is a multi-step process, as octavia has multiple complex prerequisites.

Prerequisites

For octavia to work there needs to be a routed openstack network in place where octavia can place the management interface of its VMs (amphorae). It also needs a keypair to give to these VMs in case an admin needs to log in. The VMs need an image to boot from, and there need to be a couple of CAs in place to sign the certificates authenticating the octavia servers and the octavia amphorae.

Network

Octavia uses a dedicated network to reach its amphorae for administration. This network needs to be available for nova to put VMs on, and is realized in one of two ways:

...

The ID of the created network should be placed into hiera at the key ntnuopenstack::octavia::network::id and the network CIDR should be placed at ntnuopenstack::octavia::management::ipv4::network.

SSH Keypair

The amphora needs a keypair if an admin should be able to log into the machine and see what is going on.

  • Create a regular SSH keypair.
  • Upload the public key to openstack using the octavia keystone user.
  • Add the name of this keypair in hiera as ntnuopenstack::octavia::ssh::keypair::name.

Security-group

A security-group limiting access to the octavia management ports needs to be created in the services project. This security-group needs to permit the following:

...

Add the ID of the created security-group to hiera at the key ntnuopenstack::octavia::secgroup::id.

Flavor

A suitable flavor for octavia needs to be created, or an existing one should be selected, and its ID should be placed in hiera at the key ntnuopenstack::octavia::flavor::id.
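A preflight check for the hiera keys named in the Network, SSH Keypair, Security-group and Flavor sections above, as an added example that is not part of the original article or of the ntnuopenstack puppet code. It assumes the network and security-group IDs are UUIDs and that the hiera data is flat `key: value` YAML; the function names and sample values are constructed for illustration.

```python
import ipaddress
import uuid
# Hiera keys named in this article, with the value shape assumed for each.
REQUIRED_KEYS = {
    "ntnuopenstack::octavia::network::id": "uuid",
    "ntnuopenstack::octavia::management::ipv4::network": "cidr",
    "ntnuopenstack::octavia::ssh::keypair::name": "text",
    "ntnuopenstack::octavia::secgroup::id": "uuid",
    "ntnuopenstack::octavia::flavor::id": "text",
}

# Constructed sample data with three deliberate mistakes (bad CIDR, bad ID, no flavor).
SAMPLE = """\
ntnuopenstack::octavia::network::id: '7c2f1d3e-5a4b-4c6d-8e9f-0a1b2c3d4e5f'
ntnuopenstack::octavia::management::ipv4::network: '192.0.2.17/24'   # host bits set
ntnuopenstack::octavia::ssh::keypair::name: 'octavia-admin'
ntnuopenstack::octavia::secgroup::id: 'REPLACE-ME'
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' subset of YAML (no nesting, no lists)."""
    data = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()          # drop trailing comments
        if not line or line[0] == "#" or line == "---":
            continue
        key, _, value = line.partition(": ")          # '::' in the key has no space after it
        data[key.rstrip(":")] = value.strip().strip("'\"")
    return data

def check(data):
    """Return a list of problems; an empty list means every key looks usable."""
    problems = []
    for key, kind in REQUIRED_KEYS.items():
        value = data.get(key, "")
        if not value:
            problems.append(f"{key}: missing or empty")
            continue
        try:
            if kind == "uuid":
                uuid.UUID(value)                       # raises ValueError if malformed
            elif kind == "cidr" and ipaddress.IPv4Network(value).num_addresses < 4:
                raise ValueError("network too small for amphora management")
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(parse_flat_yaml(SAMPLE))) or "all octavia hiera keys look usable")
```

The check only validates the shape of the values; it does not confirm that the referenced network, keypair, security-group or flavor exist in openstack.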

CAs

Octavia utilizes certificates for mutual authentication of the amphorae and the octavia controllers. These certificates are signed by one of two CAs:

  • Controllers get certificates manually created by an admin, which are signed by one CA. (A client cert, as the octavia controller is the client contacting the amphora API.)
  • Controllers have the root cert for a second CA, which they use to sign the amphora's certificate when the amphora is created. (A server cert, as the amphora is hosting an API.)

To create these CAs, follow the guide from openstack:

Create client-certificates for all the octavia-controllers you plan to install.

Amphora

The octavia amphora needs an image, and these images need to be created. Creating them is simplest in a fresh nova VM, to avoid cluttering your local environment. The steps to create an image are generally:

The created image should be uploaded to glance, and have the tag 'amphora' set on it to make it active.