Adoption of public SSH key for Amphorae

OSPNET-1078

docs_user/assemblies/proc_adopting-the-loadbalancer-dataplane.adoc

@@ -0,0 +1,41 @@
+[id="adopting-the-loadbalancer-dataplane_{context}"]
+
+= {loadbalancer_service} data plane adoption
+At this point all services on the new control plane should be running including
+the {loadbalancer_service} services.
+
+== Failover load balancers in ERROR state
+
+As the management network configuration and the controller IP has changed
+in the new control plane the amphora load balancers will show up in ERROR
+state at this point.
+
+[source,bash]
+----
+$ openstack loadbalancer list
++--------------------------------------+------+----------------------------------+--------------+---------------------+------------------+----------+
+| id                                   | name | project_id                       | vip_address  | provisioning_status | operating_status | provider |
++--------------------------------------+------+----------------------------------+--------------+---------------------+------------------+----------+
+| 5dabaa20-d9df-42a7-b74e-8533ac99b152 | lb1  | c388c1dbd3ff40009a523726e009b4cf | 172.24.4.250 | ERROR               | ONLINE           | amphora  |
++--------------------------------------+------+----------------------------------+--------------+---------------------+------------------+----------+
+----
+
+A failover is necessary to configure the loadbalancers for the new environment and to
+upgrade them to use the new amphora image.
+
+[source,bash]
+----
+$ openstack loadbalancer failover --wait 5dabaa20-d9df-42a7-b74e-8533ac99b152
+----
+
+This can be automated if necessary. The following script does this by
+failing over all loadbalancers in error, but only five at a time.
+
+// TODO(tweining): test
+
+[source,bash]
+----
+# TODO(tweining): verify it is provisioning status, not operating status
+$ openstack loadbalancer list --operating-status OFFLINE -f value -c id | \
+    xargs -P 5 -I {} openstack loadbalancer failover --wait {}
+----

docs_user/modules/proc_adopting-the-loadbalancer-service.adoc

@@ -34,6 +34,15 @@ dual CA configuration.
 include::../../tests/roles/dataplane_adoption/tasks/octavia_certs.yaml[lines="7..83",indent=0]
 ----
 
+. (Optional) Public SSH key of Amphorae
++
+These commands will copy the existing public SSH key that can be used for connecting to the amphorae and installs it in Openshift.
++
+[source,bash]
+----
+include::../../tests/roles/dataplane_adoption/tasks/octavia_ssh.yaml[lines="7..20",indent=0]
+----
+
 . Add the octavia interfaces to each NodeNetworkConfigurationPolicy.
 +
 The following command adds the network interface that is being
@@ -120,6 +129,7 @@ spec:
   ovn:
     template:
       ovnController:
+        networkAttachment: tenant
         nicMappings:
           octavia: octbr
   octavia:

tests/roles/dataplane_adoption/tasks/main.yaml

@@ -458,12 +458,16 @@
   ansible.builtin.include_tasks:
     file: neutron_verify.yaml
 
-
 - name: Adopt Octavia Certificates Wallaby->Antelope FFU
   when: octavia_adoption|bool
   ansible.builtin.include_tasks:
     file: octavia_certs.yaml
 
+- name: Adopt Octavia Amphora public SSH key Wallaby->Antelope FFU
+  when: octavia_adoption|bool
+  ansible.builtin.include_tasks:
+    file: octavia_ssh.yaml
+
 - name: Adopted Cinder post-checks
   ansible.builtin.include_tasks:
     file: cinder_verify.yaml

tests/roles/dataplane_adoption/tasks/octavia_ssh.yaml

@@ -0,0 +1,20 @@
+- name: Migrate old Octavia public SSH key for amphorae
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    CONTROLLER1_SCP="{{ controller1_ssh  | regex_replace('^ssh', 'scp')}}"
+
+    ${CONTROLLER1_SCP}:/etc/octavia/ssh/octavia_id_rsa.pub $HOME/octavia_sshkey.pub
+
+    # Install new data in k8s
+    oc apply -f - <<EOF
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: sshPubkey
+      namespace: openstack
+    data:
+      key: $(cat $HOME/octavia_sshkey.pub)
+    EOF
+
+    rm -f $HOME/octavia_sshkey.pub