Skip to content

Deploy Octavia

OpenStack Octavia is the load balancing service within the OpenStack ecosystem, providing scalable and automated load balancing for cloud applications. Octavia is designed to ensure high availability and reliability by distributing incoming network traffic across multiple instances of an application, preventing any single instance from becoming a bottleneck or point of failure. It supports various load balancing algorithms, health monitoring, and SSL termination, making it a versatile tool for managing traffic within cloud environments. In this document, we will explore the deployment of OpenStack Octavia using Genestack. By leveraging Genestack, the deployment of Octavia is streamlined, ensuring that load balancing is seamlessly incorporated into both private and public cloud environments, enhancing the performance and resilience of cloud applications.

Create secrets

Information about the secretes used

Manual secret generation is only required if you haven't run the create-secrets.sh script located in /opt/genestack/bin.

Example secret generation 
kubectl --namespace openstack \
        create secret generic octavia-rabbitmq-password \
        --type Opaque \
        --from-literal=username="octavia" \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
kubectl --namespace openstack \
        create secret generic octavia-db-password \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack \
        create secret generic octavia-admin \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack \
        create secret generic octavia-certificates \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"

Run the package deployment

Run the Octavia deployment Script bin/install-octavia.sh

#!/bin/bash
pushd /opt/genestack/submodules/openstack-helm || exit
    helm upgrade --install octavia ./octavia \
        --namespace=openstack \
        --timeout 120m \
        -f /opt/genestack/base-helm-configs/octavia/octavia-helm-overrides.yaml \
        -f /etc/genestack/helm-configs/octavia/octavia-helm-overrides.yaml \
        --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
        --set endpoints.identity.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-admin -o jsonpath='{.data.password}' | base64 -d)" \
        --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
        --set endpoints.oslo_db.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-db-password -o jsonpath='{.data.password}' | base64 -d)" \
        --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
        --set endpoints.oslo_messaging.auth.octavia.password="$(kubectl --namespace openstack get secret octavia-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
        --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
        --set conf.octavia.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
        --set conf.octavia.database.slave_connection="mysql+pymysql://octavia:$(kubectl --namespace openstack get secret octavia-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/octavia" \
        --set conf.octavia.certificates.ca_private_key_passphrase="$(kubectl --namespace openstack get secret octavia-certificates -o jsonpath='{.data.password}' | base64 -d)" \
        --set conf.octavia.ovn.ovn_nb_connection="tcp:$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \
        --set conf.octavia.ovn.ovn_sb_connection="tcp:$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')" \
        --post-renderer /etc/genestack/kustomize/kustomize.sh \
        --post-renderer-args octavia/overlay "$@"
popd || exit

Tip

You may need to provide custom values to configure your openstack services, for a simple single region or lab deployment you can supply an additional overrides flag using the example found at base-helm-configs/aio-example-openstack-overrides.yaml. In other cases such as a multi-region deployment you may want to view the Multi-Region Support guide to for a workflow solution.

Custom Listeners

This step is not needed if all listeners were applied when the Gateway API was deployed

Example listener patch file found in /opt/genestack/etc/gateway-api/listeners 
[
    {
        "op": "add",
        "path": "/spec/listeners/-",
        "value": {
            "name": "octavia-https",
            "port": 443,
            "protocol": "HTTPS",
            "hostname": "octavia.your.domain.tld",
            "allowedRoutes": {
                "namespaces": {
                    "from": "All"
                }
            },
            "tls": {
                "certificateRefs": [
                    {
                        "group": "",
                        "kind": "Secret",
                        "name": "octavia-gw-tls-secret"
                    }
                ],
                "mode": "Terminate"
            }
        }
    }
]

Modify the Listener Patch

This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway documentation for more information on listener types.

mkdir -p /etc/genestack/gateway-api/listeners
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
    /opt/genestack/etc/gateway-api/listeners/octavia-https.json \
    > /etc/genestack/gateway-api/listeners/octavia-https.json

Apply the Listener Patch

kubectl patch -n nginx-gateway gateway flex-gateway \
              --type='json' \
              --patch-file /etc/genestack/gateway-api/listeners/octavia-https.json

Custom Routes

This step is not needed if all routes were applied when the Gateway API was deployed

A custom gateway route can be used when setting up the service. The custom route make it possible to for a domain like your.domain.tld to be used for the service.

Example routes file found in /opt/genestack/etc/gateway-api/routes 
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: custom-octavia-gateway-route
  namespace: openstack
  labels:
    application: gateway-api
    service: HTTPRoute
    route: octavia
spec:
  parentRefs:
  - name: flex-gateway
    sectionName: octavia-https
    namespace: nginx-gateway
  hostnames:
  - "octavia.your.domain.tld"
  rules:
    - filters:
      - type: RequestRedirect
        requestRedirect:
          scheme: https
          statusCode: 301
    - backendRefs:
      - name: octavia-api
        port: 9876

Modify the Route

This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway route documentation for more information on route types.

mkdir -p /etc/genestack/gateway-api/routes
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
    /opt/genestack/etc/gateway-api/routes/custom-octavia-gateway-route.yaml \
    > /etc/genestack/gateway-api/routes/custom-octavia-gateway-route.yaml

Apply the Route

kubectl --namespace openstack apply -f /etc/genestack/gateway-api/routes/custom-octavia-gateway-route.yaml

Demo

asciicast