User:BryanDavis/OpenStack
Some things that may be handy when playing with the Wikimedia OpenStack deployment.
Join/leave a project
Horizon seems to be better these days at letting my admin credential take action in an arbitrary project. I used to use these scripts quite a bit to jump into and out of a project as I was debugging things for folks.
#!/usr/bin/env bash
set -euo pipefail
PROJECT=${1:?Project name required}
USER=${2:-bd808}
sudo wmcs-openstack role add --user "$USER" --project "$PROJECT" reader
sudo wmcs-openstack role add --user "$USER" --project "$PROJECT" member

#!/usr/bin/env bash
set -euo pipefail
PROJECT=${1:?Project name required}
USER=${2:-bd808}
sudo wmcs-openstack role remove --user "$USER" --project "$PROJECT" member
sudo wmcs-openstack role remove --user "$USER" --project "$PROJECT" reader
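The two scripts above combined into one wrapper, as an added example that is not part of the original page: it grants the same reader and member roles, runs one command, and removes whatever was granted even if that command fails or is interrupted. The function name with_project_roles is hypothetical; the role commands are the ones the scripts above already run.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. with_project_roles is a
# hypothetical name; the wmcs-openstack role commands are the same ones the
# join/leave scripts run.
#
# Usage: with_project_roles PROJECT USER COMMAND [ARGS...]
with_project_roles() (
    # The whole body is a subshell, so the traps and variables stay local and
    # the EXIT trap fires however the body ends.
    project=${1:?Project name required}
    user=${2:?User name required}
    shift 2
    [ "$#" -gt 0 ] || { echo "command required" >&2; exit 2; }

    granted=""
    drop_roles() {
        # Newest grant first: member is removed before reader, matching the
        # order of the leave script.
        for role in $granted; do
            sudo wmcs-openstack role remove --user "$user" --project "$project" "$role" ||
                echo "WARNING: $user may still hold $role in $project" >&2
        done
        granted=""
    }
    trap drop_roles EXIT
    # Turn signals into a normal exit so the EXIT trap still runs.
    trap 'exit 130' INT
    trap 'exit 143' TERM

    for role in reader member; do
        # Stop at the first failed grant; only roles recorded below are removed.
        sudo wmcs-openstack role add --user "$user" --project "$project" "$role" || exit 1
        granted="$role $granted"
    done

    # Run the debugging command; its exit status becomes the function's status.
    "$@"
)
```

The wrapper does not check existing assignments, so a user who already held reader or member in the project before the call loses that role during cleanup.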
API access with curl
openstack token issue will give you a bearer token to authenticate to the various APIs. This includes some of our custom APIs like the Puppet external node classifier (ENC) that manages hiera settings for Cloud VPS projects.
$ OS_TOKEN=$(openstack token issue -f yaml | yq .id)
$ curl -XDELETE -H "Accept: application/json" -H "X-Auth-Token: $OS_TOKEN" https://puppet-enc.cloudinfra.wmcloud.org/v1/c26d9d326bdf464fa1025939ded7e5a2/prefix/_
Magnum
Magnum is a cluster provisioning service that is mostly used to build Kubernetes clusters. I first did a tech spike with the service in phab:T372498. This was also my first tech spike with OpenTofu. Pretty neat stuff on both counts.
The automation in Magnum will set up several components from https://github.com/kubernetes/cloud-provider-openstack for you:
- Keystone auth integration comes with pre-defined RBAC policies for users with the k8s_admin, k8s_developer, and k8s_viewer roles. These roles can be assigned by a member with the admin role in the project via the cli tools or OpenTofu automation.
- The Cinder CSI plugin is deployed with configuration that dynamically allocates Cinder volumes to fulfill PersistentVolumeClaim requests.