# ============================================================
# Caracal 2024.1 -- VR0 DC0 Omega Cloud testcloud rebuild bundle
# ============================================================
# Generated: 2026-05-22 (rebuild revision 2026-06-01, bundle-cleanup change-set)
# Replaces: bundle-pre-destroy.yaml (Bobcat 2023.2)
# Charm channels: verified against Charmhub 2026-05-22 (see Caracal_Rebuild handoff D-002)
# Bindings: public:provider, else:metal for API charms; all-metal for backend charms.
# Ceph data nets via public/cluster BINDINGS on ceph-mon/ceph-osd (these provision the
# container/host NICs; ceph-*-network config would NOT). Ceph CLIENTS bind ceph->storage,
# and each subordinate's storage/data binding is mirrored on its PRINCIPAL (subset rule). (C2)
# Endpoints: IP-ONLY -- os-public-hostname dropped on all API charms; the dual VIPs ARE the
# catalog endpoints (public 10.12.4.N / internal+admin 10.12.8.N). Vault issues
# per-VIP IP-SAN certs. No control-plane DNS dependency. (B5)
# HA chain: hacluster subordinates + dual VIPs + :ha relations ACTIVE for 11 API charms
# (10 prior + ceph-radosgw, un-deferred). VIPs front-loaded into the MAAS-reserved
# /26: provider 10.12.4.2-.63, metal 10.12.8.2-.63 (supersedes .224-.254). (B1)
# Vault: single unit, MYSQL storage backend (via vault-mysql-router). etcd + easyrsa
# REMOVED -- the etcd backend was never used (live storage = mysql) and is moot at
# 1 unit; HA backend (Raft vs etcd) is a Roosevelt rehearsal item. (C1; revises D-006)
# Ceph networks: FULL separation via network-space BINDINGS -- ceph-mon/ceph-osd public->storage
# (10.12.16.0/22), ceph-osd cluster->replication (10.12.20.0/22). Bindings, NOT
# ceph-*-network config, so the LXD-contained mon actually gets a storage NIC.
# Clients bind ceph->storage; container principals carry it too (subset rule). (C2)
# Magnum: Layer A only -- CAPI driver graft is Layer B (runbooks/phase-06..08)
# Octavia: lb-mgmt PKI options supplied via overlays/octavia-pki.yaml (gitignored).
# Amphora-pipeline options baked (use-internal-endpoints etc.). (B4)
# OVN tunnels: geneve overlay on the DATA space (10.12.12.0/22) -- ovn-chassis + ovn-chassis-octavia
# 'data' binding; their principals also carry data (nova-compute:neutron-plugin bare-metal,
# octavia:ovsdb-cms provisions the container NIC) per the subset rule. Prereq: enp8s0
# link-subnet to 10.12.12.4N (rebuild-prep, machines Ready).
# Resources: omitted -- let charms use latest available resource revisions
# ============================================================
name: vr0-dc0-omega-caracal-testcloud
description: |
Charmed OpenStack Caracal (2024.1) on Ubuntu 22.04 LTS (Jammy) deployed via Juju 3.6 bundle
against MAAS-managed VMs (openstack0-3, virsh).
Decisions referenced (see Caracal_Rebuild handoff + 2026-06-01 bundle-cleanup change-set):
D-001 Path 2A (Juju-bundle paradigm)
D-002 channel matrix
D-003 Option B (provider /22 carries FIPs + API VIPs)
D-005 Ceph Squid
D-006 Vault HA backend -- REVISED: etcd/easyrsa dropped for testcloud; Raft-vs-etcd is a Roosevelt item (C1)
D-007 Magnum Layer A + Layer B graft
D-019 (supersedes D-008) Designate deferred to v2
D-009 hacluster subordinates (decorative on testcloud)
D-016 IPv4-only v1
D-018 MAAS-release-direct teardown
Bundle-cleanup (2026-06-01): B5 IP-only endpoints; C1 vault-on-mysql (etcd/easyrsa removed);
C2 full Ceph network separation; B1 VIP front-load + radosgw HA un-defer; B2 ovn prefer-chassis-as-gw;
B3 nova Ceph-RBD ephemeral; B4 octavia amphora-pipeline options. C3 radosgw unchanged (already correct).
