diff --git a/bundle.yaml b/bundle.yaml index 731359a..3bdd9d4 100644 --- a/bundle.yaml +++ b/bundle.yaml @@ -1,48 +1,652 @@ -# Charmed OpenStack Caracal (2024.1) bundle for VR0 DC0 Omega Cloud -# -# STATUS: PLACEHOLDER — drafting begins after NetBox IPv4 import completes. -# -# This file will contain the canonical Juju bundle. The overlay -# (overlays/vr0-dc0-testcloud.yaml) will pin testcloud-specific values -# (num_units, machine constraints). -# -# Source-of-truth references (per D-010): -# - Channel pins per D-002 (channel matrix) -# - VIPs from NetBox VR0 DC0 Provider /22 API VIP range (10.12.4.224-.254) -# and IPv6 Provider API VIP /64 (2602:f3e2:e02:11::/64) -# - Hostnames per D-008 DNS convention -# (.omega.dc0.vr0.cloud.neumatrix.local) -# - Endpoint bindings per D-003 Option B -# -# Expected sections (final ordering when drafted): -# - name, description, series -# - variables (anchors for shared values) -# - machines (TBD post-MAAS inventory) -# - applications (Charmed OpenStack services + subordinates) -# - relations (per the documented Caracal relation graph) -# -# Required relations to verify before drafting: -# - keystone <-> mysql-router <-> mysql-innodb-cluster -# - keystone <-> vault:certificates -# - Each API charm <-> hacluster + vault:certificates (D-009) -# - Octavia <-> ovn-chassis-octavia (its OWN subordinate, NOT main ovn-chassis) -# - Barbican <-> barbican-vault <-> vault:secrets -# - Magnum: shared-db (with colon — see known bugs in design-decisions.md) -# - Vault HA: vault:ha <-> vault-hacluster:ha; etcd:db <-> vault:etcd; -# etcd:certificates <-> easyrsa:client (D-006) -# - Designate (D-008): standard keystone/mysql-router/rabbit + dns-mdns/dns-frontend -# -# Known anti-patterns to avoid (from docs/design-decisions.md): -# - magnum-shared-db missing colon (deploy-blocker) -# - empty/shared osd-devices YAML anchor (deploy-blocker; not applicable -# at testcloud scale but pattern matters for Roosevelt) -# - ovn-chassis binding `overlay-suffix` (invalid; use `data`) -# - hardcoded NIC names in bridge-interface-mappings -# - GUI annotation collisions -# -# TODO before drafting: -# - [ ] NetBox IPv4 prefixes imported (netbox/ipv4-prefixes-import.py) -# - [ ] NetBox VLANs imported (netbox/vlans-import.py) -# - [ ] MAAS hardware inventory of openstack0-3 (NIC names, disk paths) -# - [ ] Decide MAAS tags for testcloud machines -# - [ ] Verify Caracal channel matrix on Charmhub (D-002) is current +# ============================================================ +# Caracal 2024.1 — VR0 DC0 Omega Cloud testcloud rebuild bundle +# ============================================================ +# Generated: 2026-05-22 +# Replaces: bundle-pre-destroy.yaml (Bobcat 2023.2) +# Charm channels: verified against Charmhub 2026-05-22 (see Caracal_Rebuild handoff D-002) +# Bindings: public:provider, else:metal for API charms; all-metal for backend charms +# HA chain: ALL hacluster subordinates + vip configs + :ha relations COMMENTED OUT +# until NetBox VIP allocations land in 10.12.4.224-.254 +# Vault HA: etcd backend + easyrsa CA bootstrap live; vault-hacluster commented +# Magnum: Layer A only — CAPI driver graft is Layer B (runbooks/04a + 05) +# Octavia: lb-mgmt PKI options present but VALUES commented out — source from +# either Bobcat backup (~/backups/pre-caracal-destroy-2026-05-22/) +# or fresh octavia-cert-runbook (TBD) +# OVN tunnels: remain on metal space (Bobcat-proven); enp8s0 3_data v2 improvement +# Resources: omitted — let charms use latest available resource revisions +# ============================================================ + +name: vr0-dc0-omega-caracal-testcloud +description: | + Charmed OpenStack Caracal (2024.1) on Ubuntu 22.04 LTS (Jammy) deployed via Juju 3.6 bundle + against MAAS-managed VMs (openstack0-3, virsh). + Decisions referenced (see Caracal_Rebuild handoff): + D-001 Path 2A (Juju-bundle paradigm) + D-002 channel matrix + D-003 Option B (provider /22 carries FIPs + API VIPs) + D-005 Ceph Squid + D-006 Vault HA via etcd + easyrsa + D-007 Magnum Layer A + Layer B graft + D-008 Designate day-one + D-009 hacluster subordinates (decorative on testcloud) + D-016 IPv4-only v1 + D-018 MAAS-release-direct teardown + +default-base: ubuntu@22.04/stable + +variables: + # ----- UCA pocket + Ceph source ---------------------------------------------- + openstack-origin: &openstack-origin cloud:jammy-caracal + ceph-source: &ceph-source cloud:jammy-caracal + + # ----- Bindings for external-API-facing charms (public on provider) ---------- + api-bindings: &api-bindings + "": metal + public: provider + admin: metal + internal: metal + shared-db: metal + amqp: metal + certificates: metal + cluster: metal + ha: metal + + # ----- Bindings for backend / internal-only charms (all metal) --------------- + # Used for ceph-mon (Ceph public network IS metal, not OpenStack public), + # ceph-osd, ovn-central, mysql-innodb-cluster, rabbitmq-server, nova-compute, etc. + internal-bindings: &internal-bindings + "": metal + +machines: + "8": + constraints: arch=amd64 tags=openstack + "9": + constraints: arch=amd64 tags=openstack + "10": + constraints: arch=amd64 tags=openstack + "11": + constraints: arch=amd64 tags=openstack + +applications: + + # ===================================================================== + # Datastores: MySQL InnoDB Cluster, RabbitMQ, Vault + HA backend + # ===================================================================== + + mysql-innodb-cluster: + charm: mysql-innodb-cluster + channel: 8.0/stable + num_units: 3 + to: [lxd:8, lxd:9, lxd:10] + bindings: *internal-bindings + constraints: arch=amd64 + + rabbitmq-server: + charm: rabbitmq-server + channel: 3.9/stable + num_units: 1 + to: [lxd:10] + bindings: *internal-bindings + constraints: arch=amd64 + + vault: + charm: vault + channel: 1.8/stable + num_units: 1 # 3 on Roosevelt (D-009) + to: [lxd:11] + options: {} + # TODO(netbox): uncomment vip + vault-hacluster app + :ha relation + # atomically once provider VIP is allocated from 10.12.4.224-.254 + # vip: 10.12.4. + bindings: *api-bindings + constraints: arch=amd64 + + vault-mysql-router: + charm: mysql-router + channel: 8.0/stable + + etcd: + charm: etcd + channel: latest/stable # support charm; not in OS delivery table + num_units: 3 # Vault HA backend (D-006) + to: [lxd:8, lxd:9, lxd:10] + bindings: *internal-bindings + constraints: arch=amd64 + # Note: etcd charm has its OWN `channel:` config option (controls etcd snap). + # Leaving at charm default; revisit if a specific etcd binary version is needed. + + easyrsa: + charm: easyrsa + channel: latest/stable + num_units: 1 # One-shot CA for etcd bootstrap (D-006) + to: [lxd:8] + bindings: *internal-bindings + constraints: arch=amd64 + + # ===================================================================== + # Identity: Keystone + # ===================================================================== + + keystone: + charm: keystone + channel: 2024.1/stable + num_units: 1 # 3 on Roosevelt (D-009) + to: [lxd:8] + options: {} + # TODO(netbox): vip + keystone-hacluster + :ha relation atomic uncomment + # vip: 10.12.4. + bindings: *api-bindings + constraints: arch=amd64 + + keystone-mysql-router: + charm: mysql-router + channel: 8.0/stable + + # ===================================================================== + # Image: