|
1 | 1 | = User Installation Guide |
2 | 2 |
|
3 | | -== Getting Started |
4 | | - |
5 | | -Before installing the Watcher operator you first need a functional |
6 | | -OpenShift installation with the required Openstack operators, |
7 | | -including the Telemetry operator. The following links point |
8 | | -to documents detailing how to create this required starting environment: |
9 | | - |
10 | | -* https://github.com/openstack-k8s-operators/openstack-operator[Openstack Operator] |
11 | | -* https://github.com/openstack-k8s-operators/telemetry-operator[Telemetry Operator] |
12 | | -* https://kubernetes.io/docs/concepts/extend-kubernetes/operator/[Kubernetes operators] |
13 | | -* https://prometheus.io/[Prometheus metrics] |
14 | | - |
15 | | -A CRC (https://crc.dev/docs/introducing/[Code Ready Containers]) installation is |
16 | | -adequade for a developer environment. |
17 | | - |
18 | | -To verify that the environment set up is ready, do the following: |
19 | | - |
20 | | -. Log in to the Kubernetes/Openshift environment: |
21 | | -+ |
22 | | -[,console] |
23 | | ----- |
24 | | -$ oc login -u <username> -p <password> https://api.crc.testing:6443 --insecure-skip-tls-verify=true |
25 | | ----- |
26 | | -+ |
27 | | -. Access the Openstack client and verify the service endpoints are available: |
28 | | -+ |
29 | | -[,console] |
30 | | ----- |
31 | | -$ oc rsh openstackclient openstack endpoint list -c 'ID' -c 'Service Name' -c 'Enabled' |
32 | | -+----------------------------------+--------------+---------+ |
33 | | -| ID | Service Name | Enabled | |
34 | | -+----------------------------------+--------------+---------+ |
35 | | -| 0bada656064a4d409bc5fed610654edd | neutron | True | |
36 | | -| 17453066f8dc40bfa0f8584007cffc9a | cinderv3 | True | |
37 | | -| 22768bf3e9a34fefa57b96c20d405cfe | keystone | True | |
38 | | -| 54e3d48cdda84263b7f1c65c924f3e3a | glance | True | |
39 | | -| 74345a18262740eb952d2b6b7220ceeb | keystone | True | |
40 | | -| 789a2d6048174b849a7c7243421675b4 | placement | True | |
41 | | -| 9b7d8f26834343a59108a4225e0e574a | nova | True | |
42 | | -| a836d134394846ff88f2f3dd8d96de34 | nova | True | |
43 | | -| af1bf23e62c148d3b7f6c47f8f071739 | placement | True | |
44 | | -| ce0489dfeff64afb859338e480397f90 | glance | True | |
45 | | -| db69cc22117344b796f97e8dd3dc67e5 | neutron | True | |
46 | | -| fa48dc132b524915b4d1ca963c50a653 | cinderv3 | True | |
47 | | -+----------------------------------+--------------+---------+ |
48 | | ----- |
49 | | -+ |
50 | | -. Verify that the Telemetry operator with Prometheus metric storage is ready: |
51 | | -+ |
52 | | -[,console] |
53 | | ----- |
54 | | -$ oc get telemetry |
55 | | -NAME STATUS MESSAGE |
56 | | -telemetry True Setup complete |
57 | | -
|
58 | | -$ oc get metricstorage |
59 | | -NAME STATUS MESSAGE |
60 | | -metric-storage True Setup complete |
61 | | -
|
62 | | -$ oc get route metric-storage-prometheus |
63 | | -NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD |
64 | | -metric-storage-prometheus metric-storage-prometheus-openstack.apps-crc.testing metric-storage-prometheus web edge/Redirect None |
65 | | ----- |
66 | | -+ |
67 | | -. You can view the Prometheus metrics in a web browser at the `HOST/PORT` address, for example, |
68 | | -https://metric-storage-prometheus-openstack.apps-crc.testing. |
69 | | - |
70 | | -== Installing the Operator |
71 | | - |
72 | | -.Procedure |
73 | | - |
74 | | -Now that you have a ready working environment, you can install the Watcher Operator. |
75 | | -NOTE: The steps below require you to log in to your OpenShift cluster as a user with |
76 | | -cluster-admin privileges. |
77 | | - |
78 | | -. Create a `watcher-operator.yaml` file: |
79 | | -+ |
80 | | -[source,yaml] |
81 | | ----- |
82 | | ---- |
83 | | -apiVersion: operators.coreos.com/v1alpha1 |
84 | | -kind: CatalogSource |
85 | | -metadata: |
86 | | - name: watcher-operator-index |
87 | | - namespace: openstack-operators |
88 | | -spec: |
89 | | - image: quay.io/openstack-k8s-operators/watcher-operator-index:latest |
90 | | - sourceType: grpc |
91 | | ---- |
92 | | -apiVersion: operators.coreos.com/v1 |
93 | | -kind: OperatorGroup |
94 | | -metadata: |
95 | | - name: openstack |
96 | | - namespace: openstack-operators |
97 | | ---- |
98 | | -apiVersion: operators.coreos.com/v1alpha1 |
99 | | -kind: Subscription |
100 | | -metadata: |
101 | | - name: watcher-operator |
102 | | - namespace: openstack-operators |
103 | | -spec: |
104 | | - name: watcher-operator |
105 | | - channel: alpha |
106 | | - source: watcher-operator-index |
107 | | - sourceNamespace: openstack-operators |
108 | | ----- |
109 | | -+ |
110 | | -. `oc apply` the file to create the resources: |
111 | | -+ |
112 | | -[,console] |
113 | | ----- |
114 | | -$ oc apply -f watcher-operator.yaml |
115 | | -catalogsource.operators.coreos.com/watcher-operator-index created |
116 | | -operatorgroup.operators.coreos.com/openstack unchanged |
117 | | -subscription.operators.coreos.com/watcher-operator created |
118 | | ----- |
119 | | -+ |
120 | | -. Check that the operator is installed: |
121 | | -+ |
122 | | -[,console] |
123 | | ----- |
124 | | -$ oc get subscription.operators.coreos.com/watcher-operator -n openstack-operators |
125 | | -NAME PACKAGE SOURCE CHANNEL |
126 | | -watcher-operator watcher-operator watcher-operator-index alpha |
127 | | -
|
128 | | -$ oc get pod -l openstack.org/operator-name=watcher -n openstack-operators |
129 | | -NAME READY STATUS RESTARTS AGE |
130 | | -watcher-operator-controller-manager-dd95db756-kslw9 2/2 Running 0 44s |
131 | | -
|
132 | | -$ oc get csv watcher-operator.v0.0.1 |
133 | | -NAME DISPLAY VERSION REPLACES PHASE |
134 | | -watcher-operator.v0.0.1 Watcher Operator 0.0.1 Succeeded |
135 | | ----- |
136 | | - |
137 | | -== Deploying the Watcher Service |
138 | | - |
139 | | -Now, you will need to create a Watcher Custom Resource based on the `Watcher CRD` in the same project where your |
140 | | -OpenStackControlPlane CR is created. Typically, this is `openstack` project but you can check it with: |
141 | | - |
142 | | -[,console] |
143 | | ----- |
144 | | -$ oc get OpenStackControlPlane --all-namespaces |
145 | | -NAMESPACE NAME STATUS MESSAGE |
146 | | -openstack openstack-controlplane True Setup complete |
147 | | -
|
148 | | ----- |
149 | | - |
150 | | - |
151 | | -.Procedure |
152 | | - |
153 | | -. Use the following commands to _view_ the `Watcher CRD` definition and specification schema: |
154 | | -+ |
155 | | -[,console] |
156 | | ----- |
157 | | -$ oc describe crd watcher |
158 | | -
|
159 | | -$ oc explain watcher.spec |
160 | | ----- |
161 | | -+ |
162 | | -. Add a WatcherPassword field to the `Secret` created as part of the control plane deployment. |
163 | | -+ |
164 | | -For more information, see link:https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_preparing-RHOCP-for-RHOSO#proc_providing-secure-access-to-the-RHOSO-services_preparing[Providing secure access to the Red Hat OpenStack Services on OpenShift services]. |
165 | | -+ |
166 | | -. Update the `Secret`, and verify that the `WatcherPassword` field is present: |
167 | | -+ |
168 | | -[,console] |
169 | | ----- |
170 | | -$ oc apply -f <secret file> -n openstack |
171 | | -
|
172 | | -$ oc describe secret osp-secret -n openstack | grep Watcher |
173 | | -WatcherPassword: 9 bytes |
174 | | ----- |
175 | | -+ |
176 | | -. To expose the watcher services over https, some certificates are needed |
177 | | -which will be automatically created by the openstack-operator as part of the |
178 | | -OpenStackControlPlane creation. |
179 | | -+ |
180 | | -. Create a file on your workstation named `watcher.yaml` to define the Watcher |
181 | | - CR. In the `endpointURL` field, replace the `example.com` domain with your |
182 | | - cluster domain and the `openstack` with the name of the project you are |
183 | | - deploying in (if it's different than the `openstack` default). |
184 | | - Although the exact parameters of your file may depend on your |
185 | | - specific environment customization, a Watcher CR similar to the example below |
186 | | - would work in a typical deployment: |
187 | | -+ |
188 | | -[source,yaml] |
189 | | ----- |
190 | | -apiVersion: watcher.openstack.org/v1beta1 |
191 | | -kind: Watcher |
192 | | -metadata: |
193 | | - name: watcher |
194 | | -spec: |
195 | | - databaseInstance: "openstack" |
196 | | - secret: <name of the secret with the credentials of the ControlPlane deploy> |
197 | | - apiServiceTemplate: |
198 | | - override: |
199 | | - service: |
200 | | - public: |
201 | | - endpointURL: https://watcher-public-openstack.example.com |
202 | | - tls: |
203 | | - caBundleSecretName: "combined-ca-bundle" |
204 | | - api: |
205 | | - internal: |
206 | | - secretName: cert-watcher-internal-svc |
207 | | - public: |
208 | | - secretName: cert-watcher-public-svc |
209 | | ----- |
210 | | -+ |
211 | | -There are certain fields of the Watcher CR spec that need to match with the values used in the existing OpenStackControlplane: |
212 | | -+ |
213 | | -* *databaseInstance* parameter value must match to the name of the galera database created in the existing Control Plane. By default, this value is `openstack` but you can find it by running (ignore any galera having `cell` in its name): |
214 | | -+ |
215 | | -[,console] |
216 | | ----- |
217 | | -$ oc get galeras -n openstack |
218 | | -NAME READY MESSAGE |
219 | | -openstack True Setup complete |
220 | | -
|
221 | | ----- |
222 | | -+ |
223 | | -* *rabbitMqClusterName* parameter value should be the name of the existing Rabbitmq cluster, which can be found with the command (ignore any rabbitmq having `cell` in its name). By default, it is `rabbitmq`. |
224 | | -+ |
225 | | -[,console] |
226 | | ----- |
227 | | -$ oc get rabbitmq -n openstack |
228 | | -NAME ALLREPLICASREADY RECONCILESUCCESS AGE |
229 | | -rabbitmq True True 6d15h |
230 | | -
|
231 | | ----- |
232 | | -+ |
233 | | -* *memcachedInstance* must contain the name of the existing memcached CR in the same project (`memcached` by default). you can find it with: |
234 | | -+ |
235 | | -[,console] |
236 | | ----- |
237 | | -$ oc get memcached -n openstack |
238 | | -NAME READY MESSAGE |
239 | | -memcached True Setup complete |
240 | | -
|
241 | | ----- |
242 | | -+ |
243 | | -* *caBundleSecretName* under apiServiceTemplate.tls section must match the value found in command: |
244 | | -+ |
245 | | -[,console] |
246 | | ----- |
247 | | -$ oc get OpenStackControlPlane openstack-controlplane -n openstack \ |
248 | | - -o jsonpath='{.status.tls.caBundleSecretName}' |
249 | | -combined-ca-bundle |
250 | | -
|
251 | | ----- |
252 | | -+ |
253 | | -For more information about how to define an OpenStackControlPlane custom resource (CR), see link:https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_creating-the-control-plane#proc_creating-the-control-plane_controlplane[Creating the control plane]. |
254 | | -+ |
255 | | -. `oc apply` to configure Watcher |
256 | | -+ |
257 | | -[,console] |
258 | | ----- |
259 | | -$ oc apply -f watcher.yaml -n openstack |
260 | | -watcher.watcher.openstack.org/watcher configured |
261 | | ----- |
262 | | -+ |
263 | | -. To check if the service status, run: |
264 | | -+ |
265 | | -[,console] |
266 | | ----- |
267 | | -$ oc wait -n openstack --for condition=Ready --timeout=300s Watcher watcher |
268 | | -watcher.watcher.openstack.org/watcher condition met |
269 | | ----- |
270 | | -+ |
271 | | -where `Watcher` refers to the _kind_ and `watcher` refers to the name of the CR. |
272 | | -. Check that the watcher service has been registered in list of keystone services with command: |
273 | | -+ |
274 | | -[,console] |
275 | | ----- |
276 | | -$ oc rsh openstackclient openstack service list |
277 | | -+----------------------------------+------------+-------------+ |
278 | | -| ID | Name | Type | |
279 | | -+----------------------------------+------------+-------------+ |
280 | | -| 1470e8d6019446a1bcdfdb6dc55f3f6a | nova | compute | |
281 | | -| 41d60e1c678142cf8e5daf7a82af1864 | neutron | network | |
282 | | -| 5b0d95d1c08e4deb832815addd859924 | ceilometer | Ceilometer | |
283 | | -| 7e081cb4928945d7aa41d1622f7b8586 | cinderv3 | volumev3 | |
284 | | -| 8d7ee56ca2bb4dba999d67580909dd90 | glance | image | |
285 | | -| c3348e10fb414780988fbbceac9c4b5f | watcher | infra-optim | |
286 | | -| db60453eca65409bbb0b61f4295c66ec | placement | placement | |
287 | | -| fa717124fbcb4d708ba4c41c9109df81 | keystone | identity | |
288 | | -+----------------------------------+------------+-------------+ |
289 | | ----- |
290 | | -+ |
291 | | -. Check that the openstack cloud can communicate with the watcher endpoints: |
292 | | -+ |
293 | | -[,console] |
294 | | ----- |
295 | | -$ oc rsh openstackclient openstack optimize service list |
296 | | -+----+-------------------------+---------------------------+--------+ |
297 | | -| ID | Name | Host | Status | |
298 | | -+----+-------------------------+---------------------------+--------+ |
299 | | -| 1 | watcher-applier | watcher-applier-0 | ACTIVE | |
300 | | -| 2 | watcher-decision-engine | watcher-decision-engine-0 | ACTIVE | |
301 | | -+----+-------------------------+---------------------------+--------+ |
302 | | ----- |
303 | | -+ |
304 | | -This confirms that the openstackclient pod could communicate with the watcher |
305 | | -services. |
306 | | -. Check that the endpoints use HTTPS: |
307 | | -+ |
308 | | -[,console] |
309 | | ----- |
310 | | -$ oc rsh openstackclient openstack endpoint list --service infra-optim -c 'Service Name' -c 'Interface' -c 'URL' |
311 | | -+--------------+-----------+---------------------------------------------------------------+ |
312 | | -| Service Name | Interface | URL | |
313 | | -+--------------+-----------+---------------------------------------------------------------+ |
314 | | -| watcher | public | https://watcher-public-openstack.example.com | |
315 | | -| watcher | internal | https://watcher-internal.openstack.svc:9322 | |
316 | | -+--------------+-----------+---------------------------------------------------------------+ |
317 | | ----- |
| 3 | +== Watcher operator installation |
| 4 | +The watcher-operator is now integrated in openstack-operator. The |
| 5 | +installation of the operator is now part of the installation of the |
| 6 | +OpenStack Operator. For details about the deployment consult the |
| 7 | +https://openstack-k8s-operators.github.io/openstack-operator/[OpenStack k8s Operators documentation]. |
| 8 | + |
| 9 | +== Watcher service deployment |
| 10 | + |
| 11 | +The deployment of the Watcher service is performed as part of the |
| 12 | +OpenStackControlplane Custom Resource. A Watcher service section |
| 13 | +exist to enable and configure the different aspects of the service. |
| 14 | + |
| 15 | +A default watcher service deployment can be done by just adding |
| 16 | +following content to your **OpenStackControlPlane Custom Resource |
| 17 | +spec**. |
| 18 | + |
| 19 | +``` |
| 20 | + watcher: |
| 21 | + enabled: true |
| 22 | +``` |
| 23 | + |
| 24 | +For additional details and existing parameters in the watcher service |
| 25 | +check the https://openstack-k8s-operators.github.io/openstack-operator/ctlplane/index.html#watchersection[WatcherSection] |
| 26 | +and https://openstack-k8s-operators.github.io/openstack-operator/ctlplane/index.html#watcherspeccore[WatcherSpecCore] |
| 27 | +sections of the documentation. |
| 28 | + |
| 29 | +**Note:** Watcher requires that the **OpenStackControlPlane** has |
| 30 | +Telemetry service enabled, including the MetricStorage system which |
| 31 | +provides the Prometheus backend and metrics required by Watcher. |
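Review bot: the new "Watcher service deployment" section (new lines 9-31) stops at `enabled: true` and gives the reader no way to confirm the result, while the removed guide had explicit checks: `oc wait -n openstack --for condition=Ready --timeout=300s Watcher watcher`, `openstack optimize service list`, and the `openstack endpoint list --service infra-optim` step that confirmed both endpoints use HTTPS. If those checks still apply when Watcher is deployed through the OpenStackControlPlane, keep a short verification step here; if they are covered in the linked OpenStack k8s Operators documentation, link to that part directly. The same applies to the `WatcherPassword` secret field and the `tls` settings that the old procedure spelled out: say whether the control plane now handles them or whether the user still has to supply them. Smaller points: new line 13 should read "exists"; new line 12 writes `OpenStackControlplane` while new lines 16 and 29 write `OpenStackControlPlane`; and the snippet at new lines 19-22 uses a bare triple-backtick fence where the removed text used `[source,yaml]` with `----` delimiters, so tagging it `[source,yaml]` would keep the file consistent.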