Skip to content

Deploy Magnum

OpenStack Magnum is the container orchestration service within the OpenStack ecosystem, designed to provide an easy-to-use interface for deploying and managing container clusters, such as Kubernetes. Magnum enables cloud users to harness the power of containerization by allowing them to create and manage container clusters as first-class resources within the OpenStack environment. This service integrates seamlessly with other OpenStack components, enabling containers to take full advantage of OpenStack’s networking, storage, and compute capabilities. In this document, we will outline the deployment of OpenStack Magnum using Genestac. By utilizing Genestack, the deployment of Magnum is streamlined, allowing organizations to efficiently manage and scale containerized applications alongside traditional virtual machine workloads within their cloud infrastructure.

Note

Before Magnum can be deployed, you must setup and deploy Barbican first.

Create secrets

Information about the secretes used

Manual secret generation is only required if you haven't run the create-secrets.sh script located in /opt/genestack/bin.

Example secret generation 
kubectl --namespace openstack \
        create secret generic magnum-rabbitmq-password \
        --type Opaque \
        --from-literal=username="magnum" \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
kubectl --namespace openstack \
        create secret generic magnum-db-password \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack \
        create secret generic magnum-admin \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"

Run the package deployment

cd /opt/genestack/submodules/openstack-helm

helm upgrade --install magnum ./magnum \
    --namespace=openstack \
    --timeout 120m \
    -f /opt/genestack/base-helm-configs/magnum/magnum-helm-overrides.yaml \
    --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
    --set endpoints.identity.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-admin -o jsonpath='{.data.password}' | base64 -d)" \
    --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
    --set endpoints.oslo_db.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-db-password -o jsonpath='{.data.password}' | base64 -d)" \
    --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
    --set endpoints.oslo_messaging.auth.magnum.password="$(kubectl --namespace openstack get secret magnum-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
    --post-renderer /opt/genestack/base-kustomize/kustomize.sh \
    --post-renderer-args magnum/base

Tip

You may need to provide custom values to configure your openstack services, for a simple single region or lab deployment you can supply an additional overrides flag using the example found at base-helm-configs/aio-example-openstack-overrides.yaml. In other cases such as a multi-region deployment you may want to view the Multi-Region Support guide to for a workflow solution.

Custom Listeners

This step is not needed if all listeners were applied when the Gateway API was deployed

Example listener patch file found in /opt/genestack/etc/gateway-api/listeners 
[
    {
        "op": "add",
        "path": "/spec/listeners/-",
        "value": {
            "name": "magnum-https",
            "port": 443,
            "protocol": "HTTPS",
            "hostname": "magnum.your.domain.tld",
            "allowedRoutes": {
                "namespaces": {
                    "from": "All"
                }
            },
            "tls": {
                "certificateRefs": [
                    {
                        "group": "",
                        "kind": "Secret",
                        "name": "magnum-gw-tls-secret"
                    }
                ],
                "mode": "Terminate"
            }
        }
    }
]

Modify the Listener Patch

This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway documentation for more information on listener types.

mkdir -p /etc/genestack/gateway-api/listeners
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
    /opt/genestack/etc/gateway-api/listeners/magnum-https.json \
    > /etc/genestack/gateway-api/listeners/magnum-https.json

Apply the Listener Patch

kubectl patch -n nginx-gateway gateway flex-gateway \
              --type='json' \
              --patch-file /etc/genestack/gateway-api/listeners/magnum-https.json

Custom Routes

This step is not needed if all routes were applied when the Gateway API was deployed

A custom gateway route can be used when setting up the service. The custom route make it possible to for a domain like your.domain.tld to be used for the service.

Example routes file found in /opt/genestack/etc/gateway-api/routes 
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: custom-magnum-gateway-route
  namespace: openstack
spec:
  parentRefs:
  - name: flex-gateway
    sectionName: magnum-https
    namespace: nginx-gateway
  hostnames:
  - "magnum.your.domain.tld"
  rules:
    - backendRefs:
      - name: magnum-api
        port: 9511

Modify the Route

This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway route documentation for more information on route types.

mkdir -p /etc/genestack/gateway-api/routes
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
    /opt/genestack/etc/gateway-api/routes/custom-magnum-gateway-route.yaml \
    > /etc/genestack/gateway-api/routes/custom-magnum-gateway-route.yaml

Apply the Route

kubectl --namespace openstack apply -f /etc/genestack/gateway-api/routes/custom-magnum-gateway-route.yaml