Glance + simplestreams-sync + # ===================================================================== + + glance: + charm: glance + channel: 2024.1/stable + num_units: 1 + to: [lxd:11] + options: {} + # TODO(netbox): vip + glance-hacluster + :ha relation + bindings: *api-bindings + constraints: arch=amd64 + + glance-mysql-router: + charm: mysql-router + channel: 8.0/stable + + glance-simplestreams-sync: + charm: glance-simplestreams-sync + channel: 2024.1/stable + num_units: 1 + to: [lxd:8] + bindings: *internal-bindings + constraints: arch=amd64 + + # ===================================================================== + # Compute: Nova cloud-controller + compute + Placement + # ===================================================================== + + nova-cloud-controller: + charm: nova-cloud-controller + channel: 2024.1/stable + num_units: 1 + to: [lxd:11] + options: + console-access-protocol: novnc + network-manager: Neutron + # TODO(netbox): vip + nova-cloud-controller-hacluster + :ha relation + bindings: *api-bindings + constraints: arch=amd64 + + nova-compute: + charm: nova-compute + channel: 2024.1/stable + num_units: 3 + to: ["9", "10", "11"] + options: + config-flags: default_ephemeral_format=ext4 + enable-live-migration: true + enable-resize: true + migration-auth-type: ssh + resume-guests-state-on-host-boot: true + virt-type: qemu # Testcloud nested-KVM; Roosevelt will use 'kvm' + bindings: *internal-bindings + constraints: arch=amd64 + storage: + ephemeral-device: loop,10240M + + ncc-mysql-router: + charm: mysql-router + channel: 8.0/stable + + placement: + charm: placement + channel: 2024.1/stable + num_units: 1 + to: [lxd:11] + options: {} + # TODO(netbox): vip + placement-hacluster + :ha relation + bindings: *api-bindings + constraints: arch=amd64 + + placement-mysql-router: + charm: mysql-router + channel: 8.0/stable + + # ===================================================================== + # Networking: Neutron + OVN + # ===================================================================== + + neutron-api: + charm: neutron-api + channel: 2024.1/stable + num_units: 1 + to: [lxd:9] + options: + enable-ml2-port-security: true + flat-network-providers: physnet1 + neutron-security-groups: true + # TODO(netbox): vip + neutron-api-hacluster + :ha relation + bindings: *api-bindings + constraints: arch=amd64 + + neutron-api-mysql-router: + charm: mysql-router + channel: 8.0/stable + + neutron-api-plugin-ovn: + charm: neutron-api-plugin-ovn + channel: 2024.1/stable + + ovn-central: + charm: ovn-central + channel: 24.03/stable + num_units: 3 + to: [lxd:8, lxd:9, lxd:10] + bindings: *internal-bindings + constraints: arch=amd64 + + # ovn-chassis: subordinate to nova-compute. MAC-based bridge-interface-mappings + # captured from MAAS 2026-05-22 (Bobcat used hardcoded 'enp1s0' — anti-pattern fix). + # The charm picks whichever MAC is found locally per unit; non-matching MACs ignored. + ovn-chassis: + charm: ovn-chassis + channel: 24.03/stable + options: + ovn-bridge-mappings: physnet1:br-ex + bridge-interface-mappings: >- + br-ex:52:54:00:3d:fd:54 + br-ex:52:54:00:9d:63:77 + br-ex:52:54:00:89:7f:ce + br-ex:52:54:00:99:fc:c2 + + # ovn-chassis-octavia: separate ovn-chassis app, subordinate to octavia. + # No bridge-interface-mappings — matches Bobcat-proven pattern (Octavia mgmt + # traffic rides Neutron tenant overlay; no external physnet bridge needed here). + ovn-chassis-octavia: + charm: ovn-chassis + channel: 24.03/stable + + # ===================================================================== + # Block Storage: Cinder + cinder-ceph + # ===================================================================== + + cinder: + charm: cinder + channel: 2024.1/stable + num_units: 1 + to: [lxd:9] + options: + block-device: None + glance-api-version: 2 + # TODO(netbox): vip + cinder-hacluster + :ha relation + bindings: *api-bindings + constraints: arch=amd64 + storage: + block-devices: loop,10240M + + cinder-mysql-router: + charm: mysql-router + channel: 8.0/stable + + cinder-ceph: + charm: cinder-ceph + channel: 2024.1/stable + + # ===================================================================== + # Ceph: mon + osd + radosgw (Squid release per D-005) + # ===================================================================== + + ceph-mon: + charm: ceph-mon + channel: squid/stable + num_units: 3 + to: [lxd:8, lxd:9, lxd:10] + options: + source: *ceph-source + expected-osd-count: 4 + monitor-count: 3 + bindings: *internal-bindings # Ceph 'public' here = clients on metal, NOT OS public API + constraints: arch=amd64 + + ceph-osd: + charm: ceph-osd + channel: squid/stable + num_units: 4 + to: ["8", "9", "10", "11"] + options: + source: *ceph-source + osd-devices: /dev/vdb # libvirt-attached, MAAS-untracked, wiped 2026-05-22 + bindings: *internal-bindings + constraints: arch=amd64 tags=openstack + storage: # Loop-backed auxiliaries (testcloud has no real SSDs) + bluestore-db: loop,1024M + bluestore-wal: loop,1024M + cache-devices: loop,10240M + osd-devices: loop,1024M + osd-journals: loop,1024M # Legacy storage name still in squid metadata; benign + + ceph-radosgw: + charm: ceph-radosgw + channel: squid/stable + num_units: 1 + to: [lxd:8] + options: + source: *ceph-source + # TODO(netbox): vip + ceph-radosgw-hacluster + :ha relation + bindings: *api-bindings # radosgw IS externally-facing (S3/Swift API) + constraints: arch=amd64 + + # ===================================================================== + # Dashboard: openstack-dashboard (Horizon) + # ===================================================================== + + openstack-dashboard: + charm: openstack-dashboard + channel: 2024.1/stable + num_units: 1 + to: [lxd:10] + options: + debug: "false" + # TODO(netbox): vip + openstack-dashboard-hacluster + :ha relation + bindings: *api-bindings + constraints: arch=amd64 + + dashboard-mysql-router: + charm: mysql-router + channel: 8.0/stable + + # ===================================================================== + # Load Balancer: Octavia + # ===================================================================== + # CRITICAL: vault:certificates must be in bundle from day-one (post-deploy add + # causes documented apache2/octavia-api masking bug — see test deployment v3 handoff) + + octavia: + charm: octavia + channel: 2024.1/stable + num_units: 1 + to: [lxd:11] + options: + debug: false + openstack-origin: *openstack-origin + # ----- PKI material (4 cert blobs + passphrase) --------------------- + # TODO(octavia-cert): inline values BEFORE deploy. Two sources: + # (a) Copy from Bobcat backup at: + # ~/backups/pre-caracal-destroy-2026-05-22/bundle-pre-destroy.yaml + # (lines ~230-234; CA valid until 2027-05-15 — adequate for testcloud) + # (b) Generate fresh via the (yet-to-be-written) octavia-cert-runbook + # — required for Roosevelt deploy + # lb-mgmt-controller-cacert: + # lb-mgmt-controller-cert: + # lb-mgmt-issuing-ca-key-passphrase: + # lb-mgmt-issuing-ca-private-key: + # lb-mgmt-issuing-cacert: + # TODO(netbox): vip + octavia-hacluster + :ha relation + bindings: *api-bindings + constraints: arch=amd64 + + octavia-mysql-router: + charm: mysql-router + channel: 8.0/stable + + octavia-dashboard: + charm: octavia-dashboard + channel: 