default-base: ubuntu@22.04/stable
variables:
# ----- UCA pocket + Ceph source ----------------------------------------------
openstack-origin: &openstack-origin cloud:jammy-caracal
ceph-source: &ceph-source cloud:jammy-caracal
# ----- Bindings for external-API-facing charms (public on provider) ----------
machines:
"8":
constraints: arch=amd64 tags=openstack
"9":
constraints: arch=amd64 tags=openstack
"10":
constraints: arch=amd64 tags=openstack
"11":
constraints: arch=amd64 tags=openstack
# =====================================================================
# Network-space bindings (D-052): EXPLICIT per-application blocks, no anchors.
# "" -> metal-admin (operator/MAAS/monitoring; admin API; default)
# internal/shared-db/amqp/certificates/cluster/identity/ovsdb -> metal-internal
# public -> provider-public (public API + floating IPs)
# ceph public -> storage ; ceph cluster -> replication
# geneve overlay -> data-tenant (nova-compute:neutron-plugin, ovn-chassis:data,
# ovn-chassis-octavia:data, octavia:ovsdb-cms)
# Subordinate subset rule: a subordinate's spaces are a subset of its principal's;
# nova-compute keeps data-tenant (via neutron-plugin) for the ovn-chassis geneve.
# Re-IP is MAAS-side only (no CIDR options here). See docs/design-decisions.md D-052.
# =====================================================================
applications:
# =====================================================================
# Datastores: MySQL InnoDB Cluster, RabbitMQ, Vault
# =====================================================================
# C1: etcd + easyrsa REMOVED. Vault is single-unit and uses the MySQL storage backend via
# vault-mysql-router (matches the live deploy; the etcd HA backend was never exercised and is
# moot at one unit). Vault HA backend (Raft vs etcd) is a Roosevelt rehearsal item.
mysql-innodb-cluster:
charm: mysql-innodb-cluster
channel: 8.0/stable
num_units: 3
to: [lxd:8, lxd:9, lxd:10]
bindings:
'': metal-admin
certificates: metal-internal
cluster: metal-internal
coordinator: metal-internal
db-router: metal-internal
shared-db: metal-internal
constraints: arch=amd64
rabbitmq-server:
charm: rabbitmq-server
channel: 3.9/stable
num_units: 1
to: [lxd:10]
bindings:
'': metal-admin
amqp: metal-internal
certificates: metal-internal
cluster: metal-internal
ha: metal-internal
constraints: arch=amd64
vault:
charm: vault
channel: 1.8/stable
num_units: 1 # 3 on Roosevelt (D-009); HA backend decided there (C1)
to: [lxd:11]
bindings:
'': metal-admin
access: metal-internal
certificates: metal-internal
cluster: metal-internal
ha: metal-internal
secrets: metal-internal
shared-db: metal-internal
constraints: arch=amd64
vault-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
# =====================================================================
# Identity: Keystone
# =====================================================================
keystone:
charm: keystone
channel: 2024.1/stable
num_units: 1 # 3 on Roosevelt (D-009)
to: [lxd:8]
options:
vip: "10.12.4.50 10.12.8.50 10.12.12.50" # B1 front-loaded VIP; IS the catalog endpoint (B5, no os-public-hostname)
use-policyd-override: true # as-built reconcile 2026-06-09 (origin untraced -- Review-later)
bindings:
'': metal-admin
certificates: metal-internal
cluster: metal-internal
domain-backend: metal-internal
ha: metal-internal
identity-admin: metal-internal
identity-credentials: metal-internal
identity-notifications: metal-internal
identity-service: metal-internal
internal: metal-internal
