diff --git a/bundle.yaml b/bundle.yaml index 3bdd9d4..5504d05 100644 --- a/bundle.yaml +++ b/bundle.yaml @@ -94,10 +94,9 @@ channel: 1.8/stable num_units: 1 # 3 on Roosevelt (D-009) to: [lxd:11] - options: {} - # TODO(netbox): uncomment vip + vault-hacluster app + :ha relation - # atomically once provider VIP is allocated from 10.12.4.224-.254 - # vip: 10.12.4. + options: + vip: 10.12.4.236 + os-public-hostname: vault.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 @@ -132,9 +131,9 @@ channel: 2024.1/stable num_units: 1 # 3 on Roosevelt (D-009) to: [lxd:8] - options: {} - # TODO(netbox): vip + keystone-hacluster + :ha relation atomic uncomment - # vip: 10.12.4. + options: + vip: 10.12.4.229 + os-public-hostname: keystone.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 @@ -151,8 +150,9 @@ channel: 2024.1/stable num_units: 1 to: [lxd:11] - options: {} - # TODO(netbox): vip + glance-hacluster + :ha relation + options: + vip: 10.12.4.228 + os-public-hostname: glance.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 @@ -180,7 +180,8 @@ options: console-access-protocol: novnc network-manager: Neutron - # TODO(netbox): vip + nova-cloud-controller-hacluster + :ha relation + vip: 10.12.4.232 + os-public-hostname: nova.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 @@ -210,8 +211,9 @@ channel: 2024.1/stable num_units: 1 to: [lxd:11] - options: {} - # TODO(netbox): vip + placement-hacluster + :ha relation + options: + vip: 10.12.4.235 + os-public-hostname: placement.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 
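Review bot: `os-public-hostname: vault.omega.dc0.vr0.cloud.neumatrix.local` is added under the vault application's options, but `os-public-hostname` is an option of the OpenStack API charms and, as far as I can tell, not one the vault charm declares; Juju refuses to deploy a bundle that sets an option the charm does not know, which would fail this whole rebuild rather than just vault. Verify with `juju info vault --channel 1.8/stable` before deploying; if the intent is for the Vault-issued server certificate and client URL to carry that name, look at the vault charm's own `dns-domain`/hostname-style options instead, since `vip: 10.12.4.236` alone is all hacluster needs. The same one-line check is worth running for every `os-public-hostname` added in this commit, because a single unknown option aborts the deploy. The vault application's definition starts outside this hunk.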
@@ -232,7 +234,8 @@ enable-ml2-port-security: true flat-network-providers: physnet1 neutron-security-groups: true - # TODO(netbox): vip + neutron-api-hacluster + :ha relation + vip: 10.12.4.231 + os-public-hostname: neutron.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 @@ -285,7 +288,8 @@ options: block-device: None glance-api-version: 2 - # TODO(netbox): vip + cinder-hacluster + :ha relation + vip: 10.12.4.226 + os-public-hostname: cinder.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 storage: @@ -339,7 +343,9 @@ to: [lxd:8] options: source: *ceph-source - # TODO(netbox): vip + ceph-radosgw-hacluster + :ha relation + # v2-deferred: ceph-radosgw HA deferred to v2 per workstream-2 decision. + # vip slot 10.12.4.225 reserved for ceph-radosgw VIP in v2. + # See also commented ceph-radosgw-hacluster app + :ha relation below. bindings: *api-bindings # radosgw IS externally-facing (S3/Swift API) constraints: arch=amd64 @@ -354,7 +360,8 @@ to: [lxd:10] options: debug: "false" - # TODO(netbox): vip + openstack-dashboard-hacluster + :ha relation + vip: 10.12.4.234 + os-public-hostname: horizon.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 @@ -388,7 +395,8 @@ # lb-mgmt-issuing-ca-key-passphrase: # lb-mgmt-issuing-ca-private-key: # lb-mgmt-issuing-cacert: - # TODO(netbox): vip + octavia-hacluster + :ha relation + vip: 10.12.4.233 + os-public-hostname: octavia.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 @@ -417,7 +425,8 @@ to: [lxd:11] options: openstack-origin: *openstack-origin - # TODO(netbox): vip + barbican-hacluster + :ha relation + vip: 10.12.4.224 + os-public-hostname: barbican.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 
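Review bot: `vip: 10.12.4.231` and the other API VIPs in this commit are carved from the same provider /22 that, per the new docs file, also carries the Neutron floating-IP pool, so if that subnet is one L2 segment on `physnet1` a tenant port could claim or ARP-spoof a control-plane VIP unless two controls hold: `enable-ml2-port-security: true` (visible in this hunk's context) stays on so anti-spoofing rules apply to tenant ports, and the provider subnet's `allocation_pools` exclude `10.12.4.224-10.12.4.254`. Only the docs assert the second; nothing in the bundle enforces it, so I'd pin it beside the VIP with `# VIP range .224-.254 MUST be excluded from the provider subnet allocation_pools (docs/netbox-vip-queue.md)` and treat the runbook step that creates the subnet as a gate before the first FIP is handed out. The neutron-api application's definition starts outside this hunk.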
@@ -448,7 +457,8 @@ options: openstack-origin: *openstack-origin region: RegionOne - # TODO(netbox): vip + magnum-hacluster + :ha relation + vip: 10.12.4.230 + os-public-hostname: magnum.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 @@ -474,7 +484,8 @@ openstack-origin: *openstack-origin # TODO(d008): set nameservers per omega.dc0.vr0 zone before deploy # nameservers: "ns1.omega.dc0.vr0.cloud.neumatrix.local. ns2.omega.dc0.vr0.cloud.neumatrix.local." - # TODO(netbox): vip + designate-hacluster + :ha relation + vip: 10.12.4.227 + os-public-hostname: designate.omega.dc0.vr0.cloud.neumatrix.local bindings: *api-bindings constraints: arch=amd64 
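Review bot: `os-public-hostname: designate.omega.dc0.vr0.cloud.neumatrix.local` (and its twelve siblings in this commit) only works if those names resolve to the VIPs for every client and for the hostname checks against the Vault-issued certificates, yet the line just above still carries `# TODO(d008): set nameservers … before deploy`; Designate cannot serve a record for its own API hostname before it exists, so these A records must live in an external resolver the undercloud and clients already use, not in the `omega.dc0.vr0` zone Designate will later host. Without them the Keystone catalog advertises unresolvable endpoints and the usual operator workaround is disabling TLS verification, which throws away what the `certificates` relations buy. I'd add `# A records for the *.omega.dc0.vr0.cloud.neumatrix.local VIPs must exist in the upstream resolver before deploy — designate cannot bootstrap its own API hostname` above the `vip:` line. The designate application's definition starts outside this hunk.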
@@ -491,25 +502,26 @@ constraints: arch=amd64 # ===================================================================== - # HA Cluster Subordinates (COMMENTED until NetBox VIP allocations) + # HA Cluster Subordinates (12 active for v1; ceph-radosgw deferred to v2) # ===================================================================== - # Channel: 2.4/stable (per Caracal Charm Delivery table, corrected from D-002). - # Uncomment EACH block (hacluster app + corresponding :ha relation + principal vip) - # ATOMICALLY when its VIP is allocated. 13 hacluster subordinates total per D-009. + # Channel: 2.4/stable (per Caracal Charm Delivery table, D-002 verified 2026-05-22). + # VIPs allocated from provider /22 range 10.12.4.224-.254 per D-003. + # NetBox IPAddress records queued post-deployment (engineer review pending). + # See workstream-2 decision (2026-05-22). # - # keystone-hacluster: { charm: hacluster, channel: 2.4/stable } - # glance-hacluster: { charm: hacluster, channel: 2.4/stable } - # neutron-api-hacluster: { charm: hacluster, channel: 2.4/stable } - # nova-cloud-controller-hacluster: { charm: hacluster, channel: 2.4/stable } - # placement-hacluster: { charm: hacluster, channel: 2.4/stable } - # openstack-dashboard-hacluster: { charm: hacluster, channel: 2.4/stable } - # cinder-hacluster: { charm: hacluster, channel: 2.4/stable } - # octavia-hacluster: { charm: hacluster, channel: 2.4/stable } - # barbican-hacluster: { charm: hacluster, channel: 2.4/stable } - # magnum-hacluster: { charm: hacluster, channel: 2.4/stable } - # vault-hacluster: { charm: hacluster, channel: 2.4/stable } - # ceph-radosgw-hacluster: { charm: hacluster, channel: 2.4/stable } - # designate-hacluster: { charm: hacluster, channel: 2.4/stable } + keystone-hacluster: { charm: hacluster, channel: 2.4/stable } + glance-hacluster: { charm: hacluster, channel: 2.4/stable } + neutron-api-hacluster: { charm: hacluster, channel: 2.4/stable } + nova-cloud-controller-hacluster: { charm: hacluster, 
channel: 2.4/stable } + placement-hacluster: { charm: hacluster, channel: 2.4/stable } + openstack-dashboard-hacluster: { charm: hacluster, channel: 2.4/stable } + cinder-hacluster: { charm: hacluster, channel: 2.4/stable } + octavia-hacluster: { charm: hacluster, channel: 2.4/stable } + barbican-hacluster: { charm: hacluster, channel: 2.4/stable } + magnum-hacluster: { charm: hacluster, channel: 2.4/stable } + vault-hacluster: { charm: hacluster, channel: 2.4/stable } + # v2-deferred: ceph-radosgw-hacluster: { charm: hacluster, channel: 2.4/stable } + designate-hacluster: { charm: hacluster, channel: 2.4/stable } relations: @@ -519,20 +531,20 @@ - [vault-mysql-router:db-router, mysql-innodb-cluster:db-router] - [vault:shared-db, vault-mysql-router:shared-db] - [mysql-innodb-cluster:certificates, vault:certificates] - # TODO(netbox): - [vault:ha, vault-hacluster:ha] + - [vault:ha, vault-hacluster:ha] # ---- Keystone (identity, hub of all OS service relations) - [keystone-mysql-router:db-router, mysql-innodb-cluster:db-router] - [keystone-mysql-router:shared-db, keystone:shared-db] - [keystone:certificates, vault:certificates] - # TODO(netbox): - [keystone:ha, keystone-hacluster:ha] + - [keystone:ha, keystone-hacluster:ha] # ---- Glance (image) - [glance-mysql-router:db-router, mysql-innodb-cluster:db-router] - [glance-mysql-router:shared-db, glance:shared-db] - [glance:identity-service, keystone:identity-service] - [glance:certificates, vault:certificates] - # TODO(netbox): - [glance:ha, glance-hacluster:ha] + - [glance:ha, glance-hacluster:ha] # ---- Glance simplestreams sync (Octavia amphora pipeline source) - [glance-simplestreams-sync:identity-service, keystone:identity-service] 
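Review bot: Every principal these twelve hacluster subordinates attach to runs with `num_units: 1` (the `# 3 on Roosevelt (D-009)` comments mark that reduction), and the subordinate entries set only `charm` and `channel`; if the 2.4/stable hacluster charm still defaults `cluster_count` to 3, each one blocks waiting for two more peers and none of the VIPs in this commit ever comes up. Set it explicitly, e.g. `keystone-hacluster: { charm: hacluster, channel: 2.4/stable, options: { cluster_count: 1 } }`, for each entry. While touching the options, supply a per-deployment `corosync_key` from an overlay or secret store rather than relying on the charm default, which last I checked is a well-known value that lets anything reachable on the corosync network join the cluster. The section comment should also state that a one-node Pacemaker cluster gives a stable address but no failover, so HA here is nominal until D-009's three units land. The `applications` mapping these entries belong to starts outside this hunk.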
@@ -548,7 +560,7 @@ - [nova-cloud-controller:cloud-compute, nova-compute:cloud-compute] - [nova-cloud-controller:cinder-volume-service, cinder:cinder-volume-service] - [nova-cloud-controller:certificates, vault:certificates] - # TODO(netbox): - [nova-cloud-controller:ha, nova-cloud-controller-hacluster:ha] + - [nova-cloud-controller:ha, nova-cloud-controller-hacluster:ha] # ---- Nova compute - [nova-compute:amqp, rabbitmq-server:amqp] @@ -560,7 +572,7 @@ - [placement:identity-service, keystone:identity-service] - [placement:placement, nova-cloud-controller:placement] - [placement:certificates, vault:certificates] - # TODO(netbox): - [placement:ha, placement-hacluster:ha] + - [placement:ha, placement-hacluster:ha] # ---- Neutron API + OVN - [neutron-api-mysql-router:db-router, mysql-innodb-cluster:db-router] @@ -575,7 +587,7 @@ - [ovn-chassis:ovsdb, ovn-central:ovsdb] - [ovn-chassis:nova-compute, nova-compute:neutron-plugin] - [ovn-chassis:certificates, vault:certificates] - # TODO(netbox): - [neutron-api:ha, neutron-api-hacluster:ha] + - [neutron-api:ha, neutron-api-hacluster:ha] # ---- Cinder + cinder-ceph - [cinder-mysql-router:db-router, mysql-innodb-cluster:db-router] @@ -587,7 +599,7 @@ - [cinder-ceph:storage-backend, cinder:storage-backend] - [cinder-ceph:ceph, ceph-mon:client] - [cinder-ceph:ceph-access, nova-compute:ceph-access] - # TODO(netbox): - [cinder:ha, cinder-hacluster:ha] + - [cinder:ha, cinder-hacluster:ha] # ---- Ceph mon + osd + radosgw - [ceph-mon:osd, ceph-osd:mon] 
@@ -596,14 +608,14 @@ - [ceph-radosgw:mon, ceph-mon:radosgw] - [ceph-radosgw:identity-service, keystone:identity-service] - [ceph-radosgw:certificates, vault:certificates] - # TODO(netbox): - [ceph-radosgw:ha, ceph-radosgw-hacluster:ha] + # v2-deferred: - [ceph-radosgw:ha, ceph-radosgw-hacluster:ha] # ---- OpenStack Dashboard (Horizon) - [dashboard-mysql-router:db-router, mysql-innodb-cluster:db-router] - [dashboard-mysql-router:shared-db, openstack-dashboard:shared-db] - [openstack-dashboard:identity-service, keystone:identity-service] - [openstack-dashboard:certificates, vault:certificates] - # TODO(netbox): - [openstack-dashboard:ha, openstack-dashboard-hacluster:ha] + - [openstack-dashboard:ha, openstack-dashboard-hacluster:ha] # ---- Octavia (LBaaS) # CRITICAL: octavia:certificates ↔ vault:certificates MUST be present at deploy time @@ -620,7 +632,7 @@ # Octavia amphora image pipeline - [octavia-diskimage-retrofit:juju-info, glance-simplestreams-sync:juju-info] - [octavia-diskimage-retrofit:identity-credentials, keystone:identity-credentials] - # TODO(netbox): - [octavia:ha, octavia-hacluster:ha] + - [octavia:ha, octavia-hacluster:ha] # ---- Barbican (secrets) - [barbican-mysql-router:db-router, mysql-innodb-cluster:db-router] @@ -631,7 +643,7 @@ - [barbican:secrets, barbican-vault:secrets] - [barbican-vault:certificates, vault:certificates] - [barbican-vault:secrets-storage, vault:secrets] - # TODO(netbox): - [barbican:ha, barbican-hacluster:ha] + - [barbican:ha, barbican-hacluster:ha] # ---- Magnum (Layer A only; CAPI graft is Layer B/runbook 05) - [magnum-mysql-router:db-router, mysql-innodb-cluster:db-router] 
@@ -640,7 +652,7 @@ - [magnum:amqp, rabbitmq-server:amqp] - [magnum:certificates, vault:certificates] - [magnum-dashboard:dashboard, openstack-dashboard:dashboard-plugin] - # TODO(netbox): - [magnum:ha, magnum-hacluster:ha] + - [magnum:ha, magnum-hacluster:ha] # ---- Designate (DNS) — NEW for Caracal v1 per D-008 - [designate-mysql-router:db-router, mysql-innodb-cluster:db-router] @@ -649,4 +661,4 @@ - [designate:amqp, rabbitmq-server:amqp] - [designate:certificates, vault:certificates] - [designate:dns-backend, designate-bind:dns-backend] - # TODO(netbox): - [designate:ha, designate-hacluster:ha] + - [designate:ha, designate-hacluster:ha] diff --git a/docs/netbox-vip-queue.md b/docs/netbox-vip-queue.md new file mode 100644 index 0000000..f7c0638 --- /dev/null +++ b/docs/netbox-vip-queue.md 
@@ -0,0 +1,102 @@ +# Post-deployment NetBox VIP imports (queued from workstream 2) + +**Status:** Queued. To be imported after successful cloud deployment + validation, +once `netbox/ipv4-prefixes-import.py` engineer review unblocks the Provider /22 +prefix import. + +**Background:** Per D-010 (NetBox-upstream policy), IPAM entries should exist in +NetBox before being written into IaC. For v1 testcloud, this rule was relaxed +under workstream 2 (2026-05-22) to avoid blocking the rebuild on the engineer +review. VIPs were written into `bundle.yaml` directly. This document captures +the corresponding NetBox writes that need to happen post-deploy. + +**Scope:** v1 only (IPv4). v2 IPv6 VIPs are out of scope. + +--- + +## Provider prefix (parent — gating) + +Before any IPAddress entries can be created, the parent prefix must exist: + +| Prefix | Site | Role | Status | +|---|---|---|---| +| `10.12.4.0/22` | VR0 DC0 | provider | Active | + +Created by: `netbox/ipv4-prefixes-import.py` (per D-010, gated on engineer review). + +--- + +## VIP IPAddress entries + +All entries under prefix `10.12.4.0/22`, tenant scope = VR0 DC0 Omega Cloud (or +appropriate testcloud tenant convention). 
+ +| IP | Status | DNS name | Description | +|---|---|---|---| +| `10.12.4.224/22` | Active | `barbican.omega.dc0.vr0.cloud.neumatrix.local` | barbican API VIP — Charmed OpenStack hacluster | +| `10.12.4.225/22` | Reserved | — | RESERVED for ceph-radosgw HA VIP in v2 (workstream-2 decision; ceph-radosgw HA deferred to v2) | +| `10.12.4.226/22` | Active | `cinder.omega.dc0.vr0.cloud.neumatrix.local` | cinder API VIP — Charmed OpenStack hacluster | +| `10.12.4.227/22` | Active | `designate.omega.dc0.vr0.cloud.neumatrix.local` | designate API VIP — Charmed OpenStack hacluster | +| `10.12.4.228/22` | Active | `glance.omega.dc0.vr0.cloud.neumatrix.local` | glance API VIP — Charmed OpenStack hacluster | +| `10.12.4.229/22` | Active | `keystone.omega.dc0.vr0.cloud.neumatrix.local` | keystone API VIP — Charmed OpenStack hacluster | +| `10.12.4.230/22` | Active | `magnum.omega.dc0.vr0.cloud.neumatrix.local` | magnum API VIP — Charmed OpenStack hacluster | +| `10.12.4.231/22` | Active | `neutron.omega.dc0.vr0.cloud.neumatrix.local` | neutron-api API VIP — Charmed OpenStack hacluster | +| `10.12.4.232/22` | Active | `nova.omega.dc0.vr0.cloud.neumatrix.local` | nova-cloud-controller API VIP — Charmed OpenStack hacluster | +| `10.12.4.233/22` | Active | `octavia.omega.dc0.vr0.cloud.neumatrix.local` | octavia API VIP — Charmed OpenStack hacluster | +| `10.12.4.234/22` | Active | `horizon.omega.dc0.vr0.cloud.neumatrix.local` | openstack-dashboard (Horizon) VIP — Charmed OpenStack hacluster | +| `10.12.4.235/22` | Active | `placement.omega.dc0.vr0.cloud.neumatrix.local` | placement API VIP — Charmed OpenStack hacluster | +| `10.12.4.236/22` | Active | `vault.omega.dc0.vr0.cloud.neumatrix.local` | vault VIP — Charmed Vault hacluster (D-006) | + +**Notes:** + +- Mask is `/22` (the parent prefix mask), not `/32` — NetBox convention for + endpoint IP addresses within a prefix. +- The Reserved slot at `.225` documents the v2 intent without consuming an + active allocation. 
When v2 work brings ceph-radosgw HA online, this entry's + Status flips Reserved → Active and the bundle's `# v2-deferred:` markers are + uncommented. +- `nova-cloud-controller` charm → DNS short name `nova` (catalog service name, + not charm name). +- `openstack-dashboard` charm → DNS short name `horizon` (project name). +- `neutron-api` charm → DNS short name `neutron`. + +--- + +## FIP pool — for completeness (not part of workstream 2) + +Per D-003, the Provider /22 also carries the Neutron FIP pool. These are NOT +individual IPAddress entries; they're modeled as an IP Range under the prefix: + +| Range | Purpose | +|---|---| +| `10.12.4.10 – 10.12.4.223` | Neutron FIP pool (created by `ipv4-prefixes-import.py`) | +| `10.12.4.224 – 10.12.4.254` | API VIP pool (the 13 entries above + future) | + +Neutron `allocation_pools` for the provider subnet MUST exclude `.224–.254` — +this is enforced in `runbooks/06-tenant-setup.md` (or wherever the provider +subnet is created). + +--- + +## Execution path (when unblocked) + +1. Confirm engineer review of `netbox/ipv4-prefixes-import.py` has signed off. +2. Run `netbox/ipv4-prefixes-import.py` — creates the Provider /22 prefix + FIP + IP Range + API VIP IP Range. +3. Add the 13 IPAddress entries from the table above. Two paths: + - **Web UI:** Per-entry manual creation. Tedious but reviewable. + - **API/script:** Extend `ipv4-prefixes-import.py` with a VIP-addresses + section, OR write a separate `netbox/ipv4-vips-import.py` that reads + this document (or a YAML/CSV companion). Idempotent (skip-if-exists). +4. Sanity check: NetBox prefix view of `10.12.4.0/22` shows all 13 entries. +5. Cross-check: every active VIP in `bundle.yaml` has a matching Active + entry in NetBox; the Reserved entry at `.225` has no corresponding bundle + entry (v2-deferred). + +--- + +## Change log + +| Date | Change | Reference | +|---|---|---| +| 2026-05-22 | Document created. 12 active VIP allocations queued + 1 v2-reserved slot. 
| Workstream 2 — VIP allocation + hacluster activation |