starlingx/docs
Code Issues Proposed changes

Platform Application Components updates ingress-nginx

Browse Source 
Story: 2009836
Task: 45655

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: I93eb5e8e873c29d01d5311a45c252d481c306243
This commit is contained in:
Elisamara Aoki Goncalves 2022-06-21 10:57:10 -03:00
parent ca28c7b1fe
commit 1e0a190aa6
1 changed files with 20 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
doc/source/security/kubernetes/the-cert-manager-bootstrap-process.rst
View File

@ -2,41 +2,22 @@
.. gks1588335341933 .. gks1588335341933
.. _the-cert-manager-bootstrap-process: .. _the-cert-manager-bootstrap-process:
===================================== ===================================
Configure cert-manager at Bootstrap Configure cert-manager at