Skip to main content
Version: latest

Deploy to OpenStack

This guide provides you with the steps to deploy a PCG cluster to an OpenStack environment. Before you begin the installation, carefully review the Prerequisites section.

Prerequisites

  • Palette version 4.0.X or greater.

  • A Palette API key. Refer to the Create API Key page for guidance.

    warning

    The installation does not work with Single Sign-On (SSO) credentials. You must use an API key from a local tenant admin account in Palette to deploy the PCG. After the PCG is configured and functioning, this local account is no longer used to keep the PCG connected to Palette, so you can deactivate the account if desired.

  • Download and install the Palette CLI from the Downloads page. Refer to the Palette CLI Install guide to learn more.

The following system requirements must be met to install a PCG in OpenStack:

  • PCG IP address requirements:

    • One IP address for a single-node PCG or three IP addresses for a three-node PCG. Refer to the PCG Sizing section for more information on sizing.
    • One IP address reserved for cluster repave operations.
    • One IP address for the Virtual IP (VIP).
    • DNS can resolve the domain api.spectrocloud.com.
  • An x86 Linux environment with a Docker daemon installed and a connection to Palette and the OpenStack endpoint. The Palette CLI installation must be invoked on an up-to-date Linux system with the x86-64 architecture.

  • An Open Stack SSH Key Pair. Refer to the Configure access and security for instances guide to learn how to create an SSH key pair.

  • An OpenStack user account with the required permissions to deploy the PCG. Review the OpenStack Cloud Account Permissions section to learn more about the required permissions.

OpenStack Cloud Account Permissions

The following permissions are required to deploy a PCG to OpenStack and for Palette to register an OpenStack account.

"volume:attachment_update": "rule:admin_or_owner"
"volume:attachment_delete": "rule:admin_or_owner"
"volume:attachment_complete": "rule:admin_or_owner"
"volume:multiattach_bootable_volume": "rule:admin_or_owner"
"message:get_all": "rule:admin_or_owner"
"message:get": "rule:admin_or_owner"
"message:delete": "rule:admin_or_owner"
"volume:get_snapshot_metadata": "rule:admin_or_owner"
"volume:update_snapshot_metadata": "rule:admin_or_owner"
"volume:delete_snapshot_metadata": "rule:admin_or_owner"
"volume:get_all_snapshots": "rule:admin_or_owner"
"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"
"volume:create_snapshot": "rule:admin_or_owner"
"volume:get_snapshot": "rule:admin_or_owner"
"volume:update_snapshot": "rule:admin_or_owner"
"volume:delete_snapshot": "rule:admin_or_owner"
"backup:get_all": "rule:admin_or_owner"
"backup:get": "rule:admin_or_owner"
"backup:update": "rule:admin_or_owner"
"backup:delete": "rule:admin_or_owner"
"backup:restore": "rule:admin_or_owner"
"group:get_all": "rule:admin_or_owner"
"group:get": "rule:admin_or_owner"
"group:update": "rule:admin_or_owner"
"group:get_all_group_snapshots": "rule:admin_or_owner"
"group:get_group_snapshot": "rule:admin_or_owner"
"group:delete_group_snapshot": "rule:admin_or_owner"
"group:update_group_snapshot": "rule:admin_or_owner"
"group:reset_group_snapshot_status": "rule:admin_or_owner"
"group:delete": "rule:admin_or_owner"
"group:enable_replication": "rule:admin_or_owner"
"group:disable_replication": "rule:admin_or_owner"
"group:failover_replication": "rule:admin_or_owner"
"group:list_replication_targets": "rule:admin_or_owner"
"volume_extension:quotas:show": "rule:admin_or_owner"
"limits_extension:used_limits": "rule:admin_or_owner"
"volume_extension:volume_type_access": "rule:admin_or_owner"
"volume:extend": "rule:admin_or_owner"
"volume:extend_attached_volume": "rule:admin_or_owner"
"volume:revert_to_snapshot": "rule:admin_or_owner"
"volume:retype": "rule:admin_or_owner"
"volume:update_readonly_flag": "rule:admin_or_owner"
"volume_extension:volume_actions:upload_image": "rule:admin_or_owner"
"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner"
"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner"
"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner"
"volume_extension:volume_actions:reserve": "rule:admin_or_owner"
"volume_extension:volume_actions:unreserve": "rule:admin_or_owner"
"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner"
"volume_extension:volume_actions:attach": "rule:admin_or_owner"
"volume_extension:volume_actions:detach": "rule:admin_or_owner"
"volume:get_all_transfers": "rule:admin_or_owner"
"volume:create_transfer": "rule:admin_or_owner"
"volume:get_transfer": "rule:admin_or_owner"
"volume:delete_transfer": "rule:admin_or_owner"
"volume:get_volume_metadata": "rule:admin_or_owner"
"volume:create_volume_metadata": "rule:admin_or_owner"
"volume:update_volume_metadata": "rule:admin_or_owner"
"volume:delete_volume_metadata": "rule:admin_or_owner"
"volume_extension:volume_image_metadata": "rule:admin_or_owner"
"volume:get": "rule:admin_or_owner"
"volume:get_all": "rule:admin_or_owner"
"volume:update": "rule:admin_or_owner"
"volume:delete": "rule:admin_or_owner"
"volume_extension:volume_tenant_attribute": "rule:admin_or_owner"
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
"volume:multiattach": "rule:admin_or_owner"

