[openstack-dev] [TripleO] Let's use Ansible to deploy OpenStack services on Kubernetes

Dmitry Tantsur dtantsur at redhat.com
Fri Jul 14 16:54:37 UTC 2017

On 07/14/2017 06:16 PM, Fox, Kevin M wrote:
> https://xkcd.com/927/
> I don't think adopting helm as a dependency adds more complexity then writing more new k8s object deployment tooling?

I don't know much about the containerization work, and I don't have a big say in 
TripleO, but that's the question I have as well. If we are going now to rewrite 
ansible modules for everything (including MariaDB per Emilien's comment), this 
may require too much effort.

Think of TripleO contributors, who are not on tripleo-core (the group which 
probably contains 99% of people understanding TripleO well). Writing heat 
templates is already not fun, but at least people got used to it more or less. 
Now we will need to rewrite a lot of puppet into a lot of ansible, and a lot of 
yaml into... mmm.. more ansible? If we go down this way, let's at least make 
sure we're not inventing a bicycle.

> There are efforts to make it easy to deploy kolla-kubernetes microservice charts using ansible for orchestration in kolla-kubernetes. See:
> https://review.openstack.org/#/c/473588/
> What kolla-kubernetes brings to the table is a tested/shared base k8s object layer. Orchestration is done by ansible via TripleO, and the solutions already found/debugged to how to deploy OpenStack in containers on Kubernetes can be reused/shared.
> See for example:
> https://github.com/tripleo-apb/ansible-role-k8s-keystone/blob/331f405bd3f7ad346d99e964538b5b27447a0ebf/provision-keystone-apb/tasks/main.yaml
> I don't see much by way of dealing with fernet token rotation. That was a tricky bit of code to get to work, but kolla-kubernetes has a solution to it. You can get it by: helm install kolla/keystone-fernet-rotate-job.
> We designed this layer to be shareable so we all can contribute to the commons rather then having every project reimplement their own and have to chase bugs across all the implementations. The deployment projects will be stronger together if we can share as much as possible.


> Please reconsider. I'd be happy to talk with you more if you want.
> Thanks,
> Kevin
> ________________________________________
> From: Flavio Percoco [flavio at redhat.com]
> Sent: Friday, July 14, 2017 2:17 AM
> To: openstack-dev at lists.openstack.org
> Subject: [openstack-dev] [TripleO] Let's use Ansible to deploy OpenStack services on Kubernetes
> Greetings,
> As some of you know, I've been working on the second phase of TripleO's
> containerization effort. This phase if about migrating the docker based
> deployment onto Kubernetes.
> These phase requires work on several areas: Kubernetes deployment, OpenStack
> deployment on Kubernetes, configuration management, etc. While I've been diving
> into all of these areas, this email is about the second point, OpenStack
> deployment on Kubernetes.
> There are several tools we could use for this task. kolla-kubernetes,
> openstack-helm, ansible roles, among others. I've looked into these tools and
> I've come to the conclusion that TripleO would be better of by having ansible
> roles that would allow for deploying OpenStack services on Kubernetes.
> The existing solutions in the OpenStack community require using Helm. While I
> like Helm and both, kolla-kubernetes and openstack-helm OpenStack projects, I
> believe using any of them would add an extra layer of complexity to TripleO,
> which is something the team has been fighting for years years - especially now
> that the snowball is being chopped off.
> Adopting any of the existing projects in the OpenStack communty would require
> TripleO to also write the logic to manage those projects. For example, in the
> case of openstack-helm, the TripleO team would have to write either ansible
> roles or heat templates to manage - install, remove, upgrade - the charts (I'm
> happy to discuss this point further but I'm keepping it at a high-level on
> purpose for the sake of not writing a 10k-words-long email).
> James Slagle sent an email[0], a couple of days ago, to form TripleO plans
> around ansible. One take-away from this thread is that TripleO is adopting
> ansible more and more, which is great and it fits perfectly with the conclusion
> I reached.
> Now, what this work means is that we would have to write an ansible role for
> each service that will deploy the service on a Kubernetes cluster. Ideally these
> roles will also generate the configuration files (removing the need of puppet
> entirely) and they would manage the lifecycle. The roles would be isolated and
> this will reduce the need of TripleO Heat templates. Doing this would give
> TripleO full control on the deployment process too.
> In addition, we could also write Ansible Playbook Bundles to contain these roles
> and run them using the existing docker-cmd implementation that is coming out in
> Pike (you can find a PoC/example of this in this repo[1]).
> Now, I do realize the amount of work this implies and that this is my
> opinion/conclusion. I'm sending this email out to kick-off the discussion and
> gather thoughts and opinions from the rest of the community.
> Finally, what I really like about writing pure ansible roles is that ansible is
> a known, powerfull, tool that has been adopted by many operators already. It'll
> provide the flexibility needed and, if structured correctly, it'll allow for
> operators (and other teams) to just use the parts they need/want without
> depending on the full-stack. I like the idea of being able to separate concerns
> in the deployment workflow and the idea of making it simple for users of TripleO
> to do the same at runtime. Unfortunately, going down this road means that my
> hope of creating a field where we could collaborate even more with other
> deployment tools will be a bit limited but I'm confident the result would also
> be useful for others and that we all will benefit from it... My hopes might be a
> bit naive *shrugs*
> Flavio
> [0] http://lists.openstack.org/pipermail/openstack-dev/2017-July/119405.html
> [1] https://github.com/tripleo-apb/tripleo-apbs
> --
> @flaper87
> Flavio Percoco
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list