diff --git a/runbooks/phase-06-incloud-mgmt-cluster.md b/runbooks/phase-06-incloud-mgmt-cluster.md index 115ca2f..da84bd5 100644 --- a/runbooks/phase-06-incloud-mgmt-cluster.md +++ b/runbooks/phase-06-incloud-mgmt-cluster.md 
@@ -68,36 +68,45 @@ the stored disk_format lands `raw` on the redeploy (expected; D-021 Ceph fast-clone alignment). -LIVE-REVIEW (two as-built facts not in the record -- capture from the OLD cloud -BEFORE teardown if still possible): `openstack project show capi-mgmt -f yaml` -(the project's domain) and `openstack image show ubuntu-24.04-noble -f yaml` -(visibility). The block below defaults the domain from the admin token and lets -glance default visibility (the 06-08 import landed `shared` with no flag); if 6.2 -later fails image-not-found under capi-mgmt scope, `openstack image set --public -ubuntu-24.04-noble` is the one-line repair. +AS-BUILT FACTS (verified live 2026-06-10 pre-teardown; supersede the rebuild +handoff, which wrongly placed capi-mgmt in admin_domain): project `capi-mgmt` +lives in domain `capi` ("CAPI/Magnum workload identity"); the noble image is +`public` with os_distro/os_version properties; admin@admin_domain holds `member` +(not admin) on the project. NOTE -- the old static CAPO identity (user `capo`, +its app-cred, `capo-clouds.yaml`) is a FOSSIL of the retired D-033 out-of-cloud +path and is deliberately NOT recreated: the current architecture needs no static +cloud credential (`clusterctl init` takes none; per-cluster creds are +magnum-minted at create time per D-039). 
```bash ( { set -u source ~/admin-openrc - echo "=== project capi-mgmt (verify-or-create) ===" - PROJ_DOMAIN="${OS_PROJECT_DOMAIN_NAME:-default}" # LIVE-REVIEW: as-built domain - openstack project show capi-mgmt >/dev/null 2>&1 \ + echo "=== domain capi (verify-or-create; as-built: 'CAPI/Magnum workload identity', NOT Juju-created) ===" + PROJ_DOMAIN="capi" # as-built, verified live 2026-06-10 + openstack domain show "$PROJ_DOMAIN" >/dev/null 2>&1 \ + && echo "[SKIP] domain $PROJ_DOMAIN exists" \ + || { openstack domain create --description "CAPI/Magnum workload identity" "$PROJ_DOMAIN" >/dev/null \ + && echo "[OK] domain $PROJ_DOMAIN"; } + + echo "=== project capi-mgmt in domain $PROJ_DOMAIN (verify-or-create) ===" + openstack project show capi-mgmt --domain "$PROJ_DOMAIN" >/dev/null 2>&1 \ && echo "[SKIP] project capi-mgmt exists" \ - || { openstack project create --domain "$PROJ_DOMAIN" capi-mgmt >/dev/null \ + || { openstack project create --domain "$PROJ_DOMAIN" \ + --description "CAPI management project" capi-mgmt >/dev/null \ && echo "[OK] project capi-mgmt (domain $PROJ_DOMAIN)"; } - echo "=== role: let $OS_USERNAME scope to capi-mgmt (OS_PROJECT_ID blocks in 6.x/7.8/8.x) ===" + echo "=== role: $OS_USERNAME gets MEMBER on capi-mgmt (as-built grant; OS_PROJECT_ID blocks in 6.x/7.8/8.x) ===" openstack role assignment list --user "$OS_USERNAME" --user-domain "$OS_USER_DOMAIN_NAME" \ --project capi-mgmt --project-domain "$PROJ_DOMAIN" -f value 2>/dev/null | grep -q . 
\ && echo "[SKIP] role assignment present" \ || { openstack role add --user "$OS_USERNAME" --user-domain "$OS_USER_DOMAIN_NAME" \ - --project capi-mgmt --project-domain "$PROJ_DOMAIN" admin \ - && echo "[OK] admin role on capi-mgmt"; } + --project capi-mgmt --project-domain "$PROJ_DOMAIN" member \ + && echo "[OK] member role on capi-mgmt"; } - echo "=== flavors (as-built specs; public) ===" + echo "=== flavors (as-built specs; public -- verified live 2026-06-10 pre-teardown) ===" for spec in "gp.large 4 16384 80" "gp.mid 2 8192 40" "capi.node 2 4096 40" \ - "gp.small 1 2048 20" "m1.lbtest 1 1024 4"; do + "gp.small 1 4096 20" "m1.lbtest 1 1024 4"; do set -- $spec openstack flavor show "$1" >/dev/null 2>&1 \ && echo "[SKIP] flavor $1 exists" \ @@ -115,8 +124,12 @@ --import-method glance-direct \ --file "$SRC" \ --container-format bare --disk-format qcow2 \ + --visibility public \ + --property os_distro=ubuntu --property os_version=24.04 \ --name ubuntu-24.04-noble fi + # as-built (verified live 2026-06-10): visibility=public, os_distro=ubuntu, os_version=24.04, + # stored raw in Ceph via the bundle's glance image-conversion=true. echo "=== poll to active (import + conversion) ===" for i in $(seq 1 40); do ST=$(openstack image show ubuntu-24.04-noble -f value -c status 2>/dev/null || echo '?')
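Review bot: in the role step of the first hunk (`@@ -68,36 +68,45 @@`), the guard `openstack role assignment list ... -f value 2>/dev/null | grep -q .` is not filtered by role, so any existing assignment for `$OS_USERNAME` on capi-mgmt prints "[SKIP] role assignment present" without confirming it is `member`. An `admin` grant created by the earlier version of this block would pass the check and stay in place, which contradicts the as-built note that the user holds `member` (not admin). Suggest adding `--role member` to the list call so the skip matches what the echo claims, and reporting any `admin` assignment found on the project instead of leaving it silently. The flavor loop has the same skip-on-exists shape: a `gp.small` that already exists with 2048 MB is skipped rather than brought to the 4096 now in the spec, so either note that in the echo or compare the RAM value before skipping.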
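Review bot: in the second hunk (`@@ -115,8 +124,12 @@`), `--visibility public` and the two `--property` flags are added only inside the branch that closes at `fi`, while the new comment after `fi` states visibility=public, os_distro=ubuntu and os_version=24.04 as fact. When that branch is not taken, nothing sets or checks these values, and the text removed in the first hunk records that an earlier import landed `shared` with no flag. Suggest reading `openstack image show ubuntu-24.04-noble -f value -c visibility` after `fi` and either failing or running `openstack image set --public ubuntu-24.04-noble` when the result is not `public`, so the comment is backed by a check. A one-line rationale for `public` over sharing the image with capi-mgmt alone would also help, since `public` makes the image visible to every project in the cloud.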