[ English | Indonesia | 한국어 (대한민국) | Deutsch | English (United Kingdom) ]

External DNS to FQDN/Ingress

Overview

In order to access your OpenStack deployment on Kubernetes we can use the Ingress Controller or NodePorts to provide a pathway in. A background on Ingress, OpenStack-Helm fully qualified domain name (FQDN) overrides, installation, examples, and troubleshooting will be discussed here.

Ingress

OpenStack-Helm utilizes the Kubernetes Ingress Controller

An Ingress is a collection of rules that allow inbound connections to reach the cluster services.

 internet
     |
[ Ingress ]
--|-----|--
[ Services ]

It can be configured to give services externally-reachable URLs, load balance traffic, terminate SSL, offer name based virtual hosting, and more.

Essentially the use of Ingress for OpenStack-Helm is an Nginx proxy service. Ingress (Nginx) is accessible by your cluster public IP - e.g. the IP associated with kubectl get pods -o wide --all-namespaces | grep ingress-api Ingress/Nginx will be listening for server name requests of „keystone“ or „keystone.openstack“ and will route those requests to the proper internal K8s Services. These public listeners in Ingress must match the external DNS that you will set up to access your OpenStack deployment. Note each rule also has a Service that directs Ingress Controllers allow access to the endpoints from within the cluster.

External DNS and FQDN

Prepare ahead of time your FQDN and DNS layouts. There are a handful of OpenStack endpoints you will want to expose for API and Dashboard access.

Update your lab/environment DNS server with your appropriate host values creating A Records for the edge node IP’s and various FQDN’s. Alternatively you can test these settings locally by editing your /etc/hosts. Below is an example with a dummy domain os.foo.org and dummy Ingress IP 1.2.3.4.

A Records

1.2.3.4     horizon.os.foo.org
1.2.3.4     neutron.os.foo.org
1.2.3.4     keystone.os.foo.org
1.2.3.4     nova.os.foo.org
1.2.3.4     metadata.os.foo.org
1.2.3.4     glance.os.foo.org

The default FQDN’s for OpenStack-Helm are

horizon.openstack.svc.cluster.local
neutron.openstack.svc.cluster.local
keystone.openstack.svc.cluster.local
nova.openstack.svc.cluster.local
metadata.openstack.svc.cluster.local
glance.openstack.svc.cluster.local

We want to change the public configurations to match our DNS layouts above. In each Chart values.yaml is a endpoints configuration that has host_fqdn_override’s for each API that the Chart either produces or is dependent on. Read more about how Endpoints are developed. Note while Glance Registry is listening on a Ingress http endpoint, you will not need to expose the registry for external services.

Installation

Implementing the FQDN overrides must be done at install time. If you run these as helm upgrades, Ingress will notice the updates though none of the endpoint build-out jobs will run again, unless they are cleaned up manually or using a tool like Armada.

Two similar options exist to set the FQDN overrides for External DNS mapping.

First, edit the values.yaml for Neutron, Glance, Horizon, Keystone, and Nova.

Using Horizon as an example, find the endpoints config.

For identity and dashboard at host_fdqn_override.public replace null with the value as keystone.os.foo.org and horizon.os.foo.org

endpoints:
  cluster_domain_suffix: cluster.local
  identity:
    name: keystone
    hosts:
      default: keystone-api
      public: keystone
    host_fqdn_override:
      default: null
      public: keystone.os.foo.org
    .
    .
  dashboard:
    name: horizon
    hosts:
      default: horizon-int
      public: horizon
    host_fqdn_override:
      default: null
      public: horizon.os.foo.org

After making the configuration changes, run a make and then install as you would from AIO or MultiNode instructions.

Second option would be as --set flags when calling helm install

Add to the Install steps these flags - also adding a shell environment variable to save on repeat code.

export FQDN=os.foo.org

helm install --name=horizon ./horizon --namespace=openstack \
  --set network.node_port.enabled=true \
  --set endpoints.dashboard.host_fqdn_override.public=horizon.$FQDN \
  --set endpoints.identity.host_fqdn_override.public=keystone.$FQDN

Note if you need to make a DNS change, you will have to do uninstall (helm delete <chart>) and install again.

Once installed, access the API’s or Dashboard at http://horizon.os.foo.org

Examples

Code examples below.

If doing an AIO install, all the --set flags

export FQDN=os.foo.org

helm install --name=keystone local/keystone --namespace=openstack \
  --set endpoints.identity.host_fqdn_override.public=keystone.$FQDN

helm install --name=glance local/glance --namespace=openstack \
  --set storage=pvc \
  --set endpoints.image.host_fqdn_override.public=glance.$FQDN \
  --set endpoints.identity.host_fqdn_override.public=keystone.$FQDN

helm install --name=nova local/nova --namespace=openstack \
  --values=./tools/overrides/mvp/nova.yaml \
  --set conf.nova.libvirt.virt_type=qemu \
  --set conf.nova.libvirt.cpu_mode=none \
  --set endpoints.compute.host_fqdn_override.public=nova.$FQDN \
  --set endpoints.compute_metadata.host_fqdn_override.public=metadata.$FQDN \
  --set endpoints.image.host_fqdn_override.public=glance.$FQDN \
  --set endpoints.network.host_fqdn_override.public=neutron.$FQDN \
  --set endpoints.identity.host_fqdn_override.public=keystone.$FQDN

helm install --name=neutron local/neutron \
  --namespace=openstack --values=./tools/overrides/mvp/neutron-ovs.yaml \
  --set endpoints.network.host_fqdn_override.public=neutron.$FQDN \
  --set endpoints.compute.host_fqdn_override.public=nova.$FQDN \
  --set endpoints.identity.host_fqdn_override.public=keystone.$FQDN

helm install --name=horizon local/horizon --namespace=openstack \
  --set=network.node_port.enabled=true \
  --set endpoints.dashboard.host_fqdn_override.public=horizon.$FQDN \
  --set endpoints.identity.host_fqdn_override.public=keystone.$FQDN

Troubleshooting

Review the Ingress configuration.

Get the Nginx configuration from the Ingress Pod:

kubectl exec -it ingress-api-2210976527-92cq0 -n openstack -- cat /etc/nginx/nginx.conf

Look for server configuration with a server_name matching your desired FQDN

server {
    server_name nova.os.foo.org;
    listen [::]:80;
    set $proxy_upstream_name "-";
    location / {
        set $proxy_upstream_name "openstack-nova-api-n-api";
        .
        .
    }

Check Chart Status

Get the helm status of your chart.

helm status keystone

Verify the v1beta1/Ingress resource has a Host with your FQDN value

LAST DEPLOYED: Thu Sep 28 20:00:49 2017
NAMESPACE: openstack
STATUS: DEPLOYED

RESOURCES:
==> v1beta1/Ingress
NAME      HOSTS                            ADDRESS      PORTS  AGE
keystone  keystone,keystone.os.foo.org     1.2.3.4      80     35m