Adds support to deploy cyborg controlplane services by amoralej · Pull Request #1102 · openstack-k8s-operators/nova-operator

amoralej · 2026-04-15T14:38:11Z

Add support for OpenStack Cyborg (accelerator lifecycle management service) in nova-operator, introducing three new CRDs and their controllers.

Define Cyborg, CyborgAPI and CyborgConductor CRDs with full spec/status types, defaulting and validation webhooks, and printer columns for oc get cyborg/cyborgapi/cyborgconductor.
Implement the Cyborg top-level controller: manages RBAC, MariaDB database and account, RabbitMQ TransportURL, Keystone service registration, DB sync job, and creates a sub-level secret that aggregates credentials (DB, transport URL, service password) for consumption by the child CRs.
Implement the CyborgAPI controller: renders WSGI/httpd configuration, creates a StatefulSet for cyborg-api pods with TLS support, and registers Keystone public/internal endpoints.
Implement the CyborgConductor controller: renders conductor configuration and creates a StatefulSet for cyborg-conductor.
All controllers are gated behind the ENABLE_CYBORG=true environment variable.
Add kuttl end-to-end tests validating CR conditions, sub-level secret content, config-data secrets, DB sync job completion, StatefulSet readiness, Services, and pod volume mounts.

Assisted-By: Claude

Jira: OSPRH-27674

Depends-On: #1121

openshift-ci · 2026-04-15T14:38:19Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: amoralej
Once this PR has been reviewed and has the lgtm label, please assign stuggi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

softwarefactory-project-zuul · 2026-04-15T17:38:15Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/3a20fb346aa44e9d80abc0ba1ff8cdf5

✔️ openstack-meta-content-provider SUCCESS in 2h 58m 29s
✔️ nova-operator-kuttl SUCCESS in 53m 19s
❌ nova-operator-tempest-multinode RETRY_LIMIT in 3m 43s
✔️ nova-operator-tempest-multinode-ceph SUCCESS in 2h 41m 14s

amoralej · 2026-04-16T08:39:48Z

check-rdo

cescgina · 2026-05-04T08:56:54Z

+  labels:
+    app.kubernetes.io/name: nova-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: cyborg-cyborg-admin-role


the existing roles for nova do not repeat the service name, e.g nova_admin_role, novaconductor_admin_role. If possible I think it would be good to use the same pattern for the cyborg roles

cescgina · 2026-05-04T11:12:35Z

+// ensureTopology - when a Topology CR is referenced, remove the
+// finalizer from a previous referenced Topology (if any), and retrieve the
+// newly referenced topology object
+func ensureTopology(


this function seems to be an exact duplicate of

nova-operator/internal/controller/nova/common.go

Line 201 in 123b74b

func ensureTopology(

. This might be a question more for the nova-operator maintainers, but is there a way to reuse code between the controllers of different services?

IIUC the approach is to not share code among the different groups in the operator (nova, placement and cyborg). Let's see what nova-operator maintainers think about it.

Using operator-sdk command: operator-sdk create api --group cyborg --version v1beta1 --kind Cyborg --resource --controller operator-sdk create api --group cyborg --version v1beta1 --kind CyborgAPI --resource --controller operator-sdk create api --group cyborg --version v1beta1 --kind CyborgConductor --resource --controller Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

Define CRD specs for Cyborg, CyborgAPI and CyborgConductor resources: - Add CyborgSpec with DB, RabbitMQ, Keystone and TLS configuration - Add CyborgAPISpec and CyborgConductorSpec with configSecret, replicas, resources, nodeSelector and TLS fields - Implement defaulting and validation webhooks for all three CRDs - Register CRDs in the operator scheme - Update CRD YAML manifests and CSV for OLM Reconcile and configuration logic will be created in next commits. Assisted-By: Claude Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

Add full reconcile logic for the Cyborg CR: - Manage RBAC resources (ServiceAccount, Role, RoleBinding) - Validate input password secret and RabbitMQ TransportURL secret - Create MariaDB database and run DB sync job via a batch Job - Register Cyborg service in Keystone - Create a sub-level secret aggregating DB credentials, transport URL and service password to be consumed by CyborgAPI and CyborgConductor - Track readiness via structured conditions on CyborgStatus - Add functional tests covering the full reconcile flow Assisted-By: Claude Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

Add full reconcile logic for the CyborgConductor CR: - Validate input from the config secret created by the Cyborg controller - Generate conductor config from templates (00-default.conf) - Create a StatefulSet to run cyborg-conductor pods - Track readiness (ReadyCount, conditions, hash, topology) - Expose IsReady and topology helpers on CyborgConductor type - Update CyborgConductorStatus with structured conditions and hash - Extend Cyborg controller to propagate conductor and check readiness upwards - Add functional tests for the conductor reconcile loop Assisted-By: Claude Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

