OVHcloud
The OVH plugin enables formae to manage OVH Public Cloud resources. It uses the OpenStack APIs via gophercloud for compute, networking, and storage, and the OVH API for managed services like databases, Kubernetes, and the container registry.
Configuration
Target
Configure an OVH target in your Forma file:
```pkl
import "@formae/formae.pkl"
import "@ovh/ovh.pkl"

target: formae.Target = new formae.Target {
  label = "ovh-target"
  config = new ovh.Config {
    authURL = "https://auth.cloud.ovh.net/v3" // EU regions
    // authURL = "https://auth.cloud.ovh.us/v3" // US regions
    region = "GRA7"
  }
}
```
Config field mutability:
| Field | Mutable | Description |
|---|---|---|
| ovhEndpoint | Yes | Changing the OVH endpoint updates the target in place |
| applicationKey | Yes | Changing the application key updates the target in place |
| applicationSecret | Yes | Changing the application secret updates the target in place |
| consumerKey | Yes | Changing the consumer key updates the target in place |
| region | No | Changing the region triggers a full target replace |
| projectId | No | Changing the project ID triggers a full target replace |
See Per-field config mutability for details.
Supported regions:
| Region | Location |
|---|---|
| BHS5 | Beauharnois, Canada |
| DE1 | Frankfurt, Germany |
| GRA7, GRA9 | Gravelines, France |
| SBG5 | Strasbourg, France |
| UK1 | London, UK |
| WAW1 | Warsaw, Poland |
| US-EAST-VA-1 | Virginia, USA |
Credentials
The plugin uses OpenStack environment variables for authentication. Credentials are never stored in the target config.
Required environment variables:
```bash
export OS_USERNAME="your-openstack-username"
export OS_PASSWORD="your-openstack-password"
export OS_PROJECT_ID="your-project-id"
export OS_USER_DOMAIN_NAME="Default" # Optional, defaults to "Default"
```
Getting credentials from OVH:
- Go to the OVH Control Panel.
- Navigate to Public Cloud > Project > Users & Roles.
- Create a new user or use an existing one.
- Download the OpenStack RC file or note the credentials.
Managed services (Databases, Kubernetes, Container Registry, DNS) additionally use the OVH API. Set these if you plan to manage those resources:
```bash
export OVH_APPLICATION_KEY="your-application-key"
export OVH_APPLICATION_SECRET="your-application-secret"
export OVH_CONSUMER_KEY="your-consumer-key"
```
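A preflight check for the variables listed in this section, as an added example that is not part of formae or the OVH plugin. It fails before any apply if the OpenStack credentials are missing or the OVH API triple is only partially set, and it prints variable names only, never values; the function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of formae or its OVH plugin. Function names and
# exit codes are this example's own. Only variable NAMES are ever printed.

# is_set NAME: true if the named variable is set and non-empty.
# eval is safe here because callers pass fixed names, never user input.
is_set() {
    eval "[ -n \"\${$1:-}\" ]"
}

# missing_vars NAME...: prints the names that are unset or empty.
missing_vars() {
    out=""
    for name in "$@"; do
        if ! is_set "$name"; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s' "$out"
}

# check_ovh_env [--managed]
#   0  ready
#   1  a required OpenStack variable is missing
#   2  OVH API variables are partially set, or missing with --managed
check_ovh_env() {
    mode="${1:-}"
    missing=$(missing_vars OS_USERNAME OS_PASSWORD OS_PROJECT_ID)
    if [ -n "$missing" ]; then
        echo "missing OpenStack variables: $missing" >&2
        return 1
    fi
    # OS_USER_DOMAIN_NAME is optional (defaults to "Default"), so not checked.
    api_missing=$(missing_vars OVH_APPLICATION_KEY OVH_APPLICATION_SECRET \
        OVH_CONSUMER_KEY)
    set -- $api_missing   # word-split on purpose to count missing names
    if [ "$#" -eq 3 ] && [ "$mode" != "--managed" ]; then
        return 0          # OVH API not configured and not requested
    fi
    if [ "$#" -gt 0 ]; then
        echo "missing OVH API variables: $api_missing" >&2
        return 2
    fi
    return 0
}

# Usage: check_ovh_env --managed && formae apply --mode reconcile <file.pkl>
```

Pass `--managed` when the Forma file contains Database, Kubernetes, Container Registry, or DNS resources.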
Examples
Examples are bundled with formae at /opt/pel/formae/examples/formae-plugin-ovh/.
Before running any example, resolve the Pkl dependencies:
```bash
pkl project resolve /opt/pel/formae/examples/formae-plugin-ovh
```
Available examples:
| Example | Description |
|---|---|
| lifeline | Network, subnet, router, floating IP, and security groups |
The lifeline example creates foundational infrastructure equivalent to:
- Network (VPC in AWS)
- Subnet with DHCP
- Router with external gateway (Internet Gateway + Route Table in AWS)
- Floating IP (Elastic IP in AWS)
- Security groups for web and SSH access
```bash
# Evaluate an example
formae eval /opt/pel/formae/examples/formae-plugin-ovh/lifeline/basic_infrastructure.pkl

# Apply resources
formae apply --mode reconcile --watch /opt/pel/formae/examples/formae-plugin-ovh/lifeline/basic_infrastructure.pkl
```
Supported Resources
All types are discoverable and extractable.
Compute
| Type | Description |
|---|---|
| OVH::Compute::Instance | Virtual machine backed by an image and flavor, with optional user data and SSH key |
| OVH::Compute::SSHKey | Public SSH key registered on the project for instance login |
| OVH::Compute::Volume | Block storage volume that can be attached to an instance |
| OVH::Compute::VolumeAttachment | Attachment that binds a volume to an instance |
| OVH::Compute::VolumeSnapshot | Point-in-time snapshot of a volume |
DNS
| Type | Description |
|---|---|
| OVH::DNS::Zone | Authoritative DNS zone (e.g. example.com) with optional DNSSEC |
| OVH::DNS::Record | Record within a zone (A, AAAA, CNAME, MX, TXT, SRV, NS, CAA, and more) |
| OVH::DNS::Redirection | HTTP redirection for a subdomain (visible, visible permanent, or invisible) |
Database
OVH Managed Databases support PostgreSQL, MySQL, MongoDB, Redis, Kafka, Cassandra, M3DB, OpenSearch, and Grafana.
| Type | Description |
|---|---|
| OVH::Database::Service | Managed database cluster for any supported engine, with plan tier and network type |
| OVH::Database::Database | Database or schema within a PostgreSQL or MySQL service |
| OVH::Database::User | Database user with engine-specific roles |
| OVH::Database::IpRestriction | IP allowlist entry controlling network access to a service |
| OVH::Database::Integration | Link between services (e.g. Kafka Connect, Kafka MirrorMaker, OpenSearch logs, Grafana dashboards) |
| OVH::Database::KafkaTopic | Kafka topic with partition, replication, and retention settings |
| OVH::Database::KafkaAcl | Kafka ACL granting read, write, readwrite, or admin on a topic |
| OVH::Database::PostgresqlConnectionPool | PgBouncer connection pool with session, transaction, or statement mode |
Kubernetes
| Type | Description |
|---|---|
| OVH::Kube::Cluster | Managed Kubernetes control plane with configurable update policy and kube-proxy mode |
| OVH::Kube::NodePool | Worker node pool with flavor, autoscaling, taints, and labels |
| OVH::Kube::IpRestriction | IP allowlist for the Kubernetes API server |
| OVH::Kube::Oidc | OIDC provider configuration for cluster authentication |
Network
| Type | Description |
|---|---|
| OVH::Network::Network | Neutron network (OpenStack) |
| OVH::Network::Subnet | Subnet within a Neutron network, with CIDR, gateway, and DHCP settings |
| OVH::Network::Port | Neutron port on a network, typically attached to an instance or router |
| OVH::Network::Router | Neutron router with an external gateway and static routes |
| OVH::Network::FloatingIP | Public IP that can be associated with a port or instance |
| OVH::Network::Gateway | OVH managed gateway (model s, m, or l) on a private subnet for outbound and VPN |
| OVH::Network::PrivateNetwork | OVH vRack private network with a VLAN ID |
| OVH::Network::PrivateSubnet | Subnet attached to an OVH private network |
| OVH::Network::SecurityGroup | Security group for instance traffic filtering |
| OVH::Network::SecurityGroupRule | Ingress or egress rule on a security group |
Container Registry
| Type | Description |
|---|---|
| OVH::Registry::Registry | Managed Harbor registry with a plan tier (SMALL, MEDIUM, LARGE) |
| OVH::Registry::User | Harbor user with generated credentials |
| OVH::Registry::IpRestriction | IP allowlist for management or registry endpoints |
| OVH::Registry::Oidc | OIDC authentication configuration for the Harbor instance |
Storage
| Type | Description |
|---|---|
| OVH::Storage::Container | Swift object storage container |
| OVH::Storage::S3Bucket | S3-compatible bucket with optional versioning and encryption |
Release notes
See release notes for changes per version.