Original source: https://input.scs.community/scs-operator-hackathon-images-flavors#
Yaook SCS Operator Hackathon - Manage OpenStack resources in K8s
OSISM Image/Flavor Manager
- Command-line tool which is supposed to be run manually
- Integration in k8s would require some amount of glue code
- quick and dirty solution: CronJob with configuration in a ConfigMap
- awkward user interface
PoC OpenStack Resource Controller
Rough Steps
```bash
export ORC_RELEASE="https://github.com/k-orc/openstack-resource-controller/releases/download/v2.4.0/install.yaml"
kubectl apply --server-side -f "$ORC_RELEASE"
```
```bash
kubectl create -n orc-system secret generic openstack-clouds \
  --from-file=clouds.yaml=./orc_clouds.yaml
```
```yaml
clouds:
  local-admin:
    auth:
      auth_url: https://keystone.yaook.svc:5000/v3
      password: geheim
      project_domain_name: Default
      project_name: admin
      user_domain_name: Default
      username: yaook-sys-maint
    endpoint_type: internal
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: glance-api
    state.yaook.cloud/component: api_deployment
    state.yaook.cloud/parent-group: yaook.cloud
    state.yaook.cloud/parent-name: glance
    state.yaook.cloud/parent-plural: glancedeployments
    state.yaook.cloud/parent-version: v1
  name: glance-api
  namespace: yaook
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      state.yaook.cloud/component: api_deployment
      state.yaook.cloud/parent-group: yaook.cloud
      state.yaook.cloud/parent-name: glance
      state.yaook.cloud/parent-plural: glancedeployments
      state.yaook.cloud/parent-version: v1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        config-timestamp: 2026-02-24T19:44:46.002795Z+JJXKSZ2trz0
      creationTimestamp: null
      labels:
        state.yaook.cloud/component: api_deployment
        state.yaook.cloud/parent-group: yaook.cloud
        state.yaook.cloud/parent-name: glance
        state.yaook.cloud/parent-plural: glancedeployments
        state.yaook.cloud/parent-version: v1
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: image.yaook.cloud/api
                operator: Exists
            - matchExpressions:
              - key: any.yaook.cloud/api
                operator: Exists
      automountServiceAccountToken: false
      containers:
      - env:
        - name: REQUESTS_CA_BUNDLE
          value: /etc/pki/tls/certs/ca-bundle.crt
        - name: HTTP_PROXY
          value: http://10.65.117.35:3128
        - name: NO_PROXY
          value: .svc,.cluster,10.0.0.0/8
        image: registry.yaook.cloud/yaook/glance-2025.1:1.1.151
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /bin/sleep
              - "5"
        livenessProbe:
          exec:
            command:
            - curl
            - --fail
            - localhost:8080
          failureThreshold: 3
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        name: glance-api
        readinessProbe:
          exec:
            command:
            - curl
            - --fail
            - localhost:8080
          failureThreshold: 3
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/glance
          name: glance-config-volumev2
        - mountPath: /etc/pki/tls/certs
          name: ca-certs
        - mountPath: /etc/ceph/ceph.conf
          name: glance-ceph-conf-volume
          subPath: ceph.conf
        - mountPath: /etc/ceph/keyfile
          name: glance-ceph-keyfile-volume
          subPath: keyfile
      - env:
        - name: SERVICE_PORT
          value: "9292"
        - name: LOCAL_PORT
          value: "8080"
        - name: METRICS_PORT
          value: "9090"
        - name: REQUESTS_CA_BUNDLE
          value: /etc/ssl/certs/ca-certificates.crt
        - name: MAX_BODY_SIZE_MB
          value: "0"
        - name: READ_TIMEOUT
          value: "7200"
        image: registry.yaook.cloud/yaook/ssl-terminator:1.2.116
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /.yaook.cloud/ssl-terminator-healthcheck
            port: 9292
            scheme: HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: ssl-terminator
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /
            port: 9292
            scheme: HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /config
          name: ssl-terminator-config
        - mountPath: /data
          name: tls-secret
        - mountPath: /etc/ssl/certs/ca-certificates.crt
          name: ca-certs
          subPath: ca-bundle.crt
      - env:
        - name: SERVICE_PORT
          value: "9293"
        - name: LOCAL_PORT
          value: "8080"
        - name: METRICS_PORT
          value: "9091"
        - name: REQUESTS_CA_BUNDLE
          value: /etc/ssl/certs/ca-certificates.crt
        - name: MAX_BODY_SIZE_MB
          value: "0"
        - name: READ_TIMEOUT
          value: "7200"
        image: registry.yaook.cloud/yaook/ssl-terminator:1.2.116
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /.yaook.cloud/ssl-terminator-healthcheck
            port: 9293
            scheme: HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: ssl-terminator-external
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /
            port: 9293
            scheme: HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /config
          name: ssl-terminator-external-config
        - mountPath: /data
          name: tls-secret-external
        - mountPath: /etc/ssl/certs/ca-certificates.crt
          name: ca-certs
          subPath: ca-bundle.crt
      - args:
        - /data/
        env:
        - name: YAOOK_SERVICE_RELOAD_MODULE
          value: traefik
        image: registry.yaook.cloud/yaook/service-reload:1.0.102
        imagePullPolicy: IfNotPresent
        name: service-reload
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /config
          name: ssl-terminator-config
        - mountPath: /data
          name: tls-secret
      - args:
        - /data/
        env:
        - name: YAOOK_SERVICE_RELOAD_MODULE
          value: traefik
        image: registry.yaook.cloud/yaook/service-reload:1.0.102
        imagePullPolicy: IfNotPresent
        name: service-reload-external
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /config
          name: ssl-terminator-external-config
        - mountPath: /data
          name: tls-secret-external
      dnsPolicy: ClusterFirst
      enableServiceLinks: false
```
```yaml
apiVersion: openstack.k-orc.cloud/v1alpha1
kind: Image
metadata:
  name: cirros
  namespace: orc-system
spec:
  cloudCredentialsRef:
    cloudName: local-admin
    secretName: openstack-clouds
  resource:
    name: cirros
    protected: false
    properties:
      architecture: x86_64
    content:
      diskFormat: raw
      download:
        url: https://download.cirros-cloud.net/0.6.3/cirros-0.6.3-x86_64-disk.img
```
```yaml
apiVersion: openstack.k-orc.cloud/v1alpha1
kind: Flavor
metadata:
  name: test-flavor
  namespace: orc-system
spec:
  cloudCredentialsRef:
    cloudName: local-admin
    secretName: openstack-clouds
  resource:
    name: armin-1234-flavor
    ram: 4123
    vcpus: 2
    disk: 50
    isPublic: true
```
First Impressions
- Wiring Keystone authentication needs some plumbing
- General Keystone connectivity was achieved