keystone-fid-service-provider: metal-internal
keystone-middleware: metal-internal
public: provider-public
shared-db: metal-internal
websso-trusted-dashboard: metal-internal
constraints: arch=amd64
keystone-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
# =====================================================================
# Image: Glance + simplestreams-sync
# =====================================================================
glance:
charm: glance
channel: 2024.1/stable
num_units: 1
to: [lxd:11]
options:
vip: "10.12.4.53 10.12.8.53 10.12.12.53" # B1
image-conversion: true # as-built; image conversion enabled (raw on Ceph-backed glance)
bindings:
'': metal-admin
amqp: metal-internal
ceph: storage
certificates: metal-internal
cinder-volume-service: metal-internal
cluster: metal-internal
ha: metal-internal
identity-service: metal-internal
image-service: metal-internal
internal: metal-internal
object-store: metal-internal
public: provider-public
shared-db: metal-internal
storage-backend: metal-internal
constraints: arch=amd64
glance-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
glance-simplestreams-sync:
charm: glance-simplestreams-sync
channel: 2024.1/stable
num_units: 1
to: [lxd:8]
options: # B4 amphora-pipeline
use-internal-endpoints: true # use internal (IP) catalog endpoints
use_swift: false # skip swift index; sidesteps radosgw object path for the amphora seed
bindings:
'': metal-admin
certificates: metal-internal
identity-service: metal-internal
image-modifier: metal-internal
simplestreams-image-service: metal-internal
constraints: arch=amd64
# =====================================================================
# Compute: Nova cloud-controller + compute + Placement
# =====================================================================
nova-cloud-controller:
charm: nova-cloud-controller
channel: 2024.1/stable
num_units: 1
to: [lxd:11]
options:
console-access-protocol: novnc
network-manager: Neutron
vip: "10.12.4.56 10.12.8.56 10.12.12.56" # B1
bindings:
'': metal-admin
amqp: metal-internal
amqp-cell: metal-internal
certificates: metal-internal
cinder-volume-service: metal-internal
cloud-compute: metal-internal
cloud-controller: metal-internal
cluster: metal-internal
dashboard: metal-internal
ha: metal-internal
identity-service: metal-internal
image-service: metal-internal
internal: metal-internal
memcache: metal-internal
neutron-api: metal-internal
nova-cell-api: metal-internal
placement: metal-internal
public: provider-public
shared-db: metal-internal
shared-db-cell: metal-internal
constraints: arch=amd64
nova-compute:
charm: nova-compute
channel: 2024.1/stable
num_units: 3
to: ["9", "10", "11"]
options:
config-flags: default_ephemeral_format=ext4
enable-live-migration: true # now genuinely usable -- shared Ceph storage = memory-only migrate (B3)
enable-resize: true
libvirt-image-backend: rbd # B3 Ceph-RBD ephemeral: DISK_GB from the Ceph pool, not local fs; unlocks Magnum
migration-auth-type: ssh
resume-guests-state-on-host-boot: true
virt-type: qemu # Testcloud nested-KVM; Roosevelt will use 'kvm'
reserved-host-memory: 8192 # ENV(testcloud 16GiB hosts) D-040 OOM fix; charm default 512 -- DO NOT drop
bindings:
'': metal-admin
amqp: metal-internal
ceph: storage
ceph-access: storage
cloud-compute: metal-internal
cloud-credentials: metal-internal
compute-peer: metal-internal
image-service: metal-internal
internal: metal-internal
migration: metal-internal
neutron-plugin: data-tenant
secrets-storage: metal-internal