2024.1/stable + + octavia-diskimage-retrofit: + charm: octavia-diskimage-retrofit + channel: 2024.1/stable + options: + amp-image-tag: octavia-amphora + + # ===================================================================== + # Secrets: Barbican + # ===================================================================== + + barbican: + charm: barbican + channel: 2024.1/stable + num_units: 1 + to: [lxd:11] + options: + openstack-origin: *openstack-origin + # TODO(netbox): vip + barbican-hacluster + :ha relation + bindings: *api-bindings + constraints: arch=amd64 + + barbican-mysql-router: + charm: mysql-router + channel: 8.0/stable + + barbican-vault: + charm: barbican-vault + channel: 2024.1/stable + + # ===================================================================== + # Kubernetes-as-a-Service: Magnum (Layer A — CAPI graft is Layer B) + # ===================================================================== + # NOTE: After bundle deploys, magnum/0 will show active/idle but CANNOT + # create K8s clusters. Layer B (post-deploy) brings it to life: + # 1. capi-mgmt VM with k3s + CAPI operators (runbook 04a) + # 2. pip install magnum-capi-helm==1.1.0 into magnum venv (runbook 05) + # 3. /etc/magnum/magnum.conf.d/99-capi.conf with enabled_drivers + # 4. Install kubeconfig at /etc/magnum/kubeconfig + # 5. Create Keystone capi-mgmt project + capo user + app credential + + magnum: + charm: magnum + channel: 2024.1/stable + num_units: 1 + to: [lxd:9] + options: + openstack-origin: *openstack-origin + region: RegionOne + # TODO(netbox): vip + magnum-hacluster + :ha relation + bindings: *api-bindings + constraints: arch=amd64 + + magnum-mysql-router: + charm: mysql-router + channel: 8.0/stable + + magnum-dashboard: + charm: magnum-dashboard + channel: 2024.1/stable + + # ===================================================================== + # DNS: Designate (NEW for Caracal v1 per D-008) + # ===================================================================== + # Naming convention: .omega.dc0.vr0.cloud.neumatrix.local + + designate: + charm: designate + channel: 2024.1/stable + num_units: 1 + to: [lxd:8] + options: + openstack-origin: *openstack-origin + # TODO(d008): set nameservers per omega.dc0.vr0 zone before deploy + # nameservers: "ns1.omega.dc0.vr0.cloud.neumatrix.local. ns2.omega.dc0.vr0.cloud.neumatrix.local." + # TODO(netbox): vip + designate-hacluster + :ha relation + bindings: *api-bindings + constraints: arch=amd64 + + designate-mysql-router: + charm: mysql-router + channel: 8.0/stable + + designate-bind: + charm: designate-bind + channel: 2024.1/stable + num_units: 1 + to: [lxd:8] + bindings: *internal-bindings + constraints: arch=amd64 + + # ===================================================================== + # HA Cluster Subordinates (COMMENTED until NetBox VIP allocations) + # ===================================================================== + # Channel: 2.4/stable (per Caracal Charm Delivery table, corrected from D-002). + # Uncomment EACH block (hacluster app + corresponding :ha relation + principal vip) + # ATOMICALLY when its VIP is allocated. 