openstack-k8s-operators · vakwetu · Mar 10, 2026
diff --git a/playbooks/skmo/configure-leaf-listener.yaml b/playbooks/skmo/configure-leaf-listener.yaml
@@ -0,0 +1,27 @@
+---
+- name: Patch leaf control plane with barbican-keystone-listener transport URL
+  hosts: localhost
+  gather_facts: false
+  vars:
+    central_namespace: openstack
+    leaf_namespace: openstack2
+    leaf_transport_url_name: rabbitmq-transport-url-barbican-keystone-listener-regiontwo
+  tasks:
+    - name: Extract transport_url from generated secret
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc get secret {{ leaf_transport_url_name }} -n {{ central_namespace }} \
+          -o jsonpath='{.data.transport_url}' | base64 -d
+      args:
+        executable: /bin/bash
+      register: leaf_notifications_transport_url
+      changed_when: false
+
+    - name: Patch OpenStackControlPlane in leaf region with notifications transport_url
+      ansible.builtin.shell: |
+        set -euo pipefail
+        transport_url="{{ leaf_notifications_transport_url.stdout }}"
+        oc patch openstackcontrolplane controlplane -n {{ leaf_namespace }} --type merge \
+          -p "{\"spec\":{\"barbican\":{\"template\":{\"barbicanKeystoneListener\":{\"customServiceConfig\":\"[DEFAULT]\\ntransport_url = ${transport_url}\\n[keystone_notifications]\\npool_name = barbican-listener-regionTwo\\n\"}}}}}"
+      args:
+        executable: /bin/bash
diff --git a/playbooks/skmo/ensure-central-ca-bundle.yaml b/playbooks/skmo/ensure-central-ca-bundle.yaml
@@ -0,0 +1,28 @@
+---
+- name: Ensure central control plane uses custom CA bundle
+  hosts: localhost
+  gather_facts: false
+  vars:
+    central_namespace: openstack
+    controlplane_name: controlplane
+    ca_bundle_secret_name: custom-ca-certs
+  tasks:
+    - name: Check current caBundleSecretName
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc -n {{ central_namespace }} get osctlplane {{ controlplane_name }} \
+          -o jsonpath='{.spec.tls.caBundleSecretName}'
+      args:
+        executable: /bin/bash
+      register: ca_bundle_name
+      changed_when: false
+      failed_when: false
+
+    - name: Patch control plane to use custom CA bundle when unset
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc -n {{ central_namespace }} patch osctlplane {{ controlplane_name }} \
+          --type json -p '[{"op":"add","path":"/spec/tls","value":{}},{"op":"add","path":"/spec/tls/caBundleSecretName","value":"{{ ca_bundle_secret_name }}"}]'
+      args:
+        executable: /bin/bash
+      when: ca_bundle_name.stdout | trim == ""
diff --git a/playbooks/skmo/prepare-leaf.yaml b/playbooks/skmo/prepare-leaf.yaml
@@ -0,0 +1,208 @@
+---
+- name: Prepare SKMO leaf prerequisites in regionZero
+  hosts: localhost
+  gather_facts: false
+  vars:
+    skmo_values_file: "{{ cifmw_architecture_repo }}/examples/va/multi-namespace-skmo/control-plane2/skmo-values.yaml"
+    osp_secrets_env_file: "{{ cifmw_architecture_repo }}/lib/control-plane/base/osp-secrets.env"
+    central_namespace: openstack
+    leaf_namespace: openstack2
+    leaf_secret_name: osp-secret
+    central_rootca_secret: rootca-public
+    central_rootca_internal_secret: rootca-internal
+    leaf_transport_url_name: barbican-keystone-listener-regiontwo
+    leaf_transport_url_name_secret: rabbitmq-transport-url-barbican-keystone-listener-regiontwo
+    leaf_transport_url_secret_copy: barbican-keystone-listener-regiontwo-transport
+  tasks:
+    - name: Wait for central Keystone API to be ready
+      kubernetes.core.k8s_info:
+        api_version: keystone.openstack.org/v1beta1
+        kind: KeystoneAPI
+        namespace: "{{ central_namespace }}"
+      register: _keystoneapi_info
+      retries: 60
+      delay: 10
+      until:
+        - _keystoneapi_info.resources | length > 0
+        - _keystoneapi_info.resources[0].status.conditions is defined
+        - _keystoneapi_info.resources[0].status.conditions |
+          selectattr('type', 'equalto', 'Ready') |
+          selectattr('status', 'equalto', 'True') | list | length > 0
+
+    - name: Wait for openstackclient pod to be ready in central region
+      kubernetes.core.k8s_info:
+        api_version: v1
+        kind: Pod
+        namespace: "{{ central_namespace }}"
+        name: openstackclient
+      register: _osc_pod_info
+      retries: 30
+      delay: 10
+      until:
+        - _osc_pod_info.resources | length > 0
+        - _osc_pod_info.resources[0].status.conditions is defined
+        - _osc_pod_info.resources[0].status.conditions |
+          selectattr('type', 'equalto', 'Ready') |
