Merge "Update docs, clarify the requirements on DNS names registration"
commit
48e7275f2a
@ -179,7 +179,6 @@ Establishing build node environment
|
||||
git clone https://git.openstack.org/openstack/airship-pegleg
|
||||
git clone https://git.openstack.org/openstack/airship-treasuremap
|
||||
|
||||
|
||||
Building Site documents
|
||||
-----------------------
|
||||
|
||||
@ -237,6 +236,64 @@ the order in which you should build your site files is as follows:
|
||||
4. site/$NEW\_SITE/pki/pki-catalog.yaml
|
||||
5. All other site files
|
||||
|
||||
Register DNS names
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Register the following list of DNS names:
|
||||
|
||||
::
|
||||
|
||||
cloudformation.DOMAIN
|
||||
compute.DOMAIN
|
||||
dashboard.DOMAIN
|
||||
grafana.DOMAIN
|
||||
iam.DOMAIN
|
||||
identity.DOMAIN
|
||||
image.DOMAIN
|
||||
kibana.DOMAIN
|
||||
nagios.DOMAIN
|
||||
network.DOMAIN
|
||||
nova-novncproxy.DOMAIN
|
||||
object-store.DOMAIN
|
||||
orchestration.DOMAIN
|
||||
placement.DOMAIN
|
||||
shipyard.DOMAIN
|
||||
volume.DOMAIN
|
||||
|
||||
Here ``DOMAIN`` is a name of ingress domain, you can find it in the
|
||||
``data.dns.ingress_domain`` section of
|
||||
``site/${NEW_SITE}/secrets/certificates/ingress.yaml`` configuration file.
|
||||
|
||||
Run the following command to get up to date list of required DNS names:
|
||||
|
||||
::
|
||||
|
||||
grep -E 'host: .+DOMAIN' site/${NEW_SITE}/software/config/endpoints.yaml | \
|
||||
sort -u | awk '{print $2}'
|
||||
|
||||
Update Secrets
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
Replace passphrases under ``site/${NEW_SITE}/secrets/passphrases/``
|
||||
with random generated ones:
|
||||
|
||||
- Passpharses generation ``openssl rand -hex 10``
|
||||
- UUID generation ``uuidgen`` (e.g. for Ceph filesystem ID)
|
||||
- Update ``secrets/passphrases/ipmi_admin_password.yaml`` with IPMI password
|
||||
- Update ``secrets/passphrases/ubuntu_crypt_password.yaml`` with password hash:
|
||||
|
||||
::
|
||||
|
||||
python3 -c "from crypt import *; print(crypt('<YOUR_PASSWORD>', METHOD_SHA512))"
|
||||
|
||||
Configure certificates in ``site/${NEW_SITE}/secrets/certificates/ingress.yaml``,
|
||||
they need to be issued for the domains configured in ``Register DNS names`` section.
|
||||
|
||||
.. caution::
|
||||
|
||||
It is required to configure valid certificates, self-signed certificates
|
||||
are not supported.
|
||||
|
||||
Control Plane Ceph Cluster Notes
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
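Review bot: In the added "Register DNS names" text, the paragraph beginning "Here ``DOMAIN`` is a name of ingress domain" places ``data.dns.ingress_domain`` in ``site/${NEW_SITE}/secrets/certificates/ingress.yaml``, while the paragraph this change removes further down located the same key in ``./site/${NEW_SITE}/networks/common-addresses.yaml``; please confirm which file holds it and make the reference match. In the grep pipeline, ``sort -u`` runs before ``awk '{print $2}'``, so lines that differ only in indentation survive as duplicate host names; move ``sort -u`` to the end of the pipeline. In "Update Secrets", "Passpharses" should read "Passphrases", ``openssl rand -hex 10`` yields only 80 bits of randomness where a longer value such as ``-hex 32`` costs nothing, and the ``python3 -c`` one-liner puts ``<YOUR_PASSWORD>`` into shell history and the process list, which reading the password with ``getpass`` would avoid.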
@ -335,33 +392,6 @@ The data section of this file would look like:
|
||||
type: block-logical
|
||||
location: /dev/sdc2
|
||||
|
||||
|
||||
Update Passphrases
|
||||
~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Replace passphrases under ``site/${NEW_SITE}/secrets/passphrases/``
|
||||
with random generated ones:
|
||||
|
||||
- Passpharses generation ``openssl rand -hex 10``
|
||||
- UUID generation ``uuidgen`` (e.g. for Ceph filesystem ID)
|
||||
- Update ``secrets/passphrases/ipmi_admin_password.yaml`` with IPMI password
|
||||
- Update ``secrets/passphrases/ubuntu_crypt_password.yaml`` with password hash:
|
||||
|
||||
::
|
||||
|
||||
python3 -c "from crypt import *; print(crypt('<YOUR_PASSWORD>', METHOD_SHA512))"
|
||||
|
||||
Configure certificates in ``site/${NEW_SITE}/secrets/certificates/ingress.yaml``,
|
||||
they need to be issued for domain configured in a section ``data.dns.ingress_domain``
|
||||
of a file ``./site/${NEW_SITE}/networks/common-addresses.yaml``. A list of endpoints
|
||||
which will be used with these certificates can be found in the following file
|
||||
``./site/${NEW_SITE}/software/config/endpoints.yaml``.
|
||||
|
||||
.. caution::
|
||||
|
||||
It's required to configure valid certificates, self-signed certificates
|
||||
are not supported.
|
||||
|
||||
Manifest linting and combining layers
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
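Review bot: Dropping the "Update Passphrases" heading here, with its content reappearing earlier under "Update Secrets", changes the section title, so any cross-reference or external link to the old title will stop resolving; search the docs for "Update Passphrases" and update those references in this same change.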