Nova

# NOTE: This file serves as an example only!
# It demonstrates a subset of the API features which are available and
# is NOT FIT FOR PRODUCTIVE USE. You need to adapt them to your
# specific environment, needs and scale.
# DO NOT DEPLOY THIS FILE WITH THE EXPECTATION THAT YOU WILL GET A
# YAOOK DEPLOYMENT FIT FOR ANY USE EXCEPT LOOKING AT IT.
apiVersion: yaook.cloud/v1
kind: NovaDeployment
metadata:
  name: nova
spec:
  keystoneRef:
    name: keystone
  database:
    api:
      replicas: 1
      proxy: {}
      mysqlConfig:
        mysqld:
          max_connections: 1337
          max_heap_table_size: 64M
      backup:
        schedule: "0 * * * *"
    placement:
      replicas: 1
      proxy: {}
      mysqlConfig:
        mysqld:
          max_connections: 1337
          max_heap_table_size: 64M
      backup:
        schedule: "0 * * * *"
    cell0:
      replicas: 1
      proxy: {}
      mysqlConfig:
        galera:
          wsrep_slave_threads: 3
      backup:
        schedule: "0 * * * *"
    cell1:
      replicas: 1
      proxy: {}
      backup:
        schedule: "0 * * * *"
  eviction:
    volumeLockDurationSeconds: 30
    ironicNodeShutdown:
      credentialsSecretRef:
        name: "<ironicNodeShutdownSecret>"
  messageQueue:
    cell1:
      replicas: 1
  memcached: {}
  api:
    replicas: 1
    ingress:
      fqdn: "nova.yaook.cloud"
      port: 32443
  conductor:
    replicas: 1
  placement:
    replicas: 1
    ingress:
      fqdn: "placement.yaook.cloud"
      port: 32443
  scheduler:
    replicas: 1
  consoleauth:
    replicas: 1
  vnc:
    ingress:
      fqdn: vnc.yaook.cloud
      port: 32443
    replicas: 1
  metadata:
    replicas: 1
  targetRelease: queens
  novaConfig:
    DEFAULT:
      debug: True
  policy:
    "context_is_admin": "role:admin"
  compute:
    configTemplates:
    - nodeSelectors:
      - matchLabels: {}
      novaComputeConfig:
        DEFAULT:
          debug: True
        keystone_authtoken:
          os_region_name: MyRegion
      volumeBackends:
        ceph:
          enabled: True
          keyringSecretName: cinder-client-key
          user: cinder
          uuid: "b3ab713d-912b-49ed-adaf-bd74368e567a"
          cephConfig: {}
    - nodeSelectors:
      - matchLabels:
          "compute.yaook.cloud/hypervisor-type": "qemu"
      novaComputeConfig:
        libvirt:
          virt_type: qemu
    - nodeSelectors:
      - matchLabels:
          "aggregate": "azandsomeproperties"
      hostAggregates:
        - aggregate-az-and-property
        - aggregate-dual-property
  issuerRef:
    name: ca-issuer
  region:
    name: MyRegion
  databaseCleanup:
    schedule: "0 0 * * *"
    deletionTimeRange: 60

Ceph Config

Note

To use ceph you need to specify the same uuid and the same secret name as it is in use for cinder. The usage of different keys/users is not supported by openstack.

Add vTPM to instance

To add a vTPM, the following prequisites are to be fullfilled.

1. Enable the swtpm settings in the nova-compute config for the nodes which are to provide the vTPM to the instance .. literalinclude:: nova-compute-vtpm.yaml As we specify the same user/group within the qemu config for swtpm we highly recommend to use nova:libvirt within the novacompute config.

2. Set the image or flavor specs to provide a vTPM if an instance is created with either of those. openstack flavor set $FLAVOR -property hw:tpm_version=2.0 –property hw:tpm_model=tpm-crb or openstack image set $IMAGE -property hw_tpm_version=2.0 –property hw_tpm_model=tpm-crb (reference https://docs.openstack.org/nova/latest/admin/emulated-tpm.html)

  1. Have barbican as secret manager present

  2. Nova (and compute) of atleast Victoria Release

  3. Make sure the novacompute keystone user has permissions to create(store) barbican secrets (and read them).

Eviction

the eviction part is mandatory. it contains two parameter.

  • ironicNodeShutdown (optional): It is used to power off the node via ironic when it is not available. It contains a secret with ironic openrc credentials.

  • volumeLockDurationSeconds (optional): wait for releasing the volume lock during the eviction. If NodeShutdown is not set, it is not needed to wait for the volume release. For this reason you can set it to 0. If ironicNodeShutdown is enabled, please set this parameter to the volume release time of your storage backend. This is especially needed for NetApp. If Ceph is used, the exclusive locks feature will handle the volume release, so please leave this setting at the default value.

apiVersion: v1
kind: Secret
metadata:
  name: ironic_creds
  namespace: yaook
type: Opaque
data:
  OS_AUTH_URL: <os_auth_url>
  OS_USERNAME: <os_username>
  OS_PASSWORD: <os_password>
  OS_PROJECT_NAME: <os_project_name>
  OS_REGION_NAME: <os_region_name>
  OS_INTERFACE: <os_infterface>
  OS_USER_DOMAIN_NAME: <os_user_domain_name>
  OS_PROJECT_DOMAIN_NAME: <os_project_domain_name>

NovaHostAggregate

Availability-Zone and Properties are both optional. A computenode can only reside in a single Availability-Zone. If there is a mapping for aggregates with conflicting Availability-Zone values, no mapping will take place. (there will be an Exception for that)

Example of a NovaHostAggregate

# NOTE: This file serves as an example only!
# It demonstrates a subset of the API features which are available and
# is NOT FIT FOR PRODUCTIVE USE. You need to adapt them to your
# specific environment, needs and scale.
# DO NOT DEPLOY THIS FILE WITH THE EXPECTATION THAT YOU WILL GET A
# YAOOK DEPLOYMENT FIT FOR ANY USE EXCEPT LOOKING AT IT.
apiVersion: compute.yaook.cloud/v1
kind: NovaHostAggregate
metadata:
  name: aggregate-az-and-property
  namespace: yaook
spec:
  novaRef:
    name: nova
  keystoneRef:
    name: keystone
  zone: southeast-asia-42
  properties:
    cake: lie
    foo: bar