+          selectattr('status', 'equalto', 'True') | list | length > 0
+
+    - name: Load SKMO values
+      ansible.builtin.set_fact:
+        skmo_values: "{{ lookup('file', skmo_values_file) | from_yaml }}"
+
+    - name: Set SKMO leaf facts
+      ansible.builtin.set_fact:
+        leaf_region: "{{ skmo_values.data.leafRegion }}"
+        leaf_admin_user: "{{ skmo_values.data.leafAdminUser }}"
+        leaf_admin_project: "{{ skmo_values.data.leafAdminProject }}"
+        leaf_admin_password_key: "{{ skmo_values.data.leafAdminPasswordKey }}"
+        keystone_internal_url: "{{ skmo_values.data.keystoneInternalURL }}"
+        keystone_public_url: "{{ skmo_values.data.keystonePublicURL }}"
+        ca_bundle_secret_name: "{{ skmo_values.data.leafCaBundleSecretName }}"
+
+    - name: Ensure leaf osp-secret exists (pre-create from env file)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        if ! oc -n {{ leaf_namespace }} get secret {{ leaf_secret_name }} >/dev/null 2>&1; then
+          oc -n {{ leaf_namespace }} create secret generic {{ leaf_secret_name }} \
+            --from-env-file="{{ osp_secrets_env_file }}" \
+            --dry-run=client -o yaml | oc apply -f -
+        fi
+      args:
+        executable: /bin/bash
+
+    - name: Read leaf admin password from leaf secret
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc -n {{ leaf_namespace }} get secret {{ leaf_secret_name }} \
+          -o jsonpath='{.data.{{ leaf_admin_password_key }}}' | base64 -d
+      args:
+        executable: /bin/bash
+      register: leaf_admin_password
+      changed_when: false
+
+    - name: Ensure leaf region exists in central Keystone
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc -n {{ central_namespace }} rsh openstackclient \
+          openstack region show {{ leaf_region }} >/dev/null 2>&1 || \
+        oc -n {{ central_namespace }} rsh openstackclient \
+          openstack region create {{ leaf_region }}
+      args:
+        executable: /bin/bash
+
+    - name: Ensure keystone catalog endpoints exist for leaf region
+      ansible.builtin.shell: |
+        set -euo pipefail
+        if ! oc -n {{ central_namespace }} rsh openstackclient \
+          openstack endpoint list --service keystone --interface public --region {{ leaf_region }} \
+          -f value -c ID | head -1 | grep -q .; then
+          oc -n {{ central_namespace }} rsh openstackclient \
+            openstack endpoint create --region {{ leaf_region }} identity public "{{ keystone_public_url }}"
+        fi
+        if ! oc -n {{ central_namespace }} rsh openstackclient \
+          openstack endpoint list --service keystone --interface internal --region {{ leaf_region }} \
+          -f value -c ID | head -1 | grep -q .; then
+          oc -n {{ central_namespace }} rsh openstackclient \
+            openstack endpoint create --region {{ leaf_region }} identity internal "{{ keystone_internal_url }}"
+        fi
+      args:
+        executable: /bin/bash
+
+    - name: Ensure leaf admin project exists in central Keystone
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc -n {{ central_namespace }} rsh openstackclient \
+          openstack project show {{ leaf_admin_project }} >/dev/null 2>&1 || \
+        oc -n {{ central_namespace }} rsh openstackclient \
+          openstack project create {{ leaf_admin_project }}
+      args:
+        executable: /bin/bash
+
+    - name: Ensure leaf admin user exists and has admin role
+      ansible.builtin.shell: |
+        set -euo pipefail
+        if ! oc -n {{ central_namespace }} rsh openstackclient \
+          openstack user show {{ leaf_admin_user }} >/dev/null 2>&1; then
+          oc -n {{ central_namespace }} rsh openstackclient \
+            openstack user create --domain Default --password "{{ leaf_admin_password.stdout | trim }}" {{ leaf_admin_user }}
+        fi
+        oc -n {{ central_namespace }} rsh openstackclient \
+          openstack role add --project {{ leaf_admin_project }} --user {{ leaf_admin_user }} admin
+      args:
+        executable: /bin/bash
+
+    - name: Create or append leaf CA bundle secret
+      ansible.builtin.shell: |
+        set -euo pipefail
+        tmpdir="$(mktemp -d)"
+        export TMPDIR="${tmpdir}"
+
+        if oc -n {{ leaf_namespace }} get secret {{ ca_bundle_secret_name }} \
+          >/dev/null 2>&1; then
+          oc -n {{ leaf_namespace }} get secret {{ ca_bundle_secret_name }} \
+            -o json | python3 -c '
+        import base64, json, os, sys
+        tmpdir = os.environ.get("TMPDIR")
+        data = json.load(sys.stdin).get("data", {})
+        for key, value in data.items():
