Add OpenStackAssistant CRD for AI-powered cluster health checks and upgrades#1914
dprince wants to merge 7 commits into openstack-k8s-operators:main from
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dprince
Build failed (check pipeline). Post ✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 05m 10s
Implements the OpenStackAssistant API (assistant.openstack.org/v1beta1) which deploys a managed Goose AI agent pod with read-only RBAC for cluster diagnostics via Lightspeed Stack.
Add a dedicated Model field to GooseConfig so the Goose AI model can be set declaratively in the OpenStackAssistant CR spec rather than requiring it to be passed as a raw env var. When set, the controller injects the GOOSE_MODEL environment variable into the pod.

Update the entrypoint script to use $HOME/.config/goose/ instead of ~/.goose/ for Goose configuration paths, aligning with the XDG base directory convention used by newer Goose versions.
Build failed (check pipeline). Post ✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 24m 25s
Build failed (check pipeline). Post ✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 26m 30s
Adds the ability to run the rhos-mcps MCP server as a sidecar container inside the openstackclient pod, exposed via a k8s Service. This allows the OpenStackAssistant (Goose) to execute read-only OpenStack CLI commands through the MCP protocol.

OpenStackClient changes:
- New MCPConfig struct (enabled, containerImage) on the CR spec
- When enabled, adds an mcp-server sidecar container sharing the same clouds.yaml/secure.yaml credential mounts
- Controller creates a ConfigMap with rhos-mcps config (openstack enabled, openshift disabled, allow_write: false)
- Controller creates a Service on port 8080 for the MCP endpoint

OpenStackAssistant changes:
- New MCPServerRef (name, url) and mcpServers field on GooseConfig
- Each MCP server is passed as MCP_SERVER_<name> env var to the pod
- Entrypoint script generates Goose streamable_http extension entries from these env vars

Users can create a second OpenStackClient instance with reader-only credentials for credential-level read-only enforcement in addition to the rhos-mcps allow_write:false guardrail.
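The two commit messages above (the GOOSE_MODEL env var written to $HOME/.config/goose/, and the MCP_SERVER_<name> env vars turned into Goose streamable_http extension entries) describe an entrypoint script without showing it. The script below is an added example of that pattern, not the PR's own entrypoint: it assumes (none of this is stated on the page) that Goose reads $HOME/.config/goose/config.yaml, that the model key in that file is GOOSE_MODEL, and that a streamable_http extension entry carries the keys enabled, type, name, uri and timeout. The part a practitioner should care about is the validation: the env values end up inside a YAML file, so a value containing a newline, quote or '#' could add keys the operator never set; the script refuses such values instead of writing a partial config.

```shell
#!/bin/sh
# Added example, not the PR's entrypoint script. Renders a Goose config from the
# environment the OpenStackAssistant controller is described as injecting.
# Assumed (not stated on the page): config path $HOME/.config/goose/config.yaml,
# top-level key GOOSE_MODEL, and the streamable_http extension key layout below.

# A URL is accepted only if it is http(s) and made of URL-safe characters, so it
# cannot inject extra YAML lines or keys. Query strings are deliberately rejected.
valid_mcp_url() {
  case "$1" in
    http://[A-Za-z0-9]*|https://[A-Za-z0-9]*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9:/._~%-]*) return 1 ;;   # newline, space, quote, '#', '?', ...
  esac
  return 0
}

# Model identifiers: letters, digits and a few separators, nothing YAML-significant.
valid_model() {
  case "$1" in
    ''|*[!A-Za-z0-9._:/-]*) return 1 ;;
  esac
  return 0
}

# One extension entry, indented under "extensions:".
render_extension() {
  printf '  %s:\n    enabled: true\n    type: streamable_http\n    name: %s\n    uri: %s\n    timeout: 300\n' "$1" "$1" "$2"
}

# Writes $HOME/.config/goose/config.yaml from GOOSE_MODEL and MCP_SERVER_<NAME>
# variables and prints its path. Returns 1 and writes nothing on invalid input.
generate_goose_config() {
  cfg_dir="${HOME}/.config/goose"
  tmp=$(mktemp)
  {
    if [ -n "${GOOSE_MODEL:-}" ]; then
      if ! valid_model "$GOOSE_MODEL"; then
        echo "refusing GOOSE_MODEL: unsafe value" >&2
        rm -f "$tmp"
        return 1
      fi
      printf 'GOOSE_MODEL: %s\n' "$GOOSE_MODEL"
    fi
    printf 'extensions:\n'
  } > "$tmp" || return 1
  # Only the variable names come from env(1); the value is read back through the
  # shell so a multi-line value is seen whole and rejected, not silently truncated.
  names=$(env | sed -n 's/^MCP_SERVER_\([A-Za-z0-9_]*\)=.*/\1/p' | sort -u)
  for name in $names; do                      # names are [A-Za-z0-9_] only, safe to eval
    eval "url=\${MCP_SERVER_$name:-}"
    if ! valid_mcp_url "$url"; then
      echo "refusing MCP server $name: unsafe url" >&2
      rm -f "$tmp"
      return 1
    fi
    render_extension "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" "$url" >> "$tmp"
  done
  mkdir -p "$cfg_dir"
  mv "$tmp" "$cfg_dir/config.yaml"
  echo "$cfg_dir/config.yaml"
}
```

Run it with the pod environment in place, e.g. `GOOSE_MODEL=... MCP_SERVER_OPENSTACK=https://<mcp-service>:8443/mcp ./entrypoint.sh`; the extension key is the lower-cased suffix of the variable name, and any value that fails validation aborts the whole render rather than leaving a half-written config behind.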
Enable TLS on the MCP sidecar service using cert-manager with the internal CA issuer. When CaBundleSecretName is set (indicating TLS is active on the control plane), the controller provisions a TLS certificate for the MCP service DNS names via certmanager.EnsureCert(), mounts the cert secret into the MCP sidecar container at /etc/pki/tls/mcp/, and switches the service port from 8080 to 8443. The rhos-mcps config is updated to include TLS cert/key paths and use https for allowed origins.

Changes:
- internal/openstackclient/funcs.go: Add mcpTLSSecretName param to ClientPodSpec() for TLS secret volume mount; add tlsEnabled param to MCPConfigYAML() for TLS cert/key config and port selection
- config/rbac/role.yaml, bindata/: Regenerated via make manifests and make bindata
Build failed (check pipeline). Post ❌ openstack-k8s-operators-content-provider FAILURE in 6m 42s
Add OpenStackAssistant CRD for AI-powered cluster management
Introduce a new OpenStackAssistant custom resource that deploys an AI
agent (Goose) as a Kubernetes pod with read-only access to the OpenStack
control plane. The assistant connects to a Lightspeed Stack AI backend
and is configured with operator credentials, recipes, and hints for
cluster diagnostics and management tasks.
Key components:
Goose configuration, CA bundles, and provider secrets