Deploy Magnum

OpenStack Magnum is the container orchestration service within the OpenStack ecosystem, designed to provide an easy-to-use interface for deploying and managing container clusters, such as Kubernetes. Magnum enables cloud users to harness the power of containerization by allowing them to create and manage container clusters as first-class resources within the OpenStack environment. This service integrates seamlessly with other OpenStack components, enabling containers to take full advantage of OpenStack’s networking, storage, and compute capabilities. In this document, we will outline the deployment of OpenStack Magnum using Genestack. By utilizing Genestack, the deployment of Magnum is streamlined, allowing organizations to efficiently manage and scale containerized applications alongside traditional virtual machine workloads within their cloud infrastructure.

Note

Before Magnum can be deployed, you must set up and deploy Barbican first.

Create secrets

Information about the secrets used

Manual secret generation is only required if you haven't run the create-secrets.sh script located in /opt/genestack/bin.

Example secret generation
kubectl --namespace openstack \
        create secret generic magnum-rabbitmq-password \
        --type Opaque \
        --from-literal=username="magnum" \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
kubectl --namespace openstack \
        create secret generic magnum-db-password \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack \
        create secret generic magnum-admin \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"

Run the package deployment

Run the Magnum deployment script /opt/genestack/bin/install-magnum.sh

#!/bin/bash
GLOBAL_OVERRIDES_DIR="/etc/genestack/helm-configs/global_overrides"
SERVICE_CONFIG_DIR="/etc/genestack/helm-configs/magnum"
BASE_OVERRIDES="/opt/genestack/base-helm-configs/magnum/magnum-helm-overrides.yaml"

# Read magnum version from helm-chart-versions.yaml
VERSION_FILE="/etc/genestack/helm-chart-versions.yaml"
if [ ! -f "$VERSION_FILE" ]; then
    echo "Error: helm-chart-versions.yaml not found at $VERSION_FILE"
    exit 1
fi

# Extract magnum version using grep and sed
MAGNUM_VERSION=$(grep 'magnum:' "$VERSION_FILE" | sed 's/.*magnum: *//')

if [ -z "$MAGNUM_VERSION" ]; then
    echo "Error: Could not extract magnum version from $VERSION_FILE"
    exit 1
fi

HELM_CMD="helm upgrade --install magnum openstack-helm/magnum --version ${MAGNUM_VERSION} \
    --namespace=openstack \
    --timeout 120m"

HELM_CMD+=" -f ${BASE_OVERRIDES}"

for dir in "$GLOBAL_OVERRIDES_DIR" "$SERVICE_CONFIG_DIR"; do
    if compgen -G "${dir}/*.yaml" > /dev/null; then
        for yaml_file in "${dir}"/*.yaml; do
            # Avoid re-adding the base override file if it is found in the service directory
            if [ "${yaml_file}" != "${BASE_OVERRIDES}" ]; then
                HELM_CMD+=" -f ${yaml_file}"
            fi
        done
    fi
done

HELM_CMD+=" --set endpoints.identity.auth.admin.password=\"$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)\""
HELM_CMD+=" --set endpoints.identity.auth.magnum.password=\"$(kubectl --namespace openstack get secret magnum-admin -o jsonpath='{.data.password}' | base64 -d)\""
HELM_CMD+=" --set endpoints.oslo_db.auth.admin.password=\"$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)\""
HELM_CMD+=" --set endpoints.oslo_db.auth.magnum.password=\"$(kubectl --namespace openstack get secret magnum-db-password -o jsonpath='{.data.password}' | base64 -d)\""
HELM_CMD+=" --set endpoints.oslo_messaging.auth.admin.password=\"$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)\""
HELM_CMD+=" --set endpoints.oslo_messaging.auth.magnum.password=\"$(kubectl --namespace openstack get secret magnum-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)\""
HELM_CMD+=" --set endpoints.oslo_cache.auth.memcache_secret_key=\"$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\""
HELM_CMD+=" --set conf.magnum.keystone_authtoken.memcache_secret_key=\"$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\""
HELM_CMD+=" --post-renderer /etc/genestack/kustomize/kustomize.sh"
HELM_CMD+=" --post-renderer-args magnum/overlay"

helm repo add openstack-helm https://tarballs.opendev.org/openstack/openstack-helm
helm repo update

HELM_CMD+=" $@"

echo "Executing Helm command:"
echo "${HELM_CMD}"
eval "${HELM_CMD}"
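
The script above echoes the fully assembled command, including the decoded passwords and memcache key passed with --set, so those values end up in terminal scrollback or CI logs. As an added example (not part of Genestack's script), the hypothetical redact_helm_cmd function below masks them before logging; the sample command and its values are constructed.

```bash
# Added example, not Genestack code: mask secret values in a helm command
# string before it is written to a terminal or log.

# redact_helm_cmd STRING
# Replaces the value of every key ending in "password" or "secret_key"
# with ***REDACTED***. The first expression handles quoted values (which
# may contain spaces), the second handles unquoted values.
redact_helm_cmd() {
    printf '%s\n' "$1" | sed -E \
        -e 's/((password|secret_key)=)"[^"]*"/\1"***REDACTED***"/g' \
        -e 's/((password|secret_key)=)[^" ][^ ]*/\1***REDACTED***/g'
}

# Constructed sample in the shape install-magnum.sh builds (all values fake).
SAMPLE_CMD='helm upgrade --install magnum openstack-helm/magnum --version 0.0.0-example --namespace=openstack'
SAMPLE_CMD="${SAMPLE_CMD} --set endpoints.identity.auth.magnum.password=\"FAKE_pw_1\""
SAMPLE_CMD="${SAMPLE_CMD} --set endpoints.oslo_cache.auth.memcache_secret_key=\"FAKE key 2\""
SAMPLE_CMD="${SAMPLE_CMD} --set endpoints.oslo_db.auth.magnum.password=FAKE_pw_3 --timeout 120m"

# Log the redacted form; the unredacted string is what would be executed.
echo "Executing Helm command:"
redact_helm_cmd "${SAMPLE_CMD}"
```

The pattern assumes secret values contain no double quotes, which holds for the generated passwords shown earlier on this page.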

Tip

You may need to provide custom values to configure your OpenStack services. For a simple single-region or lab deployment, you can supply an additional overrides flag using the example found at base-helm-configs/aio-example-openstack-overrides.yaml. In other cases, such as a multi-region deployment, you may want to view the Multi-Region Support guide for a workflow solution.

Validate functionality

kubectl --namespace openstack exec -ti openstack-admin-client -- openstack coe cluster list

Create a Public ClusterTemplate

The user must have the admin role to create the public ClusterTemplate. For instructions on creating and using it to deploy a new Kubernetes cluster, please refer to the ClusterTemplate section in the Magnum Kubernetes Cluster Setup Guide.

Deploying Magnum with Cluster API (CAPI) Driver

Magnum can use CAPI as the backend driver to spin up k8s clusters. Magnum CAPI Helm is one of the projects that provides an OpenStack Magnum driver, which uses Helm to create the cluster with CAPI. The documentation below assumes you are using magnum-capi-helm as your CAPI driver. The driver can be found here.

CAPI Architecture

Prerequisites

Before deploying Magnum with the CAPI driver:

  1. Ensure your magnum image has the magnum-capi-helm driver installed. See our Magnum Containerfile.
  2. Ensure your magnum image has helm installed. See our Magnum Containerfile.
  3. Ensure you are using magnum helm version 2025.1 or above, as CAPI functionality was added to openstack-helm in this release.
  4. You will need a management cluster for CAPI. See How CAPI Works with mgt cluster to spin up worker nodes.
  5. On your management cluster make sure you install cluster-addon. It is found here.

Magnum Helm Config

In order to switch to CAPI we need to make sure that magnum has the right config passed to it. Here is an example we can use:

conf:
  capi:
    enabled: true
    clusterName: k8s-managment-cluster
    apiServer: https://127.0.0.1:6443
    certificateAuthorityData: < k8s-managment-cluster CA Data > 
    contextName: k8s-management
    userName: admin@k8s-management
    clientCertificateData: < k8s-managment-cluster clientCert Data > 
    clientKeyData: < k8s-managment-cluster clientKey Data >
  magnum:
    capi_helm:
      kubeconfig_file: /etc/magnum/kubeconfig.conf
    barbican_client:
      endpoint_type: publicURL
      region_name: RegionOne
    cinder_client:
      endpoint_type: publicURL
      region_name: RegionOne
   ... 

First, make sure the capi section has the management cluster kubeconfig file content. Magnum uses this to talk to the management cluster. Next, under magnum, add the capi_helm config to point to where the kubeconfig file is found. This is usually /etc/magnum/kubeconfig.conf. Additionally, the driver can be pointed at specific Helm charts, which is useful if you have made environment-specific changes to the chart and want to use that version. This can be done like so:

  magnum:
    capi_helm:
      kubeconfig_file: /etc/magnum/kubeconfig.conf
      helm_chart_repo: https://rackerlabs.github.io/genestack-capi-helm-charts
      default_helm_chart_version: 0.1.0
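
An added example (not Genestack or magnum-capi-helm code) for filling the capi section shown earlier from an existing kubeconfig: the hypothetical helpers kc_field and capi_values_from_kubeconfig read a flattened, single-cluster kubeconfig and print the values fragment, refusing kubeconfigs that reference credential files instead of inline data. The mapping from kubeconfig fields to the chart keys is an assumption based on the key names on this page, and the sample kubeconfig is constructed with fake data.

```bash
# Added example, not Genestack code; helper names and field mapping are assumptions.
kc_field() {  # first scalar value of KEY ($1) in kubeconfig FILE ($2)
    awk -v k="$1:" '$1 == k && NF >= 2 { print $2; exit }' "$2"
}

# Emit conf.capi values; fail when credentials are file paths instead of inline data.
capi_values_from_kubeconfig() {
    kc="$1"
    for key in server certificate-authority-data client-certificate-data client-key-data; do
        [ -n "$(kc_field "$key" "$kc")" ] || { echo "missing $key in $kc" >&2; return 1; }
    done
    cat <<EOF
conf:
  capi:
    enabled: true
    clusterName: $(kc_field cluster "$kc")
    apiServer: $(kc_field server "$kc")
    certificateAuthorityData: $(kc_field certificate-authority-data "$kc")
    contextName: $(kc_field current-context "$kc")
    userName: $(kc_field user "$kc")
    clientCertificateData: $(kc_field client-certificate-data "$kc")
    clientKeyData: $(kc_field client-key-data "$kc")
EOF
}

# Constructed kubeconfig with fake data so the example runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/kubeconfig" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: RkFLRS1DQQ==
    server: https://127.0.0.1:6443
  name: k8s-management-cluster
contexts:
- context:
    cluster: k8s-management-cluster
    user: admin@k8s-management
  name: k8s-management
current-context: k8s-management
users:
- name: admin@k8s-management
  user:
    client-certificate-data: RkFLRS1DRVJU
    client-key-data: RkFLRS1LRVk=
EOF
# The output holds the admin client key: create it readable by the owner only.
( umask 077; capi_values_from_kubeconfig "$demo_dir/kubeconfig" > "$demo_dir/magnum-capi.yaml" )
```

On a real management cluster, `kubectl config view --raw --minify --flatten` produces a kubeconfig in the shape this expects. A file written under /etc/genestack/helm-configs/magnum is picked up by the override loop in install-magnum.sh.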