Add full reconcile logic for the CyborgAPI CR: - Validate input from config secret provided by the Cyborg controller - Render WSGI/httpd and cyborg-api configuration templates - Create a StatefulSet for cyborg-api pods with TLS support - Register Keystone endpoints (public and internal) for the API - Track readiness (ReadyCount, conditions, hash, topology) - Expose IsReady and topology helpers on CyborgAPI type - Extend Cyborg controller to create CyborgAPI and check readiness upwards - Add functional tests covering the full API reconcile flow Assisted-By: Claude Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

Add an end-to-end kuttl test suite for the Cyborg operator: - Cleanup step to delete any pre-existing Cyborg CR before the test - Deploy step creating a full Cyborg CR (cyborg-kuttl) - Assert step verifying all conditions are True on Cyborg, CyborgAPI, CyborgConductor and MariaDBDatabase CRs - Error step covering missing-dependency failure scenarios - Register cyborg container images (api, conductor, agent) as default RELATED_IMAGE env vars in the manager deployment - Enable ENABLE_CYBORG=true in the CI webhook deploy script Assisted-By: Claude Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

Deployment using httpd is not longer supported in kolla upstream images since 2026.1 release [1]. [1] https://review.opendev.org/c/openstack/kolla/+/986488 Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

Similar to for CyborgAPI and CyborgConductor and other OpenStack CRDs. Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

The Cyborg controller now generates a `{name}-agent-config` secret containing the rendered configuration for the cyborg-agent service running on EDPM compute nodes. This secret is consumed by the edpm-ansible cyborg role to configure the agent on the dataplane. The shared 00-default.conf template is updated to guard the [database] section with a conditional, allowing reuse for the agent config without a separate template. Assisted-By: claude Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

centosinfra-prod-github-app · 2026-05-20T19:20:02Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/45788455066242d0a1b9031b5e3e69b0

✔️ openstack-meta-content-provider SUCCESS in 3h 45m 37s
❌ nova-operator-kuttl FAILURE in 57m 35s
✔️ nova-operator-tempest-multinode SUCCESS in 2h 24m 25s
✔️ nova-operator-tempest-multinode-ceph SUCCESS in 2h 40m 05s

amoralej · 2026-05-21T08:11:07Z

check-rdo

centosinfra-prod-github-app · 2026-05-21T08:22:31Z

This change depends on a change that failed to merge.

Change #1121 is needed.

amoralej · 2026-05-21T08:23:52Z

check-rdo

centosinfra-prod-github-app · 2026-05-21T09:12:48Z

This change depends on a change that failed to merge.

Change #1121 is needed.

amoralej · 2026-05-21T11:27:56Z

check-rdo

centosinfra-prod-github-app · 2026-05-21T15:53:58Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/e2d6654f54f84a62a45f7c5357f14590

✔️ openstack-meta-content-provider SUCCESS in 4h 23m 58s
❌ nova-operator-kuttl FAILURE in 1h 03m 58s
✔️ nova-operator-tempest-multinode SUCCESS in 2h 17m 14s
❌ nova-operator-tempest-multinode-ceph TIMED_OUT in 3h 29m 59s

openshift-ci Bot requested review from gibizer and jamepark4 April 15, 2026 14:38

cescgina reviewed May 4, 2026

View reviewed changes

Comment thread templates/cyborg/00-default.conf Outdated

cescgina reviewed May 4, 2026

View reviewed changes

Comment thread test/functional/cyborg/base_test.go Outdated

cescgina reviewed May 4, 2026

View reviewed changes

Comment thread test/kuttl/test-suites/default/cyborg-tests/01-assert.yaml Outdated

openshift-ci Bot added the needs-rebase label May 15, 2026

amoralej added 9 commits May 20, 2026 17:05

Use cyborg images from 2025.2 by default

d3b087e

Deployment using httpd is not longer supported in kolla upstream images since 2026.1 release [1]. [1] https://review.opendev.org/c/openstack/kolla/+/986488 Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

Print Status and Message on Cyborg objects

215bdb2

Similar to for CyborgAPI and CyborgConductor and other OpenStack CRDs. Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

amoralej force-pushed the add-cyborg branch from 12d6771 to 5837c1a Compare May 20, 2026 15:11

openshift-ci Bot removed the needs-rebase label May 20, 2026

Conversation

amoralej commented Apr 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci Bot commented Apr 15, 2026

Uh oh!

softwarefactory-project-zuul Bot commented Apr 15, 2026

Uh oh!

amoralej commented Apr 16, 2026

Uh oh!

cescgina May 4, 2026

Choose a reason for hiding this comment

Uh oh!

cescgina May 4, 2026

Choose a reason for hiding this comment

Uh oh!

amoralej May 20, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

centosinfra-prod-github-app Bot commented May 20, 2026

Uh oh!

amoralej commented May 21, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 21, 2026

Uh oh!

amoralej commented May 21, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 21, 2026

Uh oh!

amoralej commented May 21, 2026

Uh oh!

centosinfra-prod-github-app Bot commented May 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

amoralej commented Apr 15, 2026 •

edited

Loading