feat(openstack): add dedicated OpenStack deployment assets #71
anchapin wants to merge 2 commits into
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2f2ca28 to ba8b7e1
- Trim values-openstack.yaml, values-openstack-nfs.yaml, values-openstack-nfs-small.yaml to delta-only overrides; remove fields duplicated from base values.yaml
- Add values-prod.local.yaml for production-specific overrides
- Fix storageClass name: cinder-csi -> csi-cinder across all overlays and docs
- Update README, QUICKSTART, TROUBLESHOOTING with corrected storageClass references and improved NFS sizing guidance
- Remove allowVolumeExpansion: false from primary overlay (blocks Cinder expansion)
- Add global.provider.name: openstack to all overlay files now that base values.yaml requires explicit provider selection
- Update deploy-openstudio-cluster.sh with corrected storageClass default

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ba8b7e1 to 69d18be
Pull request overview
This PR adds a dedicated openstack/ directory containing OpenStack-specific onboarding assets (OpenTofu/Terraform infra, Kubespray inventory defaults, deployment helper scripts, Helm values overlays, and operator documentation) to keep OpenStack platform setup isolated from the main chart work.
Changes:
- Added OpenTofu/Terraform configuration to provision OpenStack instances, networking, security groups, and outputs for Kubespray.
- Added shell automation scripts for infra bring-up, bootstrap checks, and kubectl configuration.
- Added OpenStack-focused Helm values overlays and extensive OpenStack deployment/troubleshooting documentation.
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 39 comments.
| File | Description |
|---|---|
| openstack/versions.tf | Provider/version constraints for the OpenStack OpenTofu/Terraform module. |
| openstack/variables.tf | Variables for OpenStack credentials, sizing, images, and access CIDRs. |
| openstack/main.tf | Core OpenStack infrastructure resources (networking, SG rules, instances, volumes, FIPs). |
| openstack/outputs.tf | Outputs used for access and Kubespray inventory generation. |
| openstack/openstudio-small.tfvars | Example “small” cluster tfvars. |
| openstack/openstudio-micro.tfvars | Example “micro” cluster tfvars. |
| openstack/openstudio-large.tfvars | Example “large” cluster tfvars. |
| openstack/tofu-with-env.sh | Wrapper to load env vars and run OpenTofu commands. |
| openstack/deploy.sh | Infra-focused deployment automation entrypoint. |
| openstack/deploy-openstudio-cluster.sh | End-to-end infra + Kubespray + Helm automation script. |
| openstack/deploy-k8s-cluster.sh | Orchestration script focused on infra/bootstrap/kubectl setup. |
| openstack/bootstrap-k8s.sh | Post-provision bootstrap, NFS setup, readiness checks. |
| openstack/setup-kubectl.sh | Helper to configure local kubectl access to the cluster. |
| openstack/k8s-cloud-init.yaml | Cloud-init payload (firewall detection/workarounds, tooling). |
| openstack/kubespray/inventory/sample/group_vars/all.yml | Kubespray global cluster defaults (versions, CIDRs, runtime, CNI). |
| openstack/kubespray/inventory/sample/group_vars/k8s_cluster.yml | Kubespray OpenStack-specific settings (CCM/CSI, storage, taints). |
| openstack/storage-classes.yaml | Kubernetes StorageClass manifests for Cinder CSI variants. |
| openstack/cinder-csi-storageclass.yaml | Minimal Cinder CSI StorageClass manifest. |
| openstack/values-openstack.yaml | OpenStack overlay values for the Helm chart. |
| openstack/values-openstack-nfs.yaml | OpenStack NFS overlay values (external NFS-class intent). |
| openstack/values-openstack-nfs-small.yaml | Smaller OpenStack NFS overlay values. |
| openstack/values-prod.local.yaml | Local production override values for OpenStack. |
| openstack/README.md | Primary OpenStack operator guide and workflow documentation. |
| openstack/QUICKSTART.md | Condensed quick start guide for OpenStack deployments. |
| openstack/TROUBLESHOOTING.md | Detailed troubleshooting guide for OpenStack + Kubernetes deployments. |
| openstack/.gitignore | Ignore patterns for OpenTofu state, plans, env files, and logs. |
Comment on lines +37 to +40
| # Add default flavor variables if not set | ||
| export TF_VAR_master_flavor_name="${TF_VAR_master_flavor_name:-CS.Tiny}" | ||
| export TF_VAR_web_flavor_name="${TF_VAR_web_flavor_name:-CS.Wee}" | ||
| export TF_VAR_worker_flavor_name="${TF_VAR_worker_flavor_name:-CM.XLarge}" |
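Review bot: the fallback flavor names CS.Tiny, CS.Wee and CM.XLarge on these three `export` lines are specific to one OpenStack cloud, so on any other deployment an unset variable silently selects a flavor that does not exist and the failure only surfaces at `tofu apply`. Consider keeping the defaults in the per-size tfvars files (openstudio-micro/small/large.tfvars) instead, or fail fast with a clear message when the variable is unset, e.g. `: "${TF_VAR_master_flavor_name:?set TF_VAR_master_flavor_name in .env}"`.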
Comment on lines +17 to +20
| resource "openstack_networking_network_v2" "k8s_network" { | ||
| name = "${var.cluster_name}-network" | ||
| admin_state_up = "true" | ||
| } |
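Review bot: `admin_state_up = "true"` passes a quoted string to a boolean attribute; Terraform coerces it today, but the idiomatic form is the bare `true`, and the same quoting is repeated on every port resource below, so fixing it once here and in the ports keeps the module consistent.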
Comment on lines +193 to +202
| resource "openstack_networking_port_v2" "master_port" { | ||
| name = "${var.cluster_name}-master-port" | ||
| network_id = openstack_networking_network_v2.k8s_network.id | ||
| admin_state_up = "true" | ||
| security_group_ids = [openstack_networking_secgroup_v2.k8s_secgroup.id] | ||
|
|
||
| fixed_ip { | ||
| subnet_id = openstack_networking_subnet_v2.k8s_subnet.id | ||
| } | ||
| } |
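Review bot: this port attaches the same `openstack_networking_secgroup_v2.k8s_secgroup` that the worker and web ports use, so the control plane shares one ingress policy with every other role. A master-specific security group would let the API server and etcd ports be reachable only from where they are needed; this resource is where that split would start. Minor: `admin_state_up = "true"` should be the bare boolean `true`.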
Comment on lines +204 to +214
| resource "openstack_networking_port_v2" "worker_port" { | ||
| count = var.worker_count | ||
| name = "${var.cluster_name}-worker-${count.index + 1}-port" | ||
| network_id = openstack_networking_network_v2.k8s_network.id | ||
| admin_state_up = "true" | ||
| security_group_ids = [openstack_networking_secgroup_v2.k8s_secgroup.id] | ||
|
|
||
| fixed_ip { | ||
| subnet_id = openstack_networking_subnet_v2.k8s_subnet.id | ||
| } | ||
| } |
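Review bot: using `count` with `${count.index + 1}` in the port name means removing any worker other than the last one shifts the indices and forces the remaining ports (and the instances bound to them) to be recreated. Consider `for_each` over a set of node names instead, which also keeps the `-worker-N-port` naming stable across scale-down.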
Comment on lines +216 to +226
| resource "openstack_networking_port_v2" "web_port" { | ||
| count = var.web_count | ||
| name = "${var.cluster_name}-web-${count.index + 1}-port" | ||
| network_id = openstack_networking_network_v2.k8s_network.id | ||
| admin_state_up = "true" | ||
| security_group_ids = [openstack_networking_secgroup_v2.k8s_secgroup.id] | ||
|
|
||
| fixed_ip { | ||
| subnet_id = openstack_networking_subnet_v2.k8s_subnet.id | ||
| } | ||
| } |
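Review bot: this block is a line-for-line copy of `worker_port` with only the role name changed; a single port resource driven by a map of role to count would remove the duplication and keep future changes (such as per-role security groups or the `admin_state_up` fix) in one place.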
Comment on lines +88 to +97
| # Internal communication (all ports between cluster nodes) | ||
| resource "openstack_networking_secgroup_rule_v2" "internal_all" { | ||
| direction = "ingress" | ||
| ethertype = "IPv4" | ||
| protocol = "tcp" | ||
| port_range_min = 1 | ||
| port_range_max = 65535 | ||
| remote_ip_prefix = "10.0.1.0/24" | ||
| security_group_id = openstack_networking_secgroup_v2.k8s_secgroup.id | ||
| } |
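Review bot: the comment promises "all ports between cluster nodes", but the rule only covers `protocol = "tcp"`, so UDP (overlay encapsulation, DNS) and ICMP between nodes remain blocked by default; add matching udp and icmp rules or make the comment accurate. Separately, `remote_ip_prefix = "10.0.1.0/24"` is hardcoded rather than taken from `openstack_networking_subnet_v2.k8s_subnet.cidr`, so the rule silently stops matching node traffic if the subnet CIDR is ever changed.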
Comment on lines +99 to +108
| # Pod network communication (allow pod network to access hosts) | ||
| resource "openstack_networking_secgroup_rule_v2" "pod_network_internal" { | ||
| direction = "ingress" | ||
| ethertype = "IPv4" | ||
| protocol = "tcp" | ||
| port_range_min = 1 | ||
| port_range_max = 65535 | ||
| remote_ip_prefix = "10.244.0.0/16" | ||
| security_group_id = openstack_networking_secgroup_v2.k8s_secgroup.id | ||
| } |
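Review bot: `remote_ip_prefix = "10.244.0.0/16"` duplicates the pod CIDR that Kubespray is configured with in `group_vars/all.yml`; expose it as one variable consumed by both so the two cannot drift. As with `internal_all`, this rule is tcp-only, so UDP from the pod network to host services is not covered despite the comment.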
Comment on lines +552 to +558
| When running Calico with IPIP encapsulation on OpenStack: | ||
|
|
||
| - Allow IP-in-IP (protocol 4) ingress/egress between node subnet CIDR | ||
| - Allow BGP (TCP/179) ingress/egress between node subnet CIDR | ||
|
|
||
| These are implemented in `openstack/additional-security-rules.tf` and reference `openstack_networking_subnet_v2.k8s_subnet.cidr` dynamically. Without them, you may see: | ||
|
|
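Review bot: this paragraph directs operators to `openstack/additional-security-rules.tf`, but that file is not among the 26 files changed in this PR (see the per-file summary above), and the IP-in-IP (protocol 4) and BGP (TCP/179) rules it describes do not appear in main.tf either. Either add the file in this PR or reword the doc so it does not describe rules that do not exist yet.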
Comment on lines +21 to +24
| # Load environment variables | ||
| echo "📄 Loading environment variables from .env..." | ||
| source .env | ||
|
|
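Review bot: `source .env` only makes variables visible to the OpenTofu process if every line in .env uses `export`; wrapping it as `set -a; source .env; set +a` makes plain `KEY=value` lines work as well. Because the file is sourced as shell, it executes whatever it contains, so the README should tell operators to keep it mode 600 and never commit it (the .gitignore in this PR already covers env files).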
Comment on lines +14 to +17
| echo "Please create a .env file from the template:" | ||
| echo " cp .env.template .env" | ||
| echo " # Edit .env with your credentials" | ||
| echo "" |
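Review bot: the message tells operators to `cp .env.template .env`, but `.env.template` is not in this PR's file list, and the new .gitignore ignores env files, so the template may have been excluded by that pattern. Add the template with placeholder values for the OpenStack credential and TF_VAR_ sizing variables the scripts expect, or point to wherever it lives.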
Summary
This PR isolates the OpenStack platform onboarding assets from the larger openstack branch.
Scope
openstack/** deployment assets, Terraform/OpenTofu config, and operator docs.
Why split
Separates infrastructure onboarding from chart/runtime hardening to keep review focused and lower-risk.