First OpenStack Cluster

Purpose: For platform engineers, walks through deploying a first Kubernetes cluster on OpenStack end-to-end (15 minutes configuration + 40–60 minutes deployment).

What You'll Do

Initialize an OpenStack cluster configuration with the CLI
Validate, generate the GitOps repository, and deploy
Verify nodes, OpenStack CCM/CSI, and platform services are running

End result: A 6-node HA Kubernetes cluster on OpenStack with Cinder persistent volumes, Kyverno policies, monitoring, and GitOps — ready for application workloads (~60 minutes total).

Prerequisites

openCenter CLI installed (CLI Installation)
OpenStack application credentials (preferred) or user/password
Permissions to create: instances, networks, subnets, security groups, floating IPs, volumes
An OS image available (Ubuntu 22.04 cloud image recommended)
Flavors sized for control plane (4 vCPU / 8 GB) and workers (8 vCPU / 16 GB)
External network with floating IP pool
DNS records or wildcard domain for ingress
A Git repository for GitOps

Step 1: Initialize the Cluster Configuration

opencenter cluster init my-openstack-cluster --org my-org --type openstack

This creates the configuration at ~/.config/opencenter/clusters/my-org/.my-openstack-cluster-config.yaml and auto-generates SOPS Age keys and an SSH key pair.

Edit the configuration:

opencenter cluster edit my-openstack-cluster

Key sections:

opencenter:
  cluster:
    cluster_name: my-openstack-cluster
    organization: my-org

  infrastructure:
    provider: openstack
    cloud:
      openstack:
        auth_url: https://identity.api.rackspacecloud.com/v3
        region: sjc3
        application_credential_id: ${OPENSTACK_APP_CRED_ID}
        application_credential_secret: ${OPENSTACK_APP_CRED_SECRET}
        external_network: public
        image_id: ubuntu-22.04

  kubernetes:
    version: 1.33.5
    control_plane_count: 3
    worker_count: 3
    cni: calico

  services:
    keycloak:
      enabled: true
    kube-prometheus-stack:
      enabled: true
    loki:
      enabled: true
    velero:
      enabled: true

secrets:
  sops:
    age_keys:
      - age1...  # Auto-generated during init

Set credentials as environment variables (never commit them):

export OPENSTACK_APP_CRED_ID="your-credential-id"
export OPENSTACK_APP_CRED_SECRET="your-credential-secret"

Step 2: Validate Configuration

opencenter cluster validate my-openstack-cluster

Validation checks: schema compliance, OpenStack connectivity (if --validation=online), credential validity, image/flavor existence, and network configuration.

Step 3: Generate GitOps Repository

opencenter cluster generate my-openstack-cluster

This generates:

Terraform/OpenTofu for OpenStack resources (networks, subnets, security groups, instances, floating IPs)
Kubespray inventory with OpenStack Cloud Controller Manager configuration
FluxCD application manifests (GitRepository sources referencing openCenter-gitops-base)
SOPS-encrypted secrets

Step 4: Deploy the Cluster

opencenter cluster deploy my-openstack-cluster

The deploy command:

Creates OpenStack infrastructure via Terraform — private network, subnet, router, security groups, instances, floating IP for API (10–15 minutes)
Installs Kubernetes via Kubespray with containerd, etcd HA, OpenStack CCM, and security hardening (25–40 minutes)
Bootstraps FluxCD which reconciles platform services from openCenter-gitops-base (10–15 minutes)

Step 5: Verify the Cluster

# Check cluster status
opencenter cluster status my-openstack-cluster

# Verify nodes
kubectl get nodes

# Confirm OpenStack CCM is running
kubectl get pods -n openstack-ccm

# Check Cinder CSI
kubectl get sc
kubectl get pvc -A

# Check FluxCD reconciliation
flux get kustomizations

Check Your Work

All nodes show Ready status
OpenStack Cloud Controller Manager pod is running
Cinder CSI driver is provisioning volumes (kubectl get sc shows storage class)
Security groups are correctly applied (openstack security group list)
FluxCD kustomizations show Ready=True

Platform Services Deployed

After FluxCD reconciles, these services from openCenter-gitops-base are running:

Service	Version	Namespace
cert-manager	v1.18.2	cert-manager
Gateway API (Envoy)	latest	envoy-gateway-system
Keycloak	26.4.2	keycloak
Kyverno	3.6.0	kyverno
kube-prometheus-stack	77.6.0	observability
Loki	6.45.2	observability
OpenStack CCM	2.33.1	openstack-ccm
OpenStack CSI (Cinder)	2.33.1	openstack-csi
Velero	10.1.1	velero

Troubleshooting

Symptom	Likely Cause	Fix
Instances fail to create	Quota exceeded	Check `openstack quota show`
Nodes can't reach API	Security group missing port 6443	Run `opencenter cluster validate` with `--validation=online`
Volumes stuck in "creating"	Cinder service unavailable	Check `openstack volume service list`
Cloud controller errors	Invalid application credential	Verify env vars and re-run `opencenter secrets sync`

Next Steps

Deploy Your First Application — Ship a workload via GitOps
Day 2 Operations — Upgrades, drift detection, backups
Secrets Management — Key rotation and lifecycle

What You'll Do​

Prerequisites​

Step 1: Initialize the Cluster Configuration​

Step 2: Validate Configuration​

Step 3: Generate GitOps Repository​

Step 4: Deploy the Cluster​

Step 5: Verify the Cluster​

Check Your Work​

Platform Services Deployed​

Troubleshooting​

Next Steps​