From 41631c390a1af98617b16da3f2424ff283a25e84 Mon Sep 17 00:00:00 2001 From: Evgeny L Date: Mon, 22 Apr 2019 16:36:48 +0000 Subject: [PATCH] Update docs, clarify the requirements on DNS names registration Airship Seaworthy installation requires a set of valid DNS names to be configured, ensure that the user register these names prior to running the deployment. Change-Id: I7846e5bdcaf55560f8a0d841fd3dc1db7c912490 --- doc/source/authoring_and_deployment.rst | 86 +++++++++++++++++-------- 1 file changed, 58 insertions(+), 28 deletions(-) diff --git a/doc/source/authoring_and_deployment.rst b/doc/source/authoring_and_deployment.rst index 3ae899972..81388b478 100644 --- a/doc/source/authoring_and_deployment.rst +++ b/doc/source/authoring_and_deployment.rst @@ -179,7 +179,6 @@ Establishing build node environment git clone https://git.openstack.org/openstack/airship-pegleg git clone https://git.openstack.org/openstack/airship-treasuremap - Building Site documents ----------------------- 
@@ -237,6 +236,64 @@ the order in which you should build your site files is as follows: 4. site/$NEW\_SITE/pki/pki-catalog.yaml 5. All other site files +Register DNS names +~~~~~~~~~~~~~~~~~~ + +Register the following list of DNS names: + +:: + + cloudformation.DOMAIN + compute.DOMAIN + dashboard.DOMAIN + grafana.DOMAIN + iam.DOMAIN + identity.DOMAIN + image.DOMAIN + kibana.DOMAIN + nagios.DOMAIN + network.DOMAIN + nova-novncproxy.DOMAIN + object-store.DOMAIN + orchestration.DOMAIN + placement.DOMAIN + shipyard.DOMAIN + volume.DOMAIN + +Here ``DOMAIN`` is a name of ingress domain, you can find it in the +``data.dns.ingress_domain`` section of +``site/${NEW_SITE}/secrets/certificates/ingress.yaml`` configuration file. + +Run the following command to get up to date list of required DNS names: + +:: + + grep -E 'host: .+DOMAIN' site/${NEW_SITE}/software/config/endpoints.yaml | \ + sort -u | awk '{print $2}' + +Update Secrets +~~~~~~~~~~~~~~ + +Replace passphrases under ``site/${NEW_SITE}/secrets/passphrases/`` +with random generated ones: + +- Passpharses generation ``openssl rand -hex 10`` +- UUID generation ``uuidgen`` (e.g. for Ceph filesystem ID) +- Update ``secrets/passphrases/ipmi_admin_password.yaml`` with IPMI password +- Update ``secrets/passphrases/ubuntu_crypt_password.yaml`` with password hash: + +:: + + python3 -c "from crypt import *; print(crypt('', METHOD_SHA512))" + +Configure certificates in ``site/${NEW_SITE}/secrets/certificates/ingress.yaml``, +they need to be issued for the domains configured in ``Register DNS names`` section. + +.. caution:: + + It is required to configure valid certificates, self-signed certificates + are not supported. + Control Plane Ceph Cluster Notes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -335,33 +392,6 @@ The data section of this file would look like: type: block-logical location: /dev/sdc2 - -Update Passphrases -~~~~~~~~~~~~~~~~~~~~ - -Replace passphrases under ``site/${NEW_SITE}/secrets/passphrases/`` -with random generated ones: - -- Passpharses generation ``openssl rand -hex 10`` -- UUID generation ``uuidgen`` (e.g. for Ceph filesystem ID) -- Update ``secrets/passphrases/ipmi_admin_password.yaml`` with IPMI password -- Update ``secrets/passphrases/ubuntu_crypt_password.yaml`` with password hash: - -:: - - python3 -c "from crypt import *; print(crypt('', METHOD_SHA512))" - -Configure certificates in ``site/${NEW_SITE}/secrets/certificates/ingress.yaml``, -they need to be issued for domain configured in a section ``data.dns.ingress_domain`` -of a file ``./site/${NEW_SITE}/networks/common-addresses.yaml``. A list of endpoints -which will be used with these certificates can be found in the following file -``./site/${NEW_SITE}/software/config/endpoints.yaml``. - -.. caution:: - - It's required to configure valid certificates, self-signed certificates - are not supported. - Manifest linting and combining layers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
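Review bot: The file named for ``data.dns.ingress_domain`` in the added "Register DNS names" text (second hunk, ``@@ -237,6 +236,64 @@``) contradicts the paragraph this patch removes. The new text points to ``site/${NEW_SITE}/secrets/certificates/ingress.yaml``, while the removed text located the same key in ``./site/${NEW_SITE}/networks/common-addresses.yaml``. Since ``ingress.yaml`` is the file the certificates are configured in, the path looks swapped; please confirm which file holds the key and fix the reference. In the same hunk, the relocated "Update Secrets" list still carries the "Passpharses" typo, and ``crypt('', METHOD_SHA512)`` as written hashes an empty string. Say explicitly that the password goes between the quotes, or read it with ``getpass`` so it does not land in shell history.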
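Review bot: The commit message covers only DNS name registration, but the third hunk (``@@ -335,33 +392,6 @@``) also removes the "Update Passphrases" section, which the second hunk re-adds earlier in the file as "Update Secrets". Please mention the move and the rename in the commit message, and check that nothing else in the docs links to the old section title. The removed paragraph also named ``./site/${NEW_SITE}/software/config/endpoints.yaml`` as the list of endpoints the certificates are used with. The replacement sentence only refers back to the "Register DNS names" section, so consider keeping that explicit pointer next to the certificate instructions.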