Overview
Support charm for OpenStack operations. Its main purpose is to package common tasks into easy-to-use actions.
Typically it will be deployed into a container on an infrastructure node.
The charm requires OpenStack credentials to operate, and some actions require administrative access to cloud computes via ssh.
See the actions tab for more details.
Deploy and Configure
Deploy this charm with:
juju deploy cloudsupport
Set up the OpenStack connection parameters by providing a YAML-formatted string with one cloud named cloud1. For safety it is strongly advised to utilize an administrative project, separate from production workload projects.
cat clouds.yaml
clouds:
  cloud1:
    region_name: {region_name}
    auth:
      auth_url: {auth_url}
      username: {username}
      password: {password}
      user_domain_name: {user_domain_name}
      project_name: {project_name}
      domain_name: {domain_name}
juju config cloudsupport clouds-yaml=@clouds.yaml
Also ensure that the config param cloud-name matches the name of the cloud in the clouds-yaml.
juju config cloudsupport cloud-name="cloud1"
The test-connectivity action needs credentials to connect to compute nodes. Those can be configured by passing in an ssh key:
juju config cloudsupport ssh-key=@~/.local/share/juju/ssh/juju_id_rsa
If a CA certificate is required to connect to the OpenStack API it can be provided thusly:
juju config cloudsupport ssl-ca='
-----BEGIN CERTIFICATE-----
<certificate body>
-----END CERTIFICATE-----
'
Add nrpe check
This charm provides an nrpe check to ensure that the VMs deployed with it are not left running on the cloud for more than stale-warn-days (this generates a warning) or more than stale-crit-days (this generates a critical alert).
To configure it, relate the charm with nrpe:
juju add-relation cloudsupport nrpe
and enable the check, which is disabled by default:
juju config cloudsupport stale-server-check=true
Use juju config to tune stale-warn-days (default 7) and stale-crit-days (default 14).
Specific VMs can be ignored when checking for stale servers by adding their UUIDs to the config param stale-ignored-uuids.
Cryptography
This charm interacts with the OpenStack API to set up and delete instances and therefore needs to be provided user credentials via the clouds-yaml option (it is recommended to configure a dedicated user). Since the credentials are stored as charm config values, they are stored unencrypted in the Juju DB in the controller, as well as on-disk on the cloudsupport unit(s) in file /etc/openstack/clouds.yaml. This file is set to be world-readable to allow the nrpe process to access it.
The optional test-connectivity action will log into the generated test VM(s) to perform connectivity tests. In order to do this, it needs to have access to the correct private ssh key. This key is configured in the ssh-key config option, which is also stored both in the Juju controller DB and on-disk on the cloudsupport unit(s). Contrary to how the OpenStack API credentials are stored, the ssh key is held in a root-only-readable file, as no process other than the charm code itself needs to use it.
Finally, a custom CA certificate can be provided if the OpenStack API endpoints offer certificates that cannot be validated with the built-in CA certificates.
As a note, the current architecture predates the Juju secrets backend, which could be leveraged in the future as an enhancement.
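The file permissions described in this section can be checked on a cloudsupport unit with a small audit script. This is an added example, not part of the charm: the function names are hypothetical, and any path other than /etc/openstack/clouds.yaml (for instance the ssh key file, whose location this page does not give) has to be supplied by the operator.

```shell
#!/bin/sh
# Added example (not charm code): report who can read a credential file
# and whether it carries a plaintext "password:" value.

# perm_class FILE -> prints world, group, owner or missing
perm_class() {
    f=$1
    if [ ! -e "$f" ]; then echo missing
    elif [ -n "$(find "$f" -prune -perm -004 -print)" ]; then echo world
    elif [ -n "$(find "$f" -prune -perm -040 -print)" ]; then echo group
    else echo owner
    fi
}

# has_plain_password FILE -> exit 0 if a non-empty "password:" key is present
has_plain_password() {
    grep -Eq '^[[:space:]]*password:[[:space:]]*[^[:space:]#]' "$1"
}

# audit_credential_file FILE -> one finding line; exit 1 when the file is
# readable by anyone other than its owner
audit_credential_file() {
    f=$1
    class=$(perm_class "$f")
    if [ "$class" = missing ]; then
        echo "SKIP $f not present"
        return 0
    fi
    pw=no
    if has_plain_password "$f"; then pw=yes; fi
    if [ "$class" = owner ]; then
        echo "OK $f readable_by=owner plaintext_password=$pw"
        return 0
    fi
    echo "EXPOSED $f readable_by=$class plaintext_password=$pw"
    return 1
}

# Audit every path given on the command line, e.g. /etc/openstack/clouds.yaml
for f in "$@"; do
    audit_credential_file "$f" || true
done
```

Given the design described above, an EXPOSED line with plaintext_password=yes for /etc/openstack/clouds.yaml is the expected result on a unit, which is why the dedicated user and the separate administrative project recommended earlier matter. The ssh key file should report OK with readable_by=owner.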
Project and community
Example Charm / Charm Bundle is a member of the Ubuntu family. It’s an open source project that warmly welcomes community projects, contributions, suggestions, fixes and constructive feedback.