Deploy PCG

  1. In an x86 Linux host with the Palette CLI installed, open up a terminal session.

  2. Issue the following command to authenticate with Palette. When prompted, enter the required information. Refer to the table below for information about each parameter.

    palette login
    ParameterDescription
    Spectro Cloud ConsoleEnter the Palette endpoint URL. When using the Palette SaaS service, enter https://console.spectrocloud.com. When using a self-hosted instance of Palette, enter the URL for that instance.
    Allow Insecure ConnectionEnabling this option bypasses x509 server Certificate Authority (CA) verification. Enter y if you are using a self-hosted Palette or VerteX instance with self-signed TLS certificates and need to provide a file path to the instance CA. Otherwise, enter n.
    Spectro Cloud API KeyEnter your Palette API Key. Refer to the Create API Key guide to create an API key.
    Spectro Cloud OrganizationSelect your Palette Organization name.
    Spectro Cloud ProjectSelect the project you want to register the OpenStack account in.
    AcknowledgeAccept the login banner message. Login banner messages are only displayed if the tenant admin enabled a login banner.
    info

    The CloudAccount.apiKey and Mgmt.apiKey values in the pcg.yaml file are encrypted and cannot be manually updated. To change these values, use the palette pcg install --update-passwords command. Refer to the PCG command reference page for more information.

  3. Once you have authenticated successfully, start the PCG installer by issuing the following command. Refer to the table below for information about each parameter.

    palette pcg install
    ParameterDescription
    Management Plane TypeSelect Palette or VerteX.
    Enable Ubuntu Pro (required for production)Enter y if you want to use Ubuntu Pro and provide an Ubuntu Pro token. Otherwise press n.
    Select an image registry typeFor a non-airgap installation, choose Default to pull images from public image registries. This requires an internet connection. For an airgap installation, select Custom and point to our airgap support VM or a custom internal registry that contains the required images.
    Share PCG Cloud Account across platform ProjectsEnter y if you want the Cloud Account associated with the PCG to be available from all projects within your organization. Enter n if you want the Cloud Account to only be available at the tenant admin scope.
    Cloud TypeSelect OpenStack.
    Private Cloud Gateway NameEnter a custom name for the PCG. Example: openstack-pcg-1.
    Share PCG Cloud Account across platform ProjectsEnter y if you want the Cloud account associated with the PCG to be available from all projects within your organization. Enter n if you want the Cloud Account to only be available at the tenant admin scope.
  4. Next, provide environment configurations for the cluster. Refer to the following table for information about each option.

