The following resources are required before deployment can proceed:
- OpenTofu
- Python environment configured for running Ansible
- Vault access
- Openstack clouds.yaml
- A shared filesystem through a Manila share
- Object storage
- Networking
Terraform is used to provision resources on an Openstack cloud. See the resource definitions in terraform.
Note: Terraform no longer has an open-source license. OpenTofu is a
drop-in replacement supported by CNCF; the terraform command can be replaced by tofu
wherever it appears in external documentation.
- Install OpenTofu using their documented method for your platform: https://opentofu.org/docs/intro/install/
- Run tofu init in the ../../infra/ansible/terraform/ directory.
Ansible requires a Python environment. These instructions assume the use of the uv tool for managing both Python and the virtual environments. See uv installation & installing Python guides.
- Create a virtual environment in the <repo_root>/infra/ansible directory
cd <repo_root>/infra/ansible
uv venv
- Install the Python requirements & Ansible Galaxy requirements
uv pip install -r requirements-python.txt
uv run ansible-galaxy role install --roles-path galaxy_roles -r requirements-ansible-galaxy.yml
Interacting with the Openstack API requires access credentials configured
in a ~/.config/openstack/clouds.yaml file.
See the SCD cloud documentation for details on how to configure this file.
An ssh key is required in order to access the VMs. See the SCD cloud documentation for details on how to configure your SSH key.
The project secrets are stored in Hashicorp Vault. Running Ansible requires a Vault token to access the secrets. Log in to the vault, click on the person icon on the left and select copy token.
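A preflight check for the local prerequisites above (OpenTofu, uv, the virtual environment, clouds.yaml and the Vault token), added here as an example and not part of the project's tooling. The function names are hypothetical; passing the token in as VAULT_TOKEN and the .venv and .terraform directory names (the uv and OpenTofu defaults) are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own script. Function names are hypothetical.

# Succeeds when a command is on PATH.
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# Succeeds only when the file exists and its mode grants nothing to group
# or other (e.g. 0600). clouds.yaml holds cloud API credentials.
is_private_file() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Records one failed check on stderr and bumps the counter.
fail() { echo "FAIL: $1" >&2; fails=$((fails + 1)); }

# Runs every check and returns the number of failures (0 = ready).
# $1 = path to infra/ansible
# $2 = path to clouds.yaml
# $3 = Vault token value (assumption: exported as VAULT_TOKEN)
preflight() {
    ansible_dir=$1; clouds=$2; token=$3; fails=0

    have_cmd tofu || fail "tofu not on PATH"
    have_cmd uv || fail "uv not on PATH"
    [ -d "$ansible_dir/terraform/.terraform" ] ||
        fail "run 'tofu init' in $ansible_dir/terraform"
    [ -d "$ansible_dir/.venv" ] || fail "run 'uv venv' in $ansible_dir"

    if [ ! -f "$clouds" ]; then
        fail "$clouds is missing"
    elif ! is_private_file "$clouds"; then
        fail "$clouds is accessible to group/other; chmod 600 it"
    fi

    # Only presence is checked; the token itself is never printed.
    [ -n "$token" ] || fail "no Vault token supplied"
    return "$fails"
}

# Example invocation from <repo_root>:
#   preflight infra/ansible ~/.config/openstack/clouds.yaml "$VAULT_TOKEN"
```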
Used for: Persistent storage for running system services, e.g. database data. Not used for user data.
A Manila/CephFS share of at least 5TB is required. Once a quota has been assigned to the project:
- Create a new share, under Project->Share->Shares, and mark it private.
- Click on the share, make note of the Export locations.Path value.
- Edit the vault_cephfs_export_path variable to match the value from the previous step.
- On the main Shares page click the down arrow on the side of the EDIT SHARE button and go to Manage Rules.
- Add a new rule and once created make note of the Access Key value.
- Edit the vault_cephfs_access_secret variable to match the value from the previous step.
Used for: Persistent storage of user data.
This is currently expected to be configured to use the Echo object store.
The S3 endpoint is configured through the s3_endpoint ansible variable
in infra/ansible.
An access key and secret are configured in the vault. They cannot be managed through
the Openstack web interface; instead, new keys and secrets are created using the
openstack ec2 credentials command.
In the infra/ansible directory run
uv run openstack --os-cloud=<cloud_name> ec2 credentials create
to create a new access key/secret pair. Update the Ansible vault accordingly.
Requirements:
- Floating IP:
  - Using the web interface create one from Project->Network->Floating IPs, using ALLOCATE IP TO PROJECT, ensuring a description is provided.
  - Place the value in the Terraform environments tf vars file.
- DNS record pointing at the above floating IP
  - Place the value in inventories/dev/group_vars/all/all.yml.