Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 3. Deploying the Load-balancing service in an existing environment

Deploying the Load-balancing service (octavia) to an existing Red Hat OpenStack Services on OpenShift (RHOSO) environment consists of creating a secret to secure communication and then deploying the Load-balancing service in the RHOSO control plane.

Note

When your RHOSO environment was installed, the networks required for the Load-balancing service were configured and added to the control plane. For more information, see Preparing networks for Red Hat OpenStack Services on OpenShift in Deploying Red Hat OpenStack Services on OpenShift.

Overview

You must perform the steps in the following procedures to deploy the Load-balancing service (octavia):

  1. Create a CA passphrase for certificate generation and signing.
  2. Deploy the Load-balancing service.
Important

The steps in these procedures provide sample values that you add to the required CRs. The actual values that you provide will depend on your particular hardware configuration and local networking policies.

In Red Hat OpenStack Services on OpenShift (RHOSO) environments, you create a Secret custom resource (CR) which is used to encrypt the generated private key of the Server CA. RHOSO uses dual CAs to make communication between the Load balancing service (octavia) amphora and its controller more secure.

Prerequisites

  • You have the oc command line tool installed on your workstation.
  • You are logged on to a workstation that has access to the RHOSO control plane as a user with cluster-admin privileges.

Procedure

  1. Generate a Base64, encoded password.

    Retain the encoded output to use in a later step.

    Example

    In this example, the password, my_password is encoded using the Base64 encoding scheme: 

    $ echo -n my_password | base64
  2. Create a Secret CR file on your workstation, for example, octavia-ca-passphrase.yaml.

  3. Add the following configuration to octavia-ca-passphrase.yaml: 

    apiVersion: v1
data:
  server-ca-passphrase: <Base64_password>
kind: Secret
metadata:
  name: octavia-ca-passphrase
  namespace: openstack
type: Opaque
    • Replace the <Base64_password> with the Base64-encoded password that you created earlier.

  4. Create the Secret CR in the cluster: 

    $ oc create -f octavia-ca-passphrase.yaml

Verification

  • Confirm that the Secret CR exists: 

    $ oc describe secret octavia-ca-passphrase -n openstack

Next steps

3.2. Deploying the Load-balancing service
Copy link

To deploy the Red Hat OpenStack Services on OpenShift (RHOSO) Load-balancing service (octavia), you must configure the OVN controller to create a NIC mapping for the provider network as well as add it to the networkAttachments property for each Load-balancing service that controls load balancers (amphorae).

Prerequisites

  • You have the oc command line tool installed on your workstation.
  • You are logged on to a workstation that has access to the RHOSO control plane as a user with cluster-admin privileges.

Procedure

  1. Using the Skopeo utility, obtain the amphora image version. You will need the image version in a SHA format for a later step: 

    $ podman login registry.redhat.io

$ sudo dnf install -y skopeo

$ skopeo inspect docker://registry.redhat.io/rhoso/\
octavia-amphora-image-rhel9:$(oc get openstackversion \
-o jsonpath='{.items[0].status.deployedVersion}' | \
awk -F '-' '{print $1}') --format '{{.Name}}@{{.Digest}}'

  2. Open your OpenStackControlPlane CR file, and enable the Load-balancing service (octavia) by adding the following service configuration: 

    apiVersion: core.openstack.org/v1beta1
kind: OpenStackControlPlane
metadata:
  name: openstack-control-plane
  namespace: openstack
  spec:
...
    octavia:
      enabled: true
      template:
        octaviaHousekeeping:
          networkAttachments:
            - octavia
        octaviaHealthManager:
          networkAttachments:
            - octavia
        octaviaWorker:
          networkAttachments:
            - octavia
...

  3. With the amphora image version that you obtained in an earlier step, use the octavia.template.amphoraImageContainerImage parameter to add the amphora image to the Image service (glance):

    Example
    ...
    octavia:
      enabled: true
      template:
        octaviaHousekeeping:
          networkAttachments:
            - octavia
        octaviaHealthManager:
          networkAttachments:
            - octavia
        octaviaWorker:
          networkAttachments:
            - octavia
        amphoraImageContainerImage: registry.redhat.io/rhoso/\
        octavia-amphora-image-rhel9@sha256:312cd5e8ea9fe261c1929aefececbeb22afe5e433ae76ef0860d98e561db21c9
...

  4. Optional: to enable flow resumption, perform the following steps.

    For more information, see Avoiding taskflow interruptions by using flow resumption.

    1. Create the octavia-redis database in Redis by adding the schema name, octavia-redis:, and the number of replicas, replicas: 1: 

      apiVersion: core.openstack.org/v1beta1
kind: OpenStackControlPlane
metadata:
  name: openstack-control-plane
  namespace: openstack
  spec:
...
    redis:
      enabled: true
      templates:
        octavia-redis:
          replicas: 1
...

    2. Enable the octavia-redis database by adding the line, redisServiceName: octavia-redis: 

      apiVersion: core.openstack.org/v1beta1
kind: OpenStackControlPlane
metadata:
  name: openstack-control-plane
  namespace: openstack
  spec:
...
    octavia:
      enabled: true
      template:
        databaseInstance: <Galera_CR>
        redisServiceName: octavia-redis
        octaviaHousekeeping:
          networkAttachments:
            - octavia
        octaviaHealthManager:
          networkAttachments:
            - octavia
        octaviaWorker:
          networkAttachments:
            - octavia
...

  5. Locate the service configuration for ovn, and add the following configuration under template: 

    ...
  ovn:
    template:
      ovnController:
        networkAttachment: tenant
        nicMappings:
          octavia: octbr
    • networkAttachment - Note the one-character difference between the OVN networkAttachment property and the octavia networkAttachments property. The name tenant is an example value.
    • nicMappings - The value must be octavia: octbr.

  6. Update the OpenStackControlPlane custom resource with the required values for the Load-balancing service.

    Example
    $ oc apply -f openstack_control_plane.yaml -n openstack

Verification

  1. Wait until RHOCP creates the Load-balancing service resources. Run the following command to check the status: 

    $ oc wait octavia octavia --for condition=Ready
    Sample output

    You should see output similar to the following: 

    octavia.octavia.openstack.org/octavia condition met

  2. Confirm that the Load-balancing service pods are running: 

    $ oc get pods | grep octavia
    Sample output

    You should see output similar to the following: 

    octavia-api-78b56bb844-ngjhc                  2/2     Running     0          12s
octavia-healthmanager-f6hpx                   1/1     Running     0          14s
octavia-housekeeping-knwpf                    1/1     Running     0          10s
octavia-redis-redis-0                         2/2     Running     0          20s
octavia-rsyslog-4nkv8                         1/1     Running     0          23s
octavia-worker-l5hs4                          1/1     Running     0          26s

  3. Access the remote shell for the OpenStackClient pod from your workstation: 

    $ oc rsh -n openstack openstackclient

  4. Confirm that the networks octavia-provider-net and lb-mgmt-net are present: 

    $ openstack network list -f yaml
    Sample output
    - ID: 2e4fc309-546b-4ac8-9eae-aa8d70a27a9b
  Name: octavia-provider-net
  Subnets:
  - eea45073-6e56-47fd-9153-12f7f49bc115
- ID: 77881d3f-04b0-46cb-931f-d54003cce9f0
  Name: lb-mgmt-net
  Subnets:
  - e4ab96af-8077-4971-baa4-e0d40a16f55a

    The network, octavia-provider-net, is the external provider network, and is limited to the RHOSO control plane. The lb-mgmt-net network connects the Load-balancing service to amphora instances.

  5. Exit the openstackclient pod: 

    $ exit
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top