    ParameterDescription
    HTTPS ProxyLeave this blank unless you are using an HTTPS Proxy. This setting will be propagated to all PCG nodes and all of its cluster nodes. Example: https://USERNAME:PASSWORD@PROXYIP:PROXYPORT.
    HTTP ProxyLeave this blank unless you are using an HTTP Proxy. This setting will be propagated to all PCG nodes and all of its cluster nodes. Example: http://USERNAME:PASSWORD@PROXYIP:PROXYPORT.
    No ProxyProvide a list of local network CIDR addresses, hostnames, and domain names that should be excluded from being a proxy. This setting will be propagated to all the nodes to bypass the proxy server. Example for a self-hosted environment: my.company.com,10.10.0.0/16.
    Proxy CA Certificate FilepathThe default is blank. You can provide the file path of a CA certificate on the installer host. If provided, this CA certificate will be copied to each host in the PCG cluster during deployment. The provided path will be used on the PCG cluster hosts. Example: /usr/local/share/ca-certificates/ca.crt.
    Pod CIDREnter the CIDR pool that will be used to assign IP addresses to pods in the PCG cluster. The pod IP addresses should be unique and not overlap with any machine IPs in the environment.
    Service IP RangeEnter the IP address range that will be used to assign IP addresses to services in the PCG cluster. The service IP addresses should be unique and not overlap with any machine IPs in the environment.
  5. If you selected Custom for the image registry type, you will be prompted to provide the following information.

    ParameterDescription
    Registry NameAssign a name to the custom registry.
    Registry EndpointThe endpoint or IP address for the custom registry. Example: https://palette.example.com or https://10.10.1.0.
    Registry Base Content PathThe base content path for the custom registry. Example: spectro-images.
    Configure Registry MirrorYour system default text editor, such as Vi, will open up and allow you to customize the default mirror registry settings. Add any additional registry mirrors you want to add. Otherwise, press Esc and then :wq to save and exit the file.
    Allow Insecure Connection (Bypass x509 Verification)Enabling this option bypasses x509 CA verification. Enter n if using a custom registry with self-signed SSL certificates. Otherwise, enter y. If you enter y, you will receive a follow-up prompt asking you to provide the file path to the CA certificate.
    Registry CA certificate FilepathThe CA certificate for the custom registry. This is optional. Provide the file path of the CA certificate on the installer host. Example: /usr/local/share/ca-certificates/ca.crt.
    Registry UsernameThe username for the custom registry.
    PasswordThe password for the custom registry.
  6. Next, provide the OpenStack environment configurations. Refer to the following table for information about each option.

    ParameterDescription
    OpenStack Identity EndpointOpenStack Identity endpoint. Domain or IP address. Example: https://openstack.mycompany.com/identity.
    OpenStack Account UsernameOpenStack account username.
    OpenStack Account PasswordOpenStack account password.
    Allow Insecure ConnectionEnabling this option bypasses x509 verification. Enter y if you are using an OpenStack instance with self-signed TLS certificates. Otherwise, enter n.
    CA certificate FilepathThe CA certificate for the OpenStack environment. This is optional. Provide the file path of the CA certificate on the installer host. Example: /usr/local/share/ca-certificates/ca.crt.
    Default DomainThe default domain for the OpenStack environment.
    Default RegionThe default region for the OpenStack environment.
    Default ProjectThe default project for the OpenStack environment.

    After providing the OpenStack environment configurations and credentials, the Palette CLI will query the OpenStack environment to validate the credentials. If the credentials are valid, the installation process will continue. If the credentials are invalid, you will be prompted to re-enter the credentials.

  7. After the OpenStack environment configurations are validated, you will be prompted for additional OpenStack configuration values. Use the following table to learn more about each option.