+            path = os.path.join(tmpdir, key)
+            with open(path, "wb") as f:
+                f.write(base64.b64decode(value))
+        '
+        fi
+
+        oc -n {{ central_namespace }} get secret {{ central_rootca_secret }} \
+          -o jsonpath='{.data.tls\.crt}' | base64 -d \
+          > "${tmpdir}/skmo-central-rootca.crt"
+
+        oc -n {{ central_namespace }} get secret {{ central_rootca_internal_secret }} \
+          -o jsonpath='{.data.tls\.crt}' | base64 -d \
+          > "${tmpdir}/skmo-central-rootca-internal.crt"
+
+        oc -n {{ leaf_namespace }} create secret generic \
+          {{ ca_bundle_secret_name }} \
+          --from-file="${tmpdir}" \
+          --dry-run=client -o yaml | oc apply -f -
+
+        rm -rf "${tmpdir}"
+      args:
+        executable: /bin/bash
+
+    - name: Create TransportURL CR in central region for leaf listener
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc apply -f - <<EOF
+        apiVersion: rabbitmq.openstack.org/v1beta1
+        kind: TransportURL
+        metadata:
+          name: {{ leaf_transport_url_name }}
+          namespace: {{ central_namespace }}
+        spec:
+          rabbitmqClusterName: rabbitmq
+        EOF
+      args:
+        executable: /bin/bash
+
+    - name: Wait for TransportURL to be ready
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc wait transporturl {{ leaf_transport_url_name }} \
+          -n {{ central_namespace }} \
+          --for=condition=Ready --timeout=120s
+      args:
+        executable: /bin/bash
+
+    - name: Copy transport URL secret to leaf namespace
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc get secret {{ leaf_transport_url_name_secret }} -n {{ central_namespace }} -o json \
+          | python3 -c '
+        import json, sys
+        secret = json.load(sys.stdin)
+        for key in ["namespace", "uid", "resourceVersion", "creationTimestamp", "ownerReferences", "managedFields"]:
+            secret.get("metadata", {}).pop(key, None)
+        secret["metadata"]["name"] = "{{ leaf_transport_url_secret_copy }}"
+        json.dump(secret, sys.stdout)
+        ' | oc apply -n {{ leaf_namespace }} -f -
+      args:
+        executable: /bin/bash
diff --git a/playbooks/skmo/trust-leaf-ca.yaml b/playbooks/skmo/trust-leaf-ca.yaml
@@ -0,0 +1,55 @@
+---
+- name: Trust SKMO leaf CA in central region
+  hosts: localhost
+  gather_facts: false
+  vars:
+    skmo_values_file: "{{ cifmw_architecture_repo }}/examples/va/multi-namespace-skmo/control-plane2/skmo-values.yaml"
+    central_namespace: openstack
+    leaf_namespace: openstack2
+    leaf_rootca_secret: rootca-public
+    leaf_rootca_internal_secret: rootca-internal
+  tasks:
+    - name: Load SKMO values
+      ansible.builtin.set_fact:
+        skmo_values: "{{ lookup('file', skmo_values_file) | from_yaml }}"
+
+    - name: Set central CA bundle secret name
+      ansible.builtin.set_fact:
+        central_ca_bundle_secret_name: "{{ skmo_values.data.centralCaBundleSecretName }}"
+
+    - name: Create or append central CA bundle secret
+      ansible.builtin.shell: |
+        set -euo pipefail
+        tmpdir="$(mktemp -d)"
+        export TMPDIR="${tmpdir}"
+
+        if oc -n {{ central_namespace }} get secret \
+          {{ central_ca_bundle_secret_name }} >/dev/null 2>&1; then
+          oc -n {{ central_namespace }} get secret \
+            {{ central_ca_bundle_secret_name }} -o json | python3 -c '
+        import base64, json, os, sys
+        tmpdir = os.environ.get("TMPDIR")
+        data = json.load(sys.stdin).get("data", {})
+        for key, value in data.items():
+            path = os.path.join(tmpdir, key)
+            with open(path, "wb") as f:
+                f.write(base64.b64decode(value))
+        '
+        fi
+
+        oc -n {{ leaf_namespace }} get secret {{ leaf_rootca_secret }} \
+          -o jsonpath='{.data.tls\.crt}' | base64 -d \
+          > "${tmpdir}/skmo-leaf-rootca.crt"
+
+        oc -n {{ leaf_namespace }} get secret {{ leaf_rootca_internal_secret }} \
+          -o jsonpath='{.data.tls\.crt}' | base64 -d \
+          > "${tmpdir}/skmo-leaf-rootca-internal.crt"
+
+        oc -n {{ central_namespace }} create secret generic \
+          {{ central_ca_bundle_secret_name }} \
+          --from-file="${tmpdir}" \
+          --dry-run=client -o yaml | oc apply -f -
+
+        rm -rf "${tmpdir}"
+      args:
+        executable: /bin/bash
diff --git a/roles/ci_gen_kustomize_values/templates/multi-namespace-skmo b/roles/ci_gen_kustomize_values/templates/multi-namespace-skmo
@@ -0,0 +1 @@
+multi-namespace