diff --git a/bundle.yaml b/bundle.yaml
index 42c9999..b17ff09 100644
--- a/bundle.yaml
+++ b/bundle.yaml
@@ -1,36 +1,54 @@ # ============================================================ -# Caracal 2024.1 — VR0 DC0 Omega Cloud testcloud rebuild bundle +# Caracal 2024.1 -- VR0 DC0 Omega Cloud testcloud rebuild bundle # ============================================================ -# Generated: 2026-05-22 +# Generated: 2026-05-22 (rebuild revision 2026-06-01, bundle-cleanup change-set) # Replaces: bundle-pre-destroy.yaml (Bobcat 2023.2) # Charm channels: verified against Charmhub 2026-05-22 (see Caracal_Rebuild handoff D-002) -# Bindings: public:provider, else:metal for API charms; all-metal for backend charms -# HA chain: ALL hacluster subordinates + vip configs + :ha relations COMMENTED OUT -# until NetBox VIP allocations land in 10.12.4.224-.254 -# Vault HA: etcd backend + easyrsa CA bootstrap live; vault-hacluster commented -# Magnum: Layer A only — CAPI driver graft is Layer B (runbooks/04a + 05) -# Octavia: lb-mgmt PKI options present but VALUES commented out — source from -# either Bobcat backup (~/backups/pre-caracal-destroy-2026-05-22/) -# or fresh octavia-cert-runbook (TBD) -# OVN tunnels: remain on metal space (Bobcat-proven); enp8s0 3_data v2 improvement -# Resources: omitted — let charms use latest available resource revisions +# Bindings: public:provider, else:metal for API charms; all-metal for backend charms. +# Ceph data nets via public/cluster BINDINGS on ceph-mon/ceph-osd (these provision the +# container/host NICs; ceph-*-network config would NOT). Ceph CLIENTS bind ceph->storage, +# and each subordinate's storage/data binding is mirrored on its PRINCIPAL (subset rule). (C2) +# Endpoints: IP-ONLY -- os-public-hostname dropped on all API charms; the dual VIPs ARE the +# catalog endpoints (public 10.12.4.N / internal+admin 10.12.8.N). Vault issues +# per-VIP IP-SAN certs. No control-plane DNS dependency. (B5) +# HA chain: hacluster subordinates + dual VIPs + :ha relations ACTIVE for 11 API charms +# (10 prior + ceph-radosgw, un-deferred). 
VIPs front-loaded into the MAAS-reserved +# /26: provider 10.12.4.2-.63, metal 10.12.8.2-.63 (supersedes .224-.254). (B1) +# Vault: single unit, MYSQL storage backend (via vault-mysql-router). etcd + easyrsa +# REMOVED -- the etcd backend was never used (live storage = mysql) and is moot at +# 1 unit; HA backend (Raft vs etcd) is a Roosevelt rehearsal item. (C1; revises D-006) +# Ceph networks: FULL separation via network-space BINDINGS -- ceph-mon/ceph-osd public->storage +# (10.12.16.0/22), ceph-osd cluster->replication (10.12.20.0/22). Bindings, NOT +# ceph-*-network config, so the LXD-contained mon actually gets a storage NIC. +# Clients bind ceph->storage; container principals carry it too (subset rule). (C2) +# Magnum: Layer A only -- CAPI driver graft is Layer B (runbooks/04a + 05) +# Octavia: lb-mgmt PKI options supplied via overlays/octavia-pki.yaml (gitignored). +# Amphora-pipeline options baked (use-internal-endpoints etc.). (B4) +# OVN tunnels: geneve overlay on the DATA space (10.12.12.0/22) -- ovn-chassis + ovn-chassis-octavia +# 'data' binding; their principals also carry data (nova-compute:neutron-plugin bare-metal, +# octavia:ovsdb-cms provisions the container NIC) per the subset rule. Prereq: enp8s0 +# link-subnet to 10.12.12.4N (rebuild-prep, machines Ready). +# Resources: omitted -- let charms use latest available resource revisions # ============================================================ name: vr0-dc0-omega-caracal-testcloud description: | Charmed OpenStack Caracal (2024.1) on Ubuntu 22.04 LTS (Jammy) deployed via Juju 3.6 bundle against MAAS-managed VMs (openstack0-3, virsh). 
- Decisions referenced (see Caracal_Rebuild handoff): + Decisions referenced (see Caracal_Rebuild handoff + 2026-06-01 bundle-cleanup change-set): D-001 Path 2A (Juju-bundle paradigm) D-002 channel matrix D-003 Option B (provider /22 carries FIPs + API VIPs) D-005 Ceph Squid - D-006 Vault HA via etcd + easyrsa + D-006 Vault HA backend -- REVISED: etcd/easyrsa dropped for testcloud; Raft-vs-etcd is a Roosevelt item (C1) D-007 Magnum Layer A + Layer B graft D-019 (supersedes D-008) Designate deferred to v2 D-009 hacluster subordinates (decorative on testcloud) D-016 IPv4-only v1 D-018 MAAS-release-direct teardown + Bundle-cleanup (2026-06-01): B5 IP-only endpoints; C1 vault-on-mysql (etcd/easyrsa removed); + C2 full Ceph network separation; B1 VIP front-load + radosgw HA un-defer; B2 ovn prefer-chassis-as-gw; + B3 nova Ceph-RBD ephemeral; B4 octavia amphora-pipeline options. C3 radosgw unchanged (already correct). default-base: ubuntu@22.04/stable @@ -45,8 +63,8 @@ public: provider # ----- Bindings for backend / internal-only charms (all metal) --------------- - # Used for ceph-mon (Ceph public network IS metal, not OpenStack public), - # ceph-osd, ovn-central, mysql-innodb-cluster, rabbitmq-server, nova-compute, etc. + # Used for ovn-central, mysql-innodb-cluster, rabbitmq-server, vault, memcached, and the + # mysql-router subordinates. (ceph-mon / ceph-osd now use explicit public/cluster bindings, see C2.) internal-bindings: &internal-bindings "": metal 
@@ -63,8 +81,11 @@ applications: # ===================================================================== - # Datastores: MySQL InnoDB Cluster, RabbitMQ, Vault + HA backend + # Datastores: MySQL InnoDB Cluster, RabbitMQ, Vault # ===================================================================== + # C1: etcd + easyrsa REMOVED. Vault is single-unit and uses the MySQL storage backend via + # vault-mysql-router (matches the live deploy; the etcd HA backend was never exercised and is + # moot at one unit). Vault HA backend (Raft vs etcd) is a Roosevelt rehearsal item. mysql-innodb-cluster: charm: mysql-innodb-cluster @@ -85,7 +106,7 @@ vault: charm: vault channel: 1.8/stable - num_units: 1 # 3 on Roosevelt (D-009) + num_units: 1 # 3 on Roosevelt (D-009); HA backend decided there (C1) to: [lxd:11] bindings: *internal-bindings constraints: arch=amd64 @@ -95,24 +116,6 @@ channel: 8.0/stable bindings: *internal-bindings - etcd: - charm: etcd - channel: latest/stable # support charm; not in OS delivery table - num_units: 3 # Vault HA backend (D-006) - to: [lxd:8, lxd:9, lxd:10] - bindings: *internal-bindings - constraints: arch=amd64 - # Note: etcd charm has its OWN `channel:` config option (controls etcd snap). - # Leaving at charm default; revisit if a specific etcd binary version is needed. - - easyrsa: - charm: easyrsa - channel: latest/stable - num_units: 1 # One-shot CA for etcd bootstrap (D-006) - to: [lxd:8] - bindings: *internal-bindings - constraints: arch=amd64 - # ===================================================================== # Identity: Keystone # ===================================================================== @@ -123,8 +126,7 @@ num_units: 1 # 3 on Roosevelt (D-009) to: [lxd:8] options: - vip: "10.12.4.229 10.12.8.229" - os-public-hostname: keystone.omega.dc0.vr0.cloud.neumatrix.local + vip: "10.12.4.10 10.12.8.10" # B1 front-loaded VIP; IS the catalog endpoint (B5, no os-public-hostname) bindings: *api-bindings constraints: arch=amd64 
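Review bot: In the keystone options hunk (`@@ -123,8 +126,7 @@`), dropping `os-public-hostname` leaves the two VIP addresses as the only names a client can verify the API certificate against, and nothing on the `vip:` line records that dependency. The file header says Vault issues per-VIP IP-SAN certs, so I would extend the trailing comment to `# B1 VIP; catalog endpoint (B5) -- TLS verifies against the IP SAN, so both VIPs must be in the Vault-issued cert`. A post-deploy check that each endpoint's certificate lists its provider and metal VIP would catch a mismatch before clients start failing verification or someone works around it by disabling verification. The same point applies to the glance, nova, placement, neutron, cinder, horizon, octavia, barbican and magnum hunks that drop `os-public-hostname` later in this diff. The keystone stanza begins above this hunk.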
@@ -143,9 +145,11 @@ num_units: 1 to: [lxd:11] options: - vip: "10.12.4.228 10.12.8.228" - os-public-hostname: glance.omega.dc0.vr0.cloud.neumatrix.local - bindings: *api-bindings + vip: "10.12.4.13 10.12.8.13" # B1 + bindings: # api-bindings + ceph->storage (C2; glance is a Ceph client) + "": metal + public: provider + ceph: storage constraints: arch=amd64 glance-mysql-router: @@ -158,6 +162,9 @@ channel: 2024.1/stable num_units: 1 to: [lxd:8] + options: # B4 amphora-pipeline + use-internal-endpoints: true # use internal (IP) catalog endpoints + use_swift: false # skip swift index; sidesteps radosgw object path for the amphora seed bindings: *internal-bindings constraints: arch=amd64 @@ -173,8 +180,7 @@ options: console-access-protocol: novnc network-manager: Neutron - vip: "10.12.4.232 10.12.8.232" - os-public-hostname: nova.omega.dc0.vr0.cloud.neumatrix.local + vip: "10.12.4.16 10.12.8.16" # B1 bindings: *api-bindings constraints: arch=amd64 @@ -185,15 +191,18 @@ to: ["9", "10", "11"] options: config-flags: default_ephemeral_format=ext4 - enable-live-migration: true + enable-live-migration: true # now genuinely usable -- shared Ceph storage = memory-only migrate (B3) enable-resize: true + libvirt-image-backend: rbd # B3 Ceph-RBD ephemeral: DISK_GB from the Ceph pool, not local fs; unlocks Magnum migration-auth-type: ssh resume-guests-state-on-host-boot: true virt-type: qemu # Testcloud nested-KVM; Roosevelt will use 'kvm' - bindings: *internal-bindings + bindings: # C2 ceph/ceph-access -> storage. OVN-on-data: neutron-plugin -> data + "": metal # puts 'data' in this principal's binding set so ovn-chassis' data + ceph: storage # binding is a valid SUBSET (subordinate subset rule). nova-compute is + ceph-access: storage # bare metal -- enp8s0 (data) is already present, so this only needs + neutron-plugin: data # to satisfy the rule, not provision a NIC. constraints: arch=amd64 - storage: - ephemeral-device: loop,10240M ncc-mysql-router: charm: mysql-router 
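Review bot: The glance hunk (`@@ -143,9 +145,11 @@`) replaces `bindings: *api-bindings` with a hand-written copy of that anchor plus `ceph: storage`, so a later change to `api-bindings` no longer reaches glance and the only remaining link is the comment. The cinder, ceph-radosgw and octavia hunks make the same copy. If the bundle loader in use accepts YAML merge keys, `<<: *api-bindings` followed by the extra endpoint keeps one source of truth; that is worth confirming before relying on it. Otherwise a line such as `# copy of api-bindings -- keep in sync` above each block would flag the drift risk, since a missed update could leave an API endpoint bound to the wrong network space.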
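Review bot: In the nova-compute hunk (`@@ -185,15 +191,18 @@`) the new comment calls live migration genuinely usable, but the new `bindings:` block names only `ceph`, `ceph-access` and `neutron-plugin`, so migration traffic falls through to the `""` default, which is metal. `migration-auth-type: ssh` is the only transport setting visible here, and whether the guest memory stream itself is protected in transit cannot be told from this hunk. I would add a comment above `bindings:` stating which space carries migration traffic and how it is protected, for example `# live-migration traffic: metal ("" default); in-transit protection of the memory stream -- TODO confirm before Roosevelt`. The nova-compute stanza begins above this hunk.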
@@ -206,8 +215,7 @@ num_units: 1 to: [lxd:11] options: - vip: "10.12.4.235 10.12.8.235" - os-public-hostname: placement.omega.dc0.vr0.cloud.neumatrix.local + vip: "10.12.4.19 10.12.8.19" # B1 bindings: *api-bindings constraints: arch=amd64 @@ -229,8 +237,7 @@ enable-ml2-port-security: true flat-network-providers: physnet1 neutron-security-groups: true - vip: "10.12.4.231 10.12.8.231" - os-public-hostname: neutron.omega.dc0.vr0.cloud.neumatrix.local + vip: "10.12.4.15 10.12.8.15" # B1 bindings: *api-bindings constraints: arch=amd64 
@@ -251,26 +258,33 @@ bindings: *internal-bindings constraints: arch=amd64 - # ovn-chassis: subordinate to nova-compute. MAC-based bridge-interface-mappings - # captured from MAAS 2026-05-22 (Bobcat used hardcoded 'enp1s0' — anti-pattern fix). - # The charm picks whichever MAC is found locally per unit; non-matching MACs ignored. + # ovn-chassis: subordinate to nova-compute. MAC-based bridge-interface-mappings captured from + # MAAS 2026-05-22 (Bobcat used hardcoded 'enp1s0' -- anti-pattern fix). The charm picks whichever + # MAC is found locally per unit; non-matching MACs are ignored. ovn-chassis: charm: ovn-chassis channel: 24.03/stable options: ovn-bridge-mappings: physnet1:br-ex + prefer-chassis-as-gw: true # B2 -- elects gateway chassis so tenant routers get external egress bridge-interface-mappings: >- br-ex:52:54:00:3d:fd:54 br-ex:52:54:00:9d:63:77 br-ex:52:54:00:89:7f:ce br-ex:52:54:00:99:fc:c2 + bindings: # OVN-on-data (fidelity): geneve encap onto the data space. + "": metal # 'data' endpoint verified on the charm (was the overlay-suffix bug). + data: data # Prereq: enp8s0 link-subnet to 10.12.12.0/22 (rebuild-prep, machines Ready). - # ovn-chassis-octavia: separate ovn-chassis app, subordinate to octavia. - # No bridge-interface-mappings — matches Bobcat-proven pattern (Octavia mgmt - # traffic rides Neutron tenant overlay; no external physnet bridge needed here). + # ovn-chassis-octavia: separate ovn-chassis app, subordinate to octavia. No bridge-interface-mappings + # and NO prefer-chassis-as-gw -- Octavia mgmt traffic rides the Neutron tenant overlay; it needs no + # external physnet bridge or gateway here. ovn-chassis-octavia: charm: ovn-chassis channel: 24.03/stable + bindings: # OVN-on-data: octavia chassis must share the compute chassis' + "": metal # encap network or cross-chassis geneve tunnels break. The octavia + data: data # CONTAINER gets its data NIC Juju-provisioned at deploy. 
# ===================================================================== # Block Storage: Cinder + cinder-ceph @@ -284,10 +298,12 @@ options: block-device: None glance-api-version: 2 - vip: "10.12.4.226 10.12.8.226" - os-public-hostname: cinder.omega.dc0.vr0.cloud.neumatrix.local - bindings: *api-bindings - constraints: arch=amd64 + vip: "10.12.4.12 10.12.8.12" # B1 + bindings: # api-bindings + ceph -> storage. cinder's container needs a storage NIC + "": metal # for Ceph; binding the regular 'ceph' endpoint provisions it AND puts + public: provider # 'storage' in cinder's binding set, so cinder-ceph's ceph->storage is a + ceph: storage # valid subset (subset rule). cinder:ceph is unrelated here -- cinder-ceph + constraints: arch=amd64 # owns the relation -- but the binding still provisions the NIC. cinder-mysql-router: charm: mysql-router @@ -297,10 +313,16 @@ cinder-ceph: charm: cinder-ceph channel: 2024.1/stable + bindings: # C2: Ceph client traffic -> storage. Subordinate to cinder; the principal + "": metal # (cinder:ceph -> storage) now carries 'storage', so this is a valid + ceph: storage # subset and the shared container gets a 10.12.16.x NIC. # ===================================================================== # Ceph: mon + osd + radosgw (Squid release per D-005) # ===================================================================== + # C2: full network separation via network-space BINDINGS (public/cluster) -- NOT ceph-*-network config, + # which selects the net but never provisions the LXD-contained mon a storage NIC. Hosts carry enp9s0 + # (storage) + enp10s0 (replication); clients bind ceph->storage to reach the Ceph public net. ceph-mon: charm: ceph-mon 
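Review bot: In the cinder hunk (`@@ -284,10 +298,12 @@`) the explanation of the bindings is a single sentence spread across the trailing comments of five consecutive lines, and it ends on `constraints: arch=amd64`, where it reads as a remark about the constraint. I would move the whole explanation into a block comment directly above `bindings:` and leave the key lines bare, or with only a short tag such as `# C2`. The ceph-mon and octavia hunks end their binding comments on the `constraints:` line in the same way, and the nova-compute, ceph-osd and cinder-ceph hunks wrap sentences across unrelated keys. The subset-rule reasoning in these comments is what a later editor needs in order to keep the storage and data separation intact, so it should survive a reorder or removal of any one key line.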
@@ -311,8 +333,11 @@ source: *ceph-source expected-osd-count: 4 monitor-count: 3 - bindings: *internal-bindings # Ceph 'public' here = clients on metal, NOT OS public API - constraints: arch=amd64 + bindings: # C2 -- public BINDING (NOT ceph-public-network config). The config + "": metal # selects the net but does NOT give the LXD-contained mon a storage + public: storage # NIC, so the mon can't listen on 10.12.16.0/22. The binding both + constraints: arch=amd64 # provisions the NIC and sets the Ceph public net. Mons use only the + # public net (no cluster binding needed). ceph-osd: charm: ceph-osd @@ -321,8 +346,11 @@ to: ["8", "9", "10", "11"] options: source: *ceph-source - osd-devices: /dev/vdb # libvirt-attached, MAAS-untracked, wiped 2026-05-22 - bindings: *internal-bindings + osd-devices: /dev/vdb # libvirt-attached, MAAS-untracked, wiped pre-deploy + bindings: # C2 -- public/cluster BINDINGS (NOT ceph-*-network config). Bare-metal + "": metal # OSDs already carry enp9s0 (storage) + enp10s0 (replication); the + public: storage # bindings select them as Ceph public (client) and cluster (OSD-to-OSD + cluster: replication # replication/recovery), and keep parity with ceph-mon's method. constraints: arch=amd64 tags=openstack ceph-radosgw: @@ -332,10 +360,11 @@ to: [lxd:8] options: source: *ceph-source - # v2-deferred: ceph-radosgw HA deferred to v2 per workstream-2 decision. - # vip slot 10.12.4.225 reserved for ceph-radosgw VIP in v2. - # See also commented ceph-radosgw-hacluster app + :ha relation below. - bindings: *api-bindings # radosgw IS externally-facing (S3/Swift API) + vip: "10.12.4.20 10.12.8.20" # B1 -- radosgw HA un-deferred for Roosevelt fidelity (decorative HA on testcloud) + bindings: # api-bindings + mon->storage (C2). radosgw IS externally-facing (S3/Swift API). + "": metal + public: provider + mon: storage constraints: arch=amd64 # ===================================================================== 
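Review bot: The ceph-radosgw hunk (`@@ -332,10 +360,11 @@`) adds a `vip` and replaces `bindings: *api-bindings` with a block that adds `mon: storage`, while the description text added at the top of this diff says `C3 radosgw unchanged (already correct)`. If C3 covers something narrower than the whole application, the description should say so, for instance `C3 radosgw config unchanged; its vip (B1) and mon->storage binding (C2) are new`, assuming that is what C3 means. As written, a reader auditing the externally-facing S3/Swift service could conclude that nothing about it moved in this change-set.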
@@ -349,8 +378,7 @@ to: [lxd:10] options: debug: "false" - vip: "10.12.4.234 10.12.8.234" - os-public-hostname: horizon.omega.dc0.vr0.cloud.neumatrix.local + vip: "10.12.4.18 10.12.8.18" # B1 -- browse HTTPS by IP (B5); ALLOWED_HOSTS must permit the VIP IP (verify at deploy) bindings: *api-bindings constraints: arch=amd64 @@ -362,8 +390,8 @@ # ===================================================================== # Load Balancer: Octavia # ===================================================================== - # CRITICAL: vault:certificates must be in bundle from day-one (post-deploy add - # causes documented apache2/octavia-api masking bug — see test deployment v3 handoff) + # CRITICAL: vault:certificates must be in bundle from day-one (post-deploy add causes the + # documented apache2/octavia-api masking bug -- see test deployment v3 handoff). octavia: charm: octavia @@ -373,6 +401,7 @@ options: debug: false openstack-origin: *openstack-origin + amp-image-tag: octavia-amphora # B4 -- MUST match the tag octavia-diskimage-retrofit stamps # ----- PKI material ------------------------------------------------- # 5 lb-mgmt-* options are supplied via overlays/octavia-pki.yaml # (gitignored). Generated per runbooks/01a-octavia-pki-generation.md. 
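Review bot: The horizon hunk (`@@ -349,8 +378,7 @@`) leaves Host-header handling as an inline reminder, `ALLOWED_HOSTS must permit the VIP IP (verify at deploy)`, with no setting in the bundle that pins it. Under deploy pressure the quickest way to make the dashboard answer on a bare IP is a wildcard, which drops Host-header validation altogether. I would set whichever charm option feeds ALLOWED_HOSTS explicitly in this `options:` block or in the testcloud overlay, listing only `10.12.4.18` and `10.12.8.18`, and shorten the comment to `# B1; allowed hosts pinned to the two VIPs (B5)`. The option name is not visible in this hunk, so confirm it against the charm's config before adding it.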
@@ -380,10 +409,12 @@ # juju deploy ./bundle.yaml \ # --overlay overlays/vr0-dc0-testcloud.yaml \ # --overlay overlays/octavia-pki.yaml - vip: "10.12.4.233 10.12.8.233" - os-public-hostname: octavia.omega.dc0.vr0.cloud.neumatrix.local - bindings: *api-bindings - constraints: arch=amd64 + vip: "10.12.4.17 10.12.8.17" # B1 + bindings: # api-bindings + ovsdb-cms -> data. octavia's CONTAINER needs a data NIC so + "": metal # ovn-chassis-octavia can geneve-encap on the overlay; ovsdb-cms is a + public: provider # REGULAR (octavia<->ovn-central) endpoint -- unused in the amphora-driver + ovsdb-cms: data # setup, so binding it just provisions the NIC AND makes 'data' a valid + constraints: arch=amd64 # subset for the subordinate's data binding (subset rule). octavia-mysql-router: charm: mysql-router @@ -399,6 +430,10 @@ channel: 2024.1/stable options: amp-image-tag: octavia-amphora + use-internal-endpoints: true # B4 -- charm ships FALSE; required so the retrofit glance client uses the internal (IP) endpoint + image-format: raw # B4 -- RAW, not the qcow2 default: glance is Ceph-backed, and the charm + # + Ceph docs recommend raw so RBD can fast-clone the amphora (qcow2 + # forces a convert-on-import and defeats CoW). # ===================================================================== # Secrets: Barbican @@ -411,8 +446,7 @@ to: [lxd:11] options: openstack-origin: *openstack-origin - vip: "10.12.4.224 10.12.8.224" - os-public-hostname: barbican.omega.dc0.vr0.cloud.neumatrix.local + vip: "10.12.4.11 10.12.8.11" # B1 bindings: *api-bindings constraints: arch=amd64 
@@ -426,10 +460,10 @@ channel: 2024.1/stable # ===================================================================== - # Kubernetes-as-a-Service: Magnum (Layer A — CAPI graft is Layer B) + # Kubernetes-as-a-Service: Magnum (Layer A -- CAPI graft is Layer B) # ===================================================================== - # NOTE: After bundle deploys, magnum/0 will show active/idle but CANNOT - # create K8s clusters. Layer B (post-deploy) brings it to life: + # NOTE: After bundle deploys, magnum/0 will show active/idle but CANNOT create K8s clusters. + # Layer B (post-deploy) brings it to life: # 1. capi-mgmt VM with k3s + CAPI operators (runbook 04a) # 2. pip install magnum-capi-helm==1.1.0 into magnum venv (runbook 05) # 3. /etc/magnum/magnum.conf.d/99-capi.conf with enabled_drivers @@ -444,8 +478,7 @@ options: openstack-origin: *openstack-origin region: RegionOne - vip: "10.12.4.230 10.12.8.230" - os-public-hostname: magnum.omega.dc0.vr0.cloud.neumatrix.local + vip: "10.12.4.14 10.12.8.14" # B1 bindings: *api-bindings constraints: arch=amd64 
@@ -459,12 +492,13 @@ channel: 2024.1/stable # ===================================================================== - # HA Cluster Subordinates (11 active for v1; ceph-radosgw + designate deferred to v2) + # HA Cluster Subordinates (11 active for v1: 10 API charms + ceph-radosgw) # ===================================================================== # Channel: 2.4/stable (per Caracal Charm Delivery table, D-002 verified 2026-05-22). - # VIPs allocated from provider /22 range 10.12.4.224-.254 per D-003. - # NetBox IPAddress records queued post-deployment (engineer review pending). - # See workstream-2 decision (2026-05-22). + # cluster_count: 1 (decorative on single-unit testcloud, D-009 / BUNDLEFIX-003). + # VIPs front-loaded into the MAAS-reserved provider/metal /26 per B1 (.2-.63). + # vault-hacluster stays commented (vault single-unit on mysql, C1 / BUNDLEFIX-002). + # designate-hacluster stays deferred (D-019). # keystone-hacluster: { charm: hacluster, channel: 2.4/stable, options: { cluster_count: 1 } } glance-hacluster: { charm: hacluster, channel: 2.4/stable, options: { cluster_count: 1 } } @@ -476,11 +510,10 @@ octavia-hacluster: { charm: hacluster, channel: 2.4/stable, options: { cluster_count: 1 } } barbican-hacluster: { charm: hacluster, channel: 2.4/stable, options: { cluster_count: 1 } } magnum-hacluster: { charm: hacluster, channel: 2.4/stable, options: { cluster_count: 1 } } - # vault-hacluster: { charm: hacluster, channel: 2.4/stable } - # v2-deferred: ceph-radosgw-hacluster: { charm: hacluster, channel: 2.4/stable } + ceph-radosgw-hacluster: { charm: hacluster, channel: 2.4/stable, options: { cluster_count: 1 } } # B1 -- un-deferred + # vault-hacluster: { charm: hacluster, channel: 2.4/stable } # C1: vault single-unit on mysql; HA at Roosevelt # v2-deferred (D-019): designate-hacluster: { charm: hacluster, channel: 2.4/stable } - # memcached: nova-cloud-controller token/cell caching (BUNDLEFIX-004) memcached: charm: memcached 
@@ -493,13 +526,11 @@ relations: - [nova-cloud-controller:memcache, memcached:cache] - # ---- Vault HA backend chain (NEW for Caracal v1; chicken-and-egg via easyrsa) - - [easyrsa:client, etcd:certificates] # easyrsa issues etcd TLS one-time - - [vault:etcd, etcd:db] # vault uses etcd as HA backend + # ---- Vault (single unit, MySQL storage backend via vault-mysql-router; C1 -- etcd+easyrsa removed) - [vault-mysql-router:db-router, mysql-innodb-cluster:db-router] - [vault:shared-db, vault-mysql-router:shared-db] - [mysql-innodb-cluster:certificates, vault:certificates] - # - [vault:ha, vault-hacluster:ha] + # - [vault:ha, vault-hacluster:ha] # vault de-HA'd on testcloud (C1/BUNDLEFIX-002); HA backend a Roosevelt item # ---- Keystone (identity, hub of all OS service relations) - [keystone-mysql-router:db-router, mysql-innodb-cluster:db-router] @@ -576,7 +607,7 @@ - [ceph-radosgw:mon, ceph-mon:radosgw] - [ceph-radosgw:identity-service, keystone:identity-service] - [ceph-radosgw:certificates, vault:certificates] - # v2-deferred: - [ceph-radosgw:ha, ceph-radosgw-hacluster:ha] + - [ceph-radosgw:ha, ceph-radosgw-hacluster:ha] # B1 -- un-deferred # ---- OpenStack Dashboard (Horizon) - [dashboard-mysql-router:db-router, mysql-innodb-cluster:db-router] @@ -586,7 +617,7 @@ - [openstack-dashboard:ha, openstack-dashboard-hacluster:ha] # ---- Octavia (LBaaS) - # CRITICAL: octavia:certificates ↔ vault:certificates MUST be present at deploy time + # CRITICAL: octavia:certificates <-> vault:certificates MUST be present at deploy time - [octavia-mysql-router:db-router, mysql-innodb-cluster:db-router] - [octavia-mysql-router:shared-db, octavia:shared-db] - [octavia:identity-service, keystone:identity-service]