13 hacluster subordinates total per D-009. + # + # keystone-hacluster: { charm: hacluster, channel: 2.4/stable } + # glance-hacluster: { charm: hacluster, channel: 2.4/stable } + # neutron-api-hacluster: { charm: hacluster, channel: 2.4/stable } + # nova-cloud-controller-hacluster: { charm: hacluster, channel: 2.4/stable } + # placement-hacluster: { charm: hacluster, channel: 2.4/stable } + # openstack-dashboard-hacluster: { charm: hacluster, channel: 2.4/stable } + # cinder-hacluster: { charm: hacluster, channel: 2.4/stable } + # octavia-hacluster: { charm: hacluster, channel: 2.4/stable } + # barbican-hacluster: { charm: hacluster, channel: 2.4/stable } + # magnum-hacluster: { charm: hacluster, channel: 2.4/stable } + # vault-hacluster: { charm: hacluster, channel: 2.4/stable } + # ceph-radosgw-hacluster: { charm: hacluster, channel: 2.4/stable } + # designate-hacluster: { charm: hacluster, channel: 2.4/stable } + +relations: + + # ---- Vault HA backend chain (NEW for Caracal v1; chicken-and-egg via easyrsa) + - [easyrsa:client, etcd:certificates] # easyrsa issues etcd TLS one-time + - [vault:etcd, etcd:db] # vault uses etcd as HA backend + - [vault-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [vault:shared-db, vault-mysql-router:shared-db] + - [mysql-innodb-cluster:certificates, vault:certificates] + # TODO(netbox): - [vault:ha, vault-hacluster:ha] + + # ---- Keystone (identity, hub of all OS service relations) + - [keystone-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [keystone-mysql-router:shared-db, keystone:shared-db] + - [keystone:certificates, vault:certificates] + # TODO(netbox): - [keystone:ha, keystone-hacluster:ha] + + # ---- Glance (image) + - [glance-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [glance-mysql-router:shared-db, glance:shared-db] + - [glance:identity-service, keystone:identity-service] + - [glance:certificates, vault:certificates] + # TODO(netbox): - [glance:ha, glance-hacluster:ha] + + # ---- Glance simplestreams sync (Octavia amphora pipeline source) + - [glance-simplestreams-sync:identity-service, keystone:identity-service] + - [glance-simplestreams-sync:certificates, vault:certificates] + + # ---- Nova cloud controller (NCC) + - [ncc-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [ncc-mysql-router:shared-db, nova-cloud-controller:shared-db] + - [nova-cloud-controller:identity-service, keystone:identity-service] + - [nova-cloud-controller:amqp, rabbitmq-server:amqp] + - [nova-cloud-controller:image-service, glance:image-service] + - [nova-cloud-controller:neutron-api, neutron-api:neutron-api] + - [nova-cloud-controller:cloud-compute, nova-compute:cloud-compute] + - [nova-cloud-controller:cinder-volume-service, cinder:cinder-volume-service] + - [nova-cloud-controller:certificates, vault:certificates] + # TODO(netbox): - [nova-cloud-controller:ha, nova-cloud-controller-hacluster:ha] + + # ---- Nova compute + - [nova-compute:amqp, rabbitmq-server:amqp] + - [nova-compute:image-service, glance:image-service] + + # ---- Placement + - [placement-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [placement-mysql-router:shared-db, placement:shared-db] + - [placement:identity-service, keystone:identity-service] + - [placement:placement, nova-cloud-controller:placement] + - [placement:certificates, vault:certificates] + # TODO(netbox): - [placement:ha, placement-hacluster:ha] + + # ---- Neutron API + OVN + - [neutron-api-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [neutron-api-mysql-router:shared-db, neutron-api:shared-db] + - [neutron-api:identity-service, keystone:identity-service] + - [neutron-api:amqp, rabbitmq-server:amqp] + - [neutron-api:certificates, vault:certificates] + - [neutron-api-plugin-ovn:neutron-plugin, neutron-api:neutron-plugin-api-subordinate] + - [neutron-api-plugin-ovn:ovsdb-cms, ovn-central:ovsdb-cms] + - [neutron-api-plugin-ovn:certificates, vault:certificates] + - [ovn-central:certificates, vault:certificates] + - [ovn-chassis:ovsdb, ovn-central:ovsdb] + - [ovn-chassis:nova-compute, nova-compute:neutron-plugin] + - [ovn-chassis:certificates, vault:certificates] + # TODO(netbox): - [neutron-api:ha, neutron-api-hacluster:ha] + + # ---- Cinder + cinder-ceph + - [cinder-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [cinder-mysql-router:shared-db, cinder:shared-db] + - [cinder:identity-service, keystone:identity-service] + - [cinder:amqp, rabbitmq-server:amqp] + - [cinder:image-service, glance:image-service] + - [cinder:certificates, vault:certificates] + - [cinder-ceph:storage-backend, cinder:storage-backend] + - [cinder-ceph:ceph, ceph-mon:client] + - [cinder-ceph:ceph-access, nova-compute:ceph-access] + # TODO(netbox): - [cinder:ha, cinder-hacluster:ha] + + # ---- Ceph mon + osd + radosgw + - [ceph-mon:osd, ceph-osd:mon] + - [ceph-mon:client, nova-compute:ceph] + - [ceph-mon:client, glance:ceph] + - [ceph-radosgw:mon, ceph-mon:radosgw] + - [ceph-radosgw:identity-service, keystone:identity-service] + - [ceph-radosgw:certificates, vault:certificates] + # TODO(netbox): - [ceph-radosgw:ha, ceph-radosgw-hacluster:ha] + + # ---- OpenStack Dashboard (Horizon) + - [dashboard-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [dashboard-mysql-router:shared-db, openstack-dashboard:shared-db] + - [openstack-dashboard:identity-service, keystone:identity-service] + - [openstack-dashboard:certificates, vault:certificates] + # TODO(netbox): - [openstack-dashboard:ha, openstack-dashboard-hacluster:ha] + + # ---- Octavia (LBaaS) + # CRITICAL: octavia:certificates ↔ vault:certificates MUST be present at deploy time + - [octavia-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [octavia-mysql-router:shared-db, octavia:shared-db] + - [octavia:identity-service, keystone:identity-service] + - [octavia:amqp, rabbitmq-server:amqp] + - [octavia:neutron-api, neutron-api:neutron-load-balancer] + - [octavia:certificates, vault:certificates] + - [octavia-dashboard:dashboard, openstack-dashboard:dashboard-plugin] + - [ovn-chassis-octavia:ovsdb, ovn-central:ovsdb] + - [ovn-chassis-octavia:ovsdb-subordinate, octavia:ovsdb-subordinate] + - [ovn-chassis-octavia:certificates, vault:certificates] + # Octavia amphora image pipeline + - [octavia-diskimage-retrofit:juju-info, glance-simplestreams-sync:juju-info] + - [octavia-diskimage-retrofit:identity-credentials, keystone:identity-credentials] + # TODO(netbox): - [octavia:ha, octavia-hacluster:ha] + + # ---- Barbican (secrets) + - [barbican-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [barbican-mysql-router:shared-db, barbican:shared-db] + - [barbican:identity-service, keystone:identity-service] + - [barbican:amqp, rabbitmq-server:amqp] + - [barbican:certificates, vault:certificates] + - [barbican:secrets, barbican-vault:secrets] + - [barbican-vault:certificates, vault:certificates] + - [barbican-vault:secrets-storage, vault:secrets] + # TODO(netbox): - [barbican:ha, barbican-hacluster:ha] + + # ---- Magnum (Layer A only; CAPI graft is Layer B/runbook 05) + - [magnum-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [magnum:shared-db, magnum-mysql-router:shared-db] + - [magnum:identity-service, keystone:identity-service] + - [magnum:amqp, rabbitmq-server:amqp] + - [magnum:certificates, vault:certificates] + - [magnum-dashboard:dashboard, openstack-dashboard:dashboard-plugin] + # TODO(netbox): - [magnum:ha, magnum-hacluster:ha] + + # ---- Designate (DNS) — NEW for Caracal v1 per D-008 + - [designate-mysql-router:db-router, mysql-innodb-cluster:db-router] + - [designate-mysql-router:shared-db, designate:shared-db] + - [designate:identity-service, keystone:identity-service] + - [designate:amqp, rabbitmq-server:amqp] + - [designate:certificates, vault:certificates] + - [designate:dns-backend, designate-bind:dns-backend] + # TODO(netbox): - [designate:ha, designate-hacluster:ha]