Deploy Gnocchi
Gnocchi is used by Ceilometer to aggregate and index metric data from various OpenStack services. It consists of several components: an HTTP REST API, an optional statsd-compatible daemon, and an asynchronous processing daemon (named gnocchi-metricd).
Create Secrets
Information about the secrets used
Manual secret generation is only required if you haven't run the create-secrets.sh script located in /opt/genestack/bin.
Example secret generation
kubectl --namespace openstack create secret generic gnocchi-admin \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack create secret generic gnocchi-db-password \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack create secret generic gnocchi-pgsql-password \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
Object Storage Options
Create ceph-etc configmap
While the below example should work fine for most environments, depending on your use case it may be necessary to provide additional client configuration options for ceph. The below simply creates the expected ceph-etc ConfigMap for the ceph.conf needed by Gnocchi to establish a connection to the mon host(s) via the rados client.
kubectl apply -n openstack -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: ceph-etc
  namespace: openstack
data:
  ceph.conf: |
    [global]
    mon_host = $(for pod in $(kubectl get pods -n rook-ceph | grep rook-ceph-mon | awk '{print $1}'); do \
        echo -n "$(kubectl get pod $pod -n rook-ceph -o go-template --template='{{.status.podIP}}'):6789,"; done \
        | sed 's/,$//')
EOF
Verify the ceph-etc configmap is sane
Below is an example of what you're looking for to verify the configmap was created as expected: a CSV of the mon hosts, colon separated with default mon port, 6789.
Should yield output like:
Note
You will need the mon_host and client.admin keyring details for your external ceph cluster before proceeding.
Create ceph-etc configmap
Be sure to replace the mon_host value, REPLACE_ME, below!
kubectl apply -n openstack -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: ceph-etc
  namespace: openstack
data:
  ceph.conf: |
    [global]
    cephx = true
    cephx_cluster_require_signatures = true
    cephx_require_signatures = false
    cephx_service_require_signatures = false
    debug_ms = 0/0
    log_file = /dev/stdout
    mon_cluster_log_file = /dev/stdout
    mon_host = REPLACE_ME
    [client.admin]
    keyring = /etc/ceph/ceph.client.admin.keyring
EOF
Create the admin keyring secret
Be sure to replace the key value, REPLACE_ME, below!
KEYRING=$(base64 -w0 <<EOF
[client.admin]
key = REPLACE_ME
caps mds = "allow *"
caps mgr = "allow *"
caps mon = "allow *"
caps osd = "allow *"
EOF
)
kubectl get ns rook-ceph &> /dev/null || kubectl create ns rook-ceph
kubectl apply -n rook-ceph -f - <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: rook-ceph-admin-keyring
  namespace: rook-ceph
data:
  keyring: ${KEYRING}
EOF
unset KEYRING
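The checks the ceph-etc steps above call for (mon_host is a comma-separated list of host:port entries, and no REPLACE_ME placeholder is left behind), written as an added example that is not part of the Genestack documentation or repository. The function name check_mon_host, the sample addresses and the IPv4-only entry format are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate the mon_host line of a ceph.conf read from stdin.
# Assumption: entries are IPv4:port, comma separated, as in the Rook example.
# Live use (assumed invocation):
#   kubectl -n openstack get configmap ceph-etc \
#     -o jsonpath='{.data.ceph\.conf}' | check_mon_host

check_mon_host() (
    # Body runs in a subshell so IFS changes and variables do not leak.
    value="$(grep -E '^[[:space:]]*mon_host[[:space:]]*=' | head -n 1 \
        | cut -d= -f2- | tr -d '[:space:]')"
    case "$value" in
        "")           echo "mon_host missing or empty"; exit 1 ;;
        *REPLACE_ME*) echo "placeholder REPLACE_ME not replaced"; exit 1 ;;
        ,*|*,|*,,*)   echo "empty entry (stray comma): $value"; exit 1 ;;
    esac
    count=0
    IFS=,
    for entry in $value; do
        ip="${entry%:*}"
        port="${entry##*:}"
        # Shape check: dotted quad followed by a numeric port.
        if ! printf '%s\n' "$entry" \
            | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}$'; then
            echo "not IPv4:port: $entry"; exit 1
        fi
        IFS=.
        for octet in $ip; do
            [ "$octet" -le 255 ] || { echo "bad octet in $entry"; exit 1; }
        done
        IFS=,
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port in $entry"; exit 1
        fi
        count=$((count + 1))
    done
    echo "ok: $count mon host(s)"
)

# Constructed sample input (not real cluster addresses).
SAMPLE_CONF='[global]
mon_host = 10.0.0.11:6789,10.0.0.12:6789,10.0.0.13:6789'
printf '%s\n' "$SAMPLE_CONF" | check_mon_host
```

An external cluster that lists mons by hostname or in another address form needs the shape check relaxed accordingly.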
Check back later for more information.
Run the package deployment
Run the Gnocchi deployment script bin/install-gnocchi.sh
#!/bin/bash
pushd /opt/genestack/submodules/openstack-helm-infra || exit
helm upgrade --install gnocchi ./gnocchi \
    --namespace=openstack \
    --timeout 10m \
    -f /opt/genestack/base-helm-configs/gnocchi/gnocchi-helm-overrides.yaml \
    -f /etc/genestack/helm-configs/gnocchi/gnocchi-helm-overrides.yaml \
    --set conf.ceph.admin_keyring="$(kubectl get secret --namespace rook-ceph rook-ceph-admin-keyring -o jsonpath='{.data.keyring}' | base64 -d)" \
    --set conf.gnocchi.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
    --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
    --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
    --set endpoints.identity.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-admin -o jsonpath='{.data.password}' | base64 -d)" \
    --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
    --set endpoints.oslo_db.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-db-password -o jsonpath='{.data.password}' | base64 -d)" \
    --set endpoints.oslo_db_postgresql.auth.admin.password="$(kubectl --namespace openstack get secret postgresql-db-admin -o jsonpath='{.data.password}' | base64 -d)" \
    --set endpoints.oslo_db_postgresql.auth.gnocchi.password="$(kubectl --namespace openstack get secret gnocchi-pgsql-password -o jsonpath='{.data.password}' | base64 -d)" \
    --post-renderer /etc/genestack/kustomize/kustomize.sh \
    --post-renderer-args gnocchi/overlay "$@"
popd || exit
Tip
You may need to provide custom values to configure your OpenStack services. For a simple single-region or lab deployment, you can supply an additional overrides flag using the example found at base-helm-configs/aio-example-openstack-overrides.yaml.
In other cases, such as a multi-region deployment, you may want to view the Multi-Region Support guide for a workflow solution.
Custom Listeners
This step is not needed if all listeners were applied when the Gateway API was deployed
Example listener patch file found in /opt/genestack/etc/gateway-api/listeners
[
    {
        "op": "add",
        "path": "/spec/listeners/-",
        "value": {
            "name": "gnocchi-https",
            "port": 443,
            "protocol": "HTTPS",
            "hostname": "gnocchi.your.domain.tld",
            "allowedRoutes": {
                "namespaces": {
                    "from": "All"
                }
            },
            "tls": {
                "certificateRefs": [
                    {
                        "group": "",
                        "kind": "Secret",
                        "name": "gnocchi-gw-tls-secret"
                    }
                ],
                "mode": "Terminate"
            }
        }
    }
]
Modify the Listener Patch
This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway documentation for more information on listener types.
mkdir -p /etc/genestack/gateway-api/listeners
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
    /opt/genestack/etc/gateway-api/listeners/gnocchi-https.json \
    > /etc/genestack/gateway-api/listeners/gnocchi-https.json
Apply the Listener Patch
kubectl patch -n nginx-gateway gateway flex-gateway \
    --type='json' \
    --patch-file /etc/genestack/gateway-api/listeners/gnocchi-https.json
Custom Routes
This step is not needed if all routes were applied when the Gateway API was deployed
A custom gateway route can be used when setting up the service. The custom route makes it possible for a domain like your.domain.tld to be used for the service.
Example routes file found in /opt/genestack/etc/gateway-api/routes
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: custom-keystone-gateway-route
  namespace: openstack
spec:
  parentRefs:
  - name: flex-gateway
    sectionName: keystone-https
    namespace: nginx-gateway
  hostnames:
  - "keystone.your.domain.tld"
  rules:
    - backendRefs:
      - name: keystone-api
        port: 5000
Modify the Route
This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway route documentation for more information on route types.
mkdir -p /etc/genestack/gateway-api/routes
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
    /opt/genestack/etc/gateway-api/routes/custom-gnocchi-gateway-route.yaml \
    > /etc/genestack/gateway-api/routes/custom-gnocchi-gateway-route.yaml
Apply the Route
kubectl --namespace openstack apply -f /etc/genestack/gateway-api/routes/custom-gnocchi-gateway-route.yaml
Validate the metric endpoint
Pip install gnocchiclient and python-ceilometerclient
kubectl exec -it openstack-admin-client -n openstack -- /var/lib/openstack/bin/pip install python-ceilometerclient gnocchiclient
Confirm healthcheck response
HTTP/1.1 200 OK
Date: Fri, 09 Aug 2024 20:33:24 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Vary: Accept-Encoding
Content-Type: text/plain; charset=UTF-8