storage-backend: metal-internal
constraints: arch=amd64
ncc-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
placement:
charm: placement
channel: 2024.1/stable
num_units: 1
to: [lxd:11]
options:
vip: "10.12.4.59 10.12.8.59 10.12.12.59" # B1
bindings:
'': metal-admin
amqp: metal-internal
certificates: metal-internal
cluster: metal-internal
ha: metal-internal
identity-service: metal-internal
internal: metal-internal
placement: metal-internal
public: provider-public
shared-db: metal-internal
constraints: arch=amd64
placement-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
# =====================================================================
# Networking: Neutron + OVN
# =====================================================================
neutron-api:
charm: neutron-api
channel: 2024.1/stable
num_units: 1
to: [lxd:9]
options:
enable-ml2-port-security: true
flat-network-providers: physnet1
neutron-security-groups: true
vip: "10.12.4.55 10.12.8.55 10.12.12.55" # B1
bindings:
'': metal-admin
amqp: metal-internal
certificates: metal-internal
cluster: metal-internal
ha: metal-internal
identity-service: metal-internal
internal: metal-internal
neutron-api: metal-internal
neutron-plugin-api: metal-internal
neutron-plugin-api-subordinate: metal-internal
public: provider-public
shared-db: metal-internal
constraints: arch=amd64
neutron-api-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
neutron-api-plugin-ovn:
charm: neutron-api-plugin-ovn
channel: 2024.1/stable
bindings:
'': metal-admin
certificates: metal-internal
neutron-plugin: metal-internal
ovsdb-cms: metal-internal
ovn-central:
charm: ovn-central
channel: 24.03/stable
num_units: 3
to: [lxd:8, lxd:9, lxd:10]
bindings:
'': metal-admin
certificates: metal-internal
coordinator: metal-internal
ovsdb: metal-internal
ovsdb-cms: metal-internal
ovsdb-peer: metal-internal
ovsdb-server: metal-internal
constraints: arch=amd64
# ovn-chassis: subordinate to nova-compute. MAC-based bridge-interface-mappings captured from
# MAAS 2026-05-22 (Bobcat used hardcoded 'enp1s0' -- anti-pattern fix). The charm picks whichever
# MAC is found locally per unit; non-matching MACs are ignored.
ovn-chassis:
charm: ovn-chassis
channel: 24.03/stable
options:
ovn-bridge-mappings: physnet1:br-ex
prefer-chassis-as-gw: true # B2 -- elects gateway chassis so tenant routers get external egress
bridge-interface-mappings: >-
br-ex:52:54:00:3d:fd:54
br-ex:52:54:00:9d:63:77
br-ex:52:54:00:89:7f:ce
br-ex:52:54:00:99:fc:c2
bindings:
'': metal-admin
amqp: metal-internal
certificates: metal-internal
data: data-tenant
ovsdb: metal-internal
ovsdb-subordinate: metal-internal
ovn-chassis-octavia:
charm: ovn-chassis
channel: 24.03/stable
bindings:
'': metal-admin
amqp: metal-internal
certificates: metal-internal
data: data-tenant
ovsdb: metal-internal
ovsdb-subordinate: metal-internal
cinder:
charm: cinder
channel: 2024.1/stable
num_units: 1
to: [lxd:9]
options:
block-device: None
glance-api-version: 2
vip: "10.12.4.52 10.12.8.52 10.12.12.52" # B1
bindings:
'': metal-admin
amqp: metal-internal
backup-backend: metal-internal
ceph: storage
certificates: metal-internal
cinder-volume-service: metal-internal
cluster: metal-internal
ha: metal-internal
identity-credentials: metal-internal
identity-service: metal-internal
image-service: metal-internal
internal: metal-internal
public: provider-public
shared-db: metal-internal
storage-backend: metal-internal
constraints: arch=amd64 # owns the relation -- but the binding still provisions the NIC.
