Installation with the CBIS extension

Overview

Use this procedure to install the CBIS extension for the ML2 plugin.

The EDA ML2 plugin creates a ConnectPlugin within the Connect Service using the name of the CBIS Cloud deployment, as provisioned at installation time. Make sure that no ConnectPlugin with that name already exists before the CBIS deployment.

Preparation

Create a Service Account

The EDA Connect OpenStack Plugin uses a ServiceAccount in the EDA Kubernetes cluster to create the necessary resources in the EDA cluster for the integration to properly work.

To create a service account in the EDA Kubernetes cluster, the following resource can be used.

Service Account and Cluster Role Binding manifest

This service account must be created in the eda-system namespace.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openstack-plugin
  namespace: eda-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openstack-plugin
subjects:
- kind: ServiceAccount
  name: openstack-plugin
  namespace: eda-system
roleRef:
  kind: ClusterRole
  # This cluster role is assumed to be already installed by connect app.
  name: eda-connect-plugin-cluster-role
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f - <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openstack-plugin
  namespace: eda-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openstack-plugin
subjects:
- kind: ServiceAccount
  name: openstack-plugin
  namespace: eda-system
roleRef:
  kind: ClusterRole
  # This cluster role is assumed to be already installed by connect app.
  name: eda-connect-plugin-cluster-role
  apiGroup: rbac.authorization.k8s.io

EOF

Create a Service Account Token

From the above Service Account, we need to create a Service Account Token which can be used by the plugin to connect to the EDA Kubernetes cluster. This can be done with the below manifest, which should be applied on the EDA Kubernetes cluster.

Service Account Token Manifest
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: openstack-plugin
  namespace: eda-system
  annotations:
    kubernetes.io/service-account.name: openstack-plugin

kubectl apply -f - <<EOF
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: openstack-plugin
  namespace: eda-system
  annotations:
    kubernetes.io/service-account.name: openstack-plugin

EOF

After creating the Service Account Token, you can retrieve the bearer token and CA certificate using the following commands against the eda-system namespace. This token must be provided to the plugin during deployment.

kubectl get secrets/openstack-plugin -n eda-system --template='{{.data.token}}' | base64 --decode
kubectl get secrets/openstack-plugin -n eda-system --template='{{index .data "ca.crt"}}' | base64 --decode

Service Account naming

When using the OpenStack plugin in production, it is advised to create a service account per plugin. This way tokens can be revoked on a per-plugin basis.

Procedure

Step 1 - Extract tarball

Untar the integration tarball and put the extracted content under /root/cbis-extensions inside the CBIS Manager VM.

This creates the /root/cbis-extensions/eda_connect folder.

Step 2 - Refresh the CBIS manager UI

The CBIS Manager should now detect /root/cbis-extensions/eda_connect as an SDN extension.

Step 3 - Add the extension configuration on CBIS manager UI

Choose a unique name for each cloud. If there is another cloud name registered to the same EDA environment, the CBIS deployment fails before undercloud deployment. An error message indicates that a ConnectPlugin exists with the same name.

Step 4 - Enter the EDA environment details

CBIS cloud extension environment details

The Connect OpenStack plugin communicates with EDA using the Kubernetes API.

  • EDA Connect service API URI: URI of the Kubernetes API hosting EDA. This can be found in the kubeconfig file for your cluster.
  • EDA plugin namespace: The namespace in which the nodes for this cloud are deployed.
  • API Bearer Token: The bearer token needed to communicate with the Kubernetes API. This can be extracted from the service account token created in a previous step.
  • EDA Server CA Certificate: The self-signed CA certificate of the Kubernetes API. This can be extracted from the service account token created in a previous step.
  • Nic-Mapping provisioning: Allow manual creation of nic-mapping entries.

Updating the Bearer token after installation

When the Bearer token needs to be updated after installation, use the following procedure:

Step 1 - Update the plugin.ini file with the new token

The configuration file can be found at /etc/neutron/plugins/ml2/ml2_conf_eda_connect.ini:

[ml2_eda_connect]
# Api host of the Connect service
#api_host = None
# Api bearer authentication token
api_token = <new api token>
# CA certificate file
ca_cert_path = /opt/stack/data/eda.pem
# Verify SSL
#verify_ssl = True
# Used as an identifier of the Connect plugin
#plugin_name = openstack
# Plugin heartbeat interval min=3, max=60 to Connect service
# in seconds.
#heartbeat_interval = 10

If there is a need to update the certificate info for connecting to the EDA Kubernetes API, replace the file referred to in the ca_cert_path.
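
A check that can be run on the edited file before restarting Neutron, as an added example that is not part of the EDA documentation or the plugin's own code: it confirms that api_token is a JWT whose sub claim names the expected service account (Kubernetes formats this as system:serviceaccount:<namespace>:<name>), and that certificate verification and the heartbeat range are intact. The function names, the spellings treated as a disabled verify_ssl, and the sample token are assumptions constructed for illustration; the token signature is not verified here.

```python
import base64
import configparser
import json


def token_claims(token):
    """Decode a JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_ini(text, expected_sa, namespace="eda-system"):
    """Return a list of problems found in the [ml2_eda_connect] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    sec = cfg["ml2_eda_connect"]
    want = f"system:serviceaccount:{namespace}:{expected_sa}"
    problems = []
    try:
        sub = token_claims(sec.get("api_token", "")).get("sub")
        if sub != want:
            problems.append(f"token subject is {sub!r}, expected {want!r}")
    except (IndexError, ValueError, AttributeError):
        problems.append("api_token is not a JWT (placeholder or truncated paste)")
    # Assumption: these spellings are what the option parser reads as "false".
    if sec.get("verify_ssl", "true").strip().lower() in ("false", "0", "no", "off"):
        problems.append("verify_ssl is disabled: the EDA API certificate is not checked")
    if not sec.get("ca_cert_path", "").strip():
        problems.append("ca_cert_path is not set")
    heartbeat = sec.getint("heartbeat_interval", fallback=10)
    if not 3 <= heartbeat <= 60:
        problems.append(f"heartbeat_interval {heartbeat} is outside 3..60 seconds")
    return problems


def sample_token(sub):
    """Constructed, unsigned JWT-shaped string for the demo; not a real credential."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"sub": sub}), "sig"])


# Constructed sample of the edited file; {} is filled with the token under test.
SAMPLE_INI = "[ml2_eda_connect]\napi_token = {}\nca_cert_path = /opt/stack/data/eda.pem\n"

if __name__ == "__main__":
    good = sample_token("system:serviceaccount:eda-system:openstack-plugin")
    print(check_ini(SAMPLE_INI.format(good), "openstack-plugin"))
    print(check_ini(SAMPLE_INI.format("<new api token>"), "openstack-plugin"))
```

With one service account per plugin, pass that plugin's account name as expected_sa so a token pasted from the wrong account is caught before the restart.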

Step 2 - Restart Neutron