Deploy Magnum
OpenStack Magnum is the container orchestration service within the OpenStack ecosystem, designed to provide an easy-to-use interface for deploying and managing container clusters, such as Kubernetes. Magnum enables cloud users to harness the power of containerization by allowing them to create and manage container clusters as first-class resources within the OpenStack environment. This service integrates seamlessly with other OpenStack components, enabling containers to take full advantage of OpenStack’s networking, storage, and compute capabilities. In this document, we will outline the deployment of OpenStack Magnum using Genestac. By utilizing Genestack, the deployment of Magnum is streamlined, allowing organizations to efficiently manage and scale containerized applications alongside traditional virtual machine workloads within their cloud infrastructure.
Note
Before Magnum can be deployed, you must setup and deploy Barbican first.
Create secrets
Information about the secretes used
Manual secret generation is only required if you haven't run the create-secrets.sh script located in /opt/genestack/bin.
Example secret generation
kubectl --namespace openstack \
create secret generic magnum-rabbitmq-password \
--type Opaque \
--from-literal=username="magnum" \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
kubectl --namespace openstack \
create secret generic magnum-db-password \
--type Opaque \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack \
create secret generic magnum-admin \
--type Opaque \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
Run the package deployment
Run the Magnum deployment Script bin/install-magnum.sh
#!/bin/bash
pushd /opt/genestack/submodules/openstack-helm || exit
helm upgrade --install magnum ./magnum \
--namespace=openstack \
--timeout 120m \
-f /opt/genestack/base-helm-configs/magnum/magnum-helm-overrides.yaml \
-f /etc/genestack/helm-configs/magnum/magnum-helm-overrides.yaml \
--set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.identity.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-admin -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
--set endpoints.oslo_db.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-db-password -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.oslo_messaging.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
--set conf.magnum.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
--post-renderer /etc/genestack/kustomize/kustomize.sh \
--post-renderer-args magnum/overlay "$@"
popd || exit
Tip
You may need to provide custom values to configure your openstack services, for a simple single region or lab deployment you can supply an additional overrides flag using the example found at base-helm-configs/aio-example-openstack-overrides.yaml.
In other cases such as a multi-region deployment you may want to view the Multi-Region Support guide to for a workflow solution.
Custom Listeners
This step is not needed if all listeners were applied when the Gateway API was deployed
Example listener patch file found in /opt/genestack/etc/gateway-api/listeners
[
{
"op": "add",
"path": "/spec/listeners/-",
"value": {
"name": "magnum-https",
"port": 443,
"protocol": "HTTPS",
"hostname": "magnum.your.domain.tld",
"allowedRoutes": {
"namespaces": {
"from": "All"
}
},
"tls": {
"certificateRefs": [
{
"group": "",
"kind": "Secret",
"name": "magnum-gw-tls-secret"
}
],
"mode": "Terminate"
}
}
}
]
Modify the Listener Patch
This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway documentation
for more information on listener types.
mkdir -p /etc/genestack/gateway-api/listeners
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
/opt/genestack/etc/gateway-api/listeners/magnum-https.json \
> /etc/genestack/gateway-api/listeners/magnum-https.json
Apply the Listener Patch
kubectl patch -n nginx-gateway gateway flex-gateway \
--type='json' \
--patch-file /etc/genestack/gateway-api/listeners/magnum-https.json
Custom Routes
This step is not needed if all routes were applied when the Gateway API was deployed
A custom gateway route can be used when setting up the service. The custom route make it possible to for a domain like your.domain.tld to be used for the service.
Example routes file found in /opt/genestack/etc/gateway-api/routes
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: custom-magnum-gateway-route
namespace: openstack
spec:
parentRefs:
- name: flex-gateway
sectionName: magnum-https
namespace: nginx-gateway
hostnames:
- "magnum.your.domain.tld"
rules:
- backendRefs:
- name: magnum-api
port: 9511
Modify the Route
This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway route documentation
for more information on route types.
mkdir -p /etc/genestack/gateway-api/routes
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
/opt/genestack/etc/gateway-api/routes/custom-magnum-gateway-route.yaml \
> /etc/genestack/gateway-api/routes/custom-magnum-gateway-route.yaml