cinder-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
cinder-ceph:
charm: cinder-ceph
channel: 2024.1/stable
bindings:
'': metal-admin
ceph: storage
ceph-access: storage
storage-backend: metal-internal
ceph-mon:
charm: ceph-mon
channel: squid/stable
num_units: 3
to: [lxd:8, lxd:9, lxd:10]
options:
source: *ceph-source
expected-osd-count: 4
monitor-count: 3
bindings:
'': metal-admin
bootstrap-source: storage
client: storage
cluster: replication
mds: storage
mon: storage
osd: storage
public: storage
radosgw: storage
rbd-mirror: storage
constraints: arch=amd64 # provisions the NIC and sets the Ceph public net. Mons use only the
# public net (no cluster binding needed).
ceph-osd:
charm: ceph-osd
channel: squid/stable
num_units: 4
to: ["8", "9", "10", "11"]
options:
source: *ceph-source
osd-devices: /dev/vdb # libvirt-attached, MAAS-untracked, wiped pre-deploy
bindings:
'': metal-admin
cluster: replication
mon: storage
public: storage
secrets-storage: metal-internal
constraints: arch=amd64 tags=openstack
ceph-radosgw:
charm: ceph-radosgw
channel: squid/stable
num_units: 1
to: [lxd:8]
options:
source: *ceph-source
vip: "10.12.4.60 10.12.8.60 10.12.12.60" # B1 -- radosgw HA un-deferred for Roosevelt fidelity (decorative HA on testcloud)
bindings:
'': metal-admin
certificates: metal-internal
cluster: metal-internal
gateway: metal-internal
ha: metal-internal
identity-service: metal-internal
internal: metal-internal
mon: storage
object-store: metal-internal
public: provider-public
radosgw-user: metal-internal
s3: metal-internal
constraints: arch=amd64
# =====================================================================
# Dashboard: openstack-dashboard (Horizon)
# =====================================================================
openstack-dashboard:
charm: openstack-dashboard
channel: 2024.1/stable
num_units: 1
to: [lxd:10]
options:
debug: "false"
vip: "10.12.4.58 10.12.8.58 10.12.12.58" # B1 -- browse HTTPS by IP (B5); ALLOWED_HOSTS must permit the VIP IP (verify at deploy)
bindings:
'': metal-admin
application-dashboard: metal-internal
certificates: metal-internal
cluster: metal-internal
dashboard: metal-internal
dashboard-plugin: metal-internal
ha: metal-internal
identity-service: metal-internal
public: provider-public
shared-db: metal-internal
website: metal-internal
websso-fid-service-provider: metal-internal
websso-trusted-dashboard: metal-internal
constraints: arch=amd64
dashboard-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
# =====================================================================
# Load Balancer: Octavia
# =====================================================================
# CRITICAL: vault:certificates must be in bundle from day-one (post-deploy add causes the
# documented apache2/octavia-api masking bug -- see test deployment v3 handoff).
octavia:
charm: octavia
channel: 2024.1/stable
num_units: 1
to: [lxd:11]
options:
debug: false
openstack-origin: *openstack-origin
amp-image-tag: octavia-amphora # B4 -- MUST match the tag octavia-diskimage-retrofit stamps
# ----- PKI material -------------------------------------------------
# 5 lb-mgmt-* options are supplied via overlays/octavia-pki.yaml
# (gitignored). Generated per runbooks/01a-octavia-pki-generation.md.
# Deploy with:
# juju deploy ./bundle.yaml \
# --overlay overlays/vr0-dc0-testcloud.yaml \
# --overlay overlays/octavia-pki.yaml
vip: "10.12.4.57 10.12.8.57 10.12.12.57" # B1
bindings:
'': metal-admin
amqp: metal-internal
certificates: metal-internal
cluster: metal-internal
ha: metal-internal
identity-service: metal-internal
internal: metal-internal
neutron-api: metal-internal
neutron-openvswitch: metal-internal
ovsdb-cms: data-tenant
ovsdb-subordinate: metal-internal
public: provider-public
shared-db: metal-internal
constraints: arch=amd64 # subset for the subordinate's data binding (subset rule).