    ParameterDescription
    DomainSelect the domain you want to target for the PCG deployment. Example: Default.
    RegionSelect a region for the PCG deployment.
    ProjectSpecify an OpenStack project to place the PCG cluster in.
    Placement TypePlacement can be static or dynamic. For static placement, cluster nodes are placed into existing networks. For dynamic placement, a new network is created.
    NetworkSelect an existing network. This is only required for static placement.
    SubnetSelect an existing subnet. This is only required for static placement.
    DNS Server(s)Enter a comma-separated list of DNS server IPs. This is only required for dynamic placement.
    Node CIDREnter a node CIDR. This is only required for dynamic placement. Example: 10.55.0.0/24.
    SSH Public KeyProvide the public OpenSSH key for the PCG cluster. Use this key when establishing an SSH connection with the PCG cluster. This prompt will result in the default text editor for the Operating System to open. Vi is the more common text editor used in Linux environments.
    Patch OS on bootThis parameter indicates whether or not to patch the OS of the PCG hosts on the first boot.
    Reboot nodes once OS patch is appliedThis parameter indicates whether or not to reboot PCG nodes after OS patches are complete. This only applies if the Patch OS on boot parameter is enabled.
    AZsSelect the availability zones for the PCG cluster.
    FlavorSpecify the OpenStack Flavor for the PCG nodes.
    Number of NodesSpecify the number of nodes for the PCG cluster. We recommend three-node clusters for production workloads.
    Node AffinityEnter y to schedule all Palette pods on the control plane node.
  8. A new PCG configuration file is generated, and its location is displayed on the console. You will receive an output similar to the following.

    ==== PCG config saved ====
    Location: :/home/demo/.palette/pcg/pcg-20230706150945/pcg.yaml

    The Palette CLI will now provision a PCG cluster in your OpenStack environment. You can monitor the progress of the PCG cluster by navigating to Palette and selecting Tenant Settings from the left Main Menu. Next, click on Private Cloud Gateways from the left Tenant Settings Menu and select the PCG cluster you just deployed to access its details page. From the details page, select the Events tab to view the progress of the PCG cluster deployment.

    If you encounter issues during the installation, refer to the PCG Troubleshooting guide for debugging assistance. If you need additional help, reach out to our Customer Support team.

    warning

    You cannot modify a deployed PCG cluster. If you need to make changes to the PCG cluster, you must first delete the cluster and redeploy it. We recommend you save your PCG configuration file for future use. Use the --config-only flag to save the configuration file without deploying the PCG cluster. Refer to the Generate a Configuration File section to learn more. For additional assistance, visit our Customer Support portal.

  9. To avoid potential vulnerabilities, once the installation is complete, remove the kind images that were installed in the environment where you initiated the installation.

    Issue the following command to list all instances of kind that exist in the environment.

    docker images
    REPOSITORY     TAG        IMAGE ID       CREATED        SIZE
    kindest/node v1.26.13 131ad18222cc 5 months ago 910MB

    Then, use the following command template to remove all instances of kind.

    docker image rm kindest/node:<version>

    Consider the following example for reference.

    docker image rm kindest/node:v1.26.13
    Untagged: kindest/node:v1.26.13
    Untagged: kindest/node@sha256:15ae92d507b7d4aec6e8920d358fc63d3b980493db191d7327541fbaaed1f789
    Deleted: sha256:131ad18222ccb05561b73e86bb09ac3cd6475bb6c36a7f14501067cba2eec785
    Deleted: sha256:85a1a4dfc468cfeca99e359b74231e47aedb007a206d0e2cae2f8290e7290cfd

Validate

Once installed, the PCG registers itself with Palette. To verify the PCG is registered, use the following steps.

  1. Log in to Palette as a tenant admin.

  2. Navigate to the left Main Menu and select Tenant Settings.

  3. From the Tenant Settings Menu, click on Private Cloud Gateways. Verify your PCG cluster is available from the list of PCG clusters displayed and that its Status is healthy.

  4. Navigate to the left Tenant Settings Menu and select Cloud Accounts.

  5. Verify a new OpenStack cloud account is available from the list of cloud accounts displayed.

Next Steps

After you have successfully deployed the PCG into your OpenStack environment, you can now deploy Kubernetes clusters in your OpenStack environment through Palette. Check out the Deploying an OpenStack Cluster guide to learn how to deploy a Kubernetes cluster in OpenStack that is managed by Palette.