Newer
Older
openstack-caracal-ipv4 / clientdocs / acceptance-checklist.md

Omega Cloud -- Acceptance Checklist (TEMPLATE)

TEMPLATE NOTE (removed before delivery): fields written as {{THIS}} are filled in by us per client at handover.

The definition of "your environment works": every row below passes. Run it once at onboarding -- with us on the line if you like -- and re-run any row whenever you suspect a problem. Rows marked "You" are fully self-service; rows marked "Us" need a request through your account contact. Rows marked "expected refusal" MUST fail -- they prove the platform's boundaries are protecting you.

Unless a row says otherwise, run the checks as your automation credential (OS_CLOUD={{TENANT_SHORT_NAME}}, per the CI/Automation Integration Guide). Substitute any small shared machine size and base image from openstack flavor list / openstack image list. The starter-kit script scripts/acceptance-run.sh automates every fully self-service row below (and tears its resources down again); the rows that need a password login or a human are listed in its output.

A. Sign-in and discovery

# Proves Minimal check Expected result Who
A1 Pipeline sign-in (application credential) openstack token issue a token, scoped to your project You
A2 Cluster account sign-in (password) as {{TENANT_SHORT_NAME}}-cluster: openstack token issue a token, scoped to your project You
A3 Admin account sign-in (password, dashboard) log in to {{DASHBOARD_URL}} as {{TENANT_SHORT_NAME}}-domain-admin with domain {{TENANT_SHORT_NAME}} dashboard opens showing the Identity section; the error popups at this login are normal for this account -- dismiss them (see the Self-Service Guide) You
A4 Endpoint discovery openstack catalog list every service used in sections B-H appears with an endpoint You
A5 Quota envelope visible openstack limits show --absolute limits match your agreed quota You
A6 Identity boundary (expected refusal) with the application credential: openstack user create ci-accept-probe permission DENIED -- identity work belongs to -domain-admin only You

B. Identity self-service (as {{TENANT_SHORT_NAME}}-domain-admin)

Run these rows with the command-line client -- identity tasks are done via the CLI today (the exact commands are in the Self-Service Guide).

# Proves Minimal check Expected result Who
B1 You can manage your own team create user ci-accept-user in your domain, grant member on {{TENANT_SHORT_NAME}}-prod, then delete the user create, grant, and delete all succeed You
B2 Escalation is blocked (expected refusal) try to grant admin on your project to any of your users grant refused / does not appear in openstack role assignment list You

C. Networking

# Proves Minimal check Expected result Who
C1 Handover network intact openstack network show {{TENANT_SHORT_NAME}}-net and openstack router show {{TENANT_SHORT_NAME}}-router both exist; router's external gateway is on provider-ext You
C2 Network create/delete create network ci-accept-net + a subnet on it (non-overlapping range), then delete both both succeed You
C3 Firewall self-service create security group ci-accept-sg with a TCP/22 rule, then delete it both succeed You
C4 Public IP allocation openstack floating ip create provider-ext, then delete it an address is allocated and released You

D. Compute

# Proves Minimal check Expected result Who
D1 Shared images and sizes visible openstack image list and openstack flavor list the shared base images and machine sizes appear You
D2 Server lifecycle boot ci-accept-vm on {{TENANT_SHORT_NAME}}-net with keypair {{TENANT_SHORT_NAME}}-key; wait; delete status reaches ACTIVE; delete completes You
D3 End-to-end reachability attach a floating IP to ci-accept-vm and SSH in with your keypair (allow TCP/22 in its security group first) SSH login succeeds You

Note on D2: keypairs are per-account and {{TENANT_SHORT_NAME}}-key is owned by the -cluster account, so when running D2 as the automation credential, boot with a keypair of your own instead -- the automated runner scripts/acceptance-run.sh creates (and deletes) a throwaway ci-accept-key for exactly this reason. Row H2 proves the handover keypair itself.

E. Block storage

# Proves Minimal check Expected result Who
E1 Volume lifecycle openstack volume create --size 1 ci-accept-vol status reaches available You
E2 Attach/detach attach ci-accept-vol to ci-accept-vm, verify in-use, detach, delete all four steps succeed You

F. Load balancers

# Proves Minimal check Expected result Who
F1 Load balancer lifecycle openstack loadbalancer create --name ci-accept-lb --vip-subnet-id {{TENANT_SHORT_NAME}}-subnet --wait, then delete (--cascade) provisioning ACTIVE and operating ONLINE; delete completes You
F2 Listener/pool/member on ci-accept-lb before deleting: add a listener (TCP/80), a pool, and ci-accept-vm as a member all three create calls succeed You

Note: load balancers take several minutes to build; that is normal.

G. Secrets and certificates

# Proves Minimal check Expected result Who
G1 Secret lifecycle openstack secret store --name ci-accept-secret --payload check123, retrieve it, delete it stored, retrieved intact, deleted You

This is the same store that holds TLS certificates for load balancer listeners, so G1 passing means your TLS workflow will work.

H. Kubernetes clusters

Run H2/H3 as {{TENANT_SHORT_NAME}}-cluster signed in with its PASSWORD -- that is a platform requirement, not a preference. Cluster builds take tens of minutes; agree timing with us if you are running the whole checklist in one sitting.

# Proves Minimal check Expected result Who
H1 Your cluster template exists openstack coe cluster template show {{TENANT_SHORT_NAME}}-k8s template found You
H2 Cluster lifecycle openstack coe cluster create ci-accept-k8s --cluster-template {{TENANT_SHORT_NAME}}-k8s --keypair {{TENANT_SHORT_NAME}}-key --master-count 1 --node-count 1; wait; fetch kubeconfig (openstack coe cluster config); delete CREATE_COMPLETE; kubectl get nodes answers; delete completes You
H3 Cluster boundary (expected refusal) attempt the same create with the application credential refused -- clusters require the -cluster password login You

I. Object storage

The platform runs an object storage service (S3/Swift compatible), available to your accounts. Run this row by hand, with the CLI or on the dashboard's object storage page, whichever you prefer; the automated runner lists it with the manual rows.

# Proves Minimal check Expected result Who
I1 Object storage lifecycle openstack container create ci-accept-bucket, upload/download a small object, delete both (or the same via the dashboard) all steps succeed You

J. Operator-side paths (request drills)

# Proves Minimal check Expected result Who
J1 Quota change path an authorized requester asks {{ACCOUNT_CONTACT}} for a (small, real) quota change change is applied and visible in openstack limits show --absolute Us
J2 Escalation path send a test "urgent" notice to {{ACCOUNT_CONTACT}} as agreed at handover acknowledged within the agreed response window Us

Sign-off

All rows above passed on: __

For {{TENANT_SHORT_NAME}}: __ (name, role)

For Omega Cloud: __ (name, role)

Leftover check: after sign-off, run openstack server list, openstack volume list, openstack loadbalancer list, openstack floating ip list, openstack network list, openstack security group list, and openstack coe cluster list -- nothing named ci-accept-* should remain, and your quota consumption should be back to its pre-checklist level.