octavia-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
octavia-dashboard:
charm: octavia-dashboard
channel: 2024.1/stable
bindings:
'': metal-admin
certificates: metal-internal
dashboard: metal-internal
octavia-diskimage-retrofit:
charm: octavia-diskimage-retrofit
channel: 2024.1/stable
options:
amp-image-tag: octavia-amphora
use-internal-endpoints: true # B4 -- charm ships FALSE; required so the retrofit glance client uses the internal (IP) endpoint
image-format: raw # B4 -- RAW, not the qcow2 default: glance is Ceph-backed, and the charm
# + Ceph docs recommend raw so RBD can fast-clone the amphora (qcow2
# forces a convert-on-import and defeats CoW).
# =====================================================================
# Secrets: Barbican
# =====================================================================
bindings:
'': metal-admin
certificates: metal-internal
identity-credentials: metal-internal
barbican:
charm: barbican
channel: 2024.1/stable
num_units: 1
to: [lxd:11]
options:
openstack-origin: *openstack-origin
vip: "10.12.4.51 10.12.8.51 10.12.12.51" # B1
bindings:
'': metal-admin
amqp: metal-internal
certificates: metal-internal
cluster: metal-internal
ha: metal-internal
identity-service: metal-internal
internal: metal-internal
public: provider-public
secrets: metal-internal
shared-db: metal-internal
constraints: arch=amd64
barbican-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
barbican-vault:
charm: barbican-vault
channel: 2024.1/stable
# =====================================================================
# Kubernetes-as-a-Service: Magnum (Layer A -- CAPI graft is Layer B)
# =====================================================================
# NOTE: After bundle deploys, magnum/0 will show active/idle but CANNOT create K8s clusters.
# Layer B (post-deploy) brings it to life -- see runbooks/phase-06..08:
# 1. In-cloud single-homed mgmt VM (capi-mgmt-v2) with k8s-snap + CAPI/CAPO (phase-06; D-035)
# 2. magnum-capi-helm==1.4.0 grafted onto the conductor (phase-07; D-037/D-042)
# 3. /etc/magnum/magnum.conf.d/00-capi-helm.conf (driver) + 50-keystone-v3-override.conf,
# both read via --config-dir wired into /etc/default/magnum-{conductor,api} (D-037/D-047)
# 4. kubeconfig at /etc/magnum/kubeconfig (server = the mgmt FIP) (phase-07)
# 5. magnum trustee domain-setup (REQUIRED; D-046); per-cluster app-creds are
# minted by magnum at cluster-create -- NO static capo user/app-cred (D-039)
bindings:
'': metal-admin
certificates: metal-internal
secrets: metal-internal
secrets-storage: metal-internal
magnum:
charm: magnum
channel: 2024.1/stable
num_units: 1
to: [lxd:9]
options:
openstack-origin: *openstack-origin
region: RegionOne
vip: "10.12.4.54 10.12.8.54 10.12.12.54" # B1
bindings:
'': metal-admin
amqp: metal-internal
certificates: metal-internal
cluster: metal-internal
ha: metal-internal
identity-service: metal-internal
internal: metal-internal
public: provider-public
shared-db: metal-internal
constraints: arch=amd64
magnum-mysql-router:
charm: mysql-router
channel: 8.0/stable
bindings:
'': metal-admin
certificates: metal-internal
db-router: metal-internal
shared-db: metal-internal
magnum-dashboard:
charm: magnum-dashboard
channel: 2024.1/stable
# =====================================================================
# HA Cluster Subordinates (11 active for v1: 10 API charms + ceph-radosgw)
# =====================================================================
# Channel: 2.4/stable (per Caracal Charm Delivery table, D-002 verified 2026-05-22).
# cluster_count: 1 (decorative on single-unit testcloud, D-009 / BUNDLEFIX-003).
# VIPs front-loaded into the MAAS-reserved provider/metal /26 per B1 (.2-.63).
# vault-hacluster stays commented (vault single-unit on mysql, C1 / BUNDLEFIX-002).
# designate-hacluster stays deferred (D-019).
#
bindings:
'': metal-admin
certificates: metal-internal
dashboard: metal-internal
keystone-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}}
glance-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}}
neutron-api-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}}
nova-cloud-controller-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}}
placement-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}}
openstack-dashboard-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}}
cinder-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}}
octavia-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}}
barbican-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}}
magnum-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}}
ceph-radosgw-hacluster: {charm: hacluster, channel: 2.4/stable, options: {cluster_count: 1}, bindings: {'': metal-admin, ha: metal-internal, hanode: metal-internal, pacemaker-remote: metal-internal, peer-availability: metal-internal}} # B1 -- un-deferred
# vault-hacluster: { charm: hacluster, channel: 2.4/stable } # C1: vault single-unit on mysql; HA at Roosevelt
# v2-deferred (D-019): designate-hacluster: { charm: hacluster, channel: 2.4/stable }
# memcached: nova-cloud-controller token/cell caching (BUNDLEFIX-004)
memcached:
charm: memcached
channel: latest/stable
num_units: 1
to: [lxd:8]
bindings:
'': metal-admin
cache: metal-internal
cluster: metal-internal
constraints: arch=amd64
relations:
- [nova-cloud-controller:memcache, memcached:cache]
# ---- Vault (single unit, MySQL storage backend via vault-mysql-router; C1 -- etcd+easyrsa removed)
- [vault-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [vault:shared-db, vault-mysql-router:shared-db]
- [mysql-innodb-cluster:certificates, vault:certificates]
# - [vault:ha, vault-hacluster:ha] # vault de-HA'd on testcloud (C1/BUNDLEFIX-002); HA backend a Roosevelt item
# ---- Keystone (identity, hub of all OS service relations)
- [keystone-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [keystone-mysql-router:shared-db, keystone:shared-db]
- [keystone:certificates, vault:certificates]
- [keystone:ha, keystone-hacluster:ha]
# ---- Glance (image)
- [glance-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [glance-mysql-router:shared-db, glance:shared-db]
- [glance:identity-service, keystone:identity-service]
- [glance:certificates, vault:certificates]
- [glance:ha, glance-hacluster:ha]
# ---- Glance simplestreams sync (Octavia amphora pipeline source)
- [glance-simplestreams-sync:identity-service, keystone:identity-service]
- [glance-simplestreams-sync:certificates, vault:certificates]
# ---- Nova cloud controller (NCC)
- [ncc-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [ncc-mysql-router:shared-db, nova-cloud-controller:shared-db]
- [nova-cloud-controller:identity-service, keystone:identity-service]
- [nova-cloud-controller:amqp, rabbitmq-server:amqp]
- [nova-cloud-controller:image-service, glance:image-service]
- [nova-cloud-controller:neutron-api, neutron-api:neutron-api]
- [nova-cloud-controller:cloud-compute, nova-compute:cloud-compute]
- [nova-cloud-controller:cinder-volume-service, cinder:cinder-volume-service]
- [nova-cloud-controller:certificates, vault:certificates]
- [nova-cloud-controller:ha, nova-cloud-controller-hacluster:ha]
# ---- Nova compute
- [nova-compute:amqp, rabbitmq-server:amqp]
- [nova-compute:image-service, glance:image-service]
# ---- Placement
- [placement-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [placement-mysql-router:shared-db, placement:shared-db]
- [placement:identity-service, keystone:identity-service]
- [placement:placement, nova-cloud-controller:placement]
- [placement:certificates, vault:certificates]
- [placement:ha, placement-hacluster:ha]
# ---- Neutron API + OVN
- [neutron-api-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [neutron-api-mysql-router:shared-db, neutron-api:shared-db]
- [neutron-api:identity-service, keystone:identity-service]
- [neutron-api:amqp, rabbitmq-server:amqp]
- [neutron-api:certificates, vault:certificates]
- [neutron-api-plugin-ovn:neutron-plugin, neutron-api:neutron-plugin-api-subordinate]
- [neutron-api-plugin-ovn:ovsdb-cms, ovn-central:ovsdb-cms]
- [neutron-api-plugin-ovn:certificates, vault:certificates]
- [ovn-central:certificates, vault:certificates]
- [ovn-chassis:ovsdb, ovn-central:ovsdb]
- [ovn-chassis:nova-compute, nova-compute:neutron-plugin]
- [ovn-chassis:certificates, vault:certificates]
- [neutron-api:ha, neutron-api-hacluster:ha]
# ---- Cinder + cinder-ceph
- [cinder-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [cinder-mysql-router:shared-db, cinder:shared-db]
- [cinder:identity-service, keystone:identity-service]
- [cinder:amqp, rabbitmq-server:amqp]
- [cinder:image-service, glance:image-service]
- [cinder:certificates, vault:certificates]
- [cinder-ceph:storage-backend, cinder:storage-backend]
- [cinder-ceph:ceph, ceph-mon:client]
- [cinder-ceph:ceph-access, nova-compute:ceph-access]
- [cinder:ha, cinder-hacluster:ha]
# ---- Ceph mon + osd + radosgw
- [ceph-mon:osd, ceph-osd:mon]
- [ceph-mon:client, nova-compute:ceph]
- [ceph-mon:client, glance:ceph]
- [ceph-radosgw:mon, ceph-mon:radosgw]
- [ceph-radosgw:identity-service, keystone:identity-service]
- [ceph-radosgw:certificates, vault:certificates]
- [ceph-radosgw:ha, ceph-radosgw-hacluster:ha] # B1 -- un-deferred
# ---- OpenStack Dashboard (Horizon)
- [dashboard-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [dashboard-mysql-router:shared-db, openstack-dashboard:shared-db]
- [openstack-dashboard:identity-service, keystone:identity-service]
- [openstack-dashboard:certificates, vault:certificates]
- [openstack-dashboard:ha, openstack-dashboard-hacluster:ha]
# ---- Octavia (LBaaS)
# CRITICAL: octavia:certificates <-> vault:certificates MUST be present at deploy time
- [octavia-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [octavia-mysql-router:shared-db, octavia:shared-db]
- [octavia:identity-service, keystone:identity-service]
- [octavia:amqp, rabbitmq-server:amqp]
- [octavia:neutron-api, neutron-api:neutron-load-balancer]
- [octavia:certificates, vault:certificates]
- [octavia-dashboard:dashboard, openstack-dashboard:dashboard-plugin]
- [ovn-chassis-octavia:ovsdb, ovn-central:ovsdb]
- [ovn-chassis-octavia:ovsdb-subordinate, octavia:ovsdb-subordinate]
- [ovn-chassis-octavia:certificates, vault:certificates]
# Octavia amphora image pipeline
- [octavia-diskimage-retrofit:juju-info, glance-simplestreams-sync:juju-info]
- [octavia-diskimage-retrofit:identity-credentials, keystone:identity-credentials]
- [octavia:ha, octavia-hacluster:ha]
# ---- Barbican (secrets)
- [barbican-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [barbican-mysql-router:shared-db, barbican:shared-db]
- [barbican:identity-service, keystone:identity-service]
- [barbican:amqp, rabbitmq-server:amqp]
- [barbican:certificates, vault:certificates]
- [barbican:secrets, barbican-vault:secrets]
- [barbican-vault:certificates, vault:certificates]
- [barbican-vault:secrets-storage, vault:secrets]
- [barbican:ha, barbican-hacluster:ha]
# ---- Magnum (Layer A only; CAPI graft is Layer B/runbooks phase-06..08)
- [magnum-mysql-router:db-router, mysql-innodb-cluster:db-router]
- [magnum:shared-db, magnum-mysql-router:shared-db]
- [magnum:identity-service, keystone:identity-service]
- [magnum:amqp, rabbitmq-server:amqp]
- [magnum:certificates, vault:certificates]
- [magnum-dashboard:dashboard, openstack-dashboard:dashboard-plugin]
- [magnum:ha, magnum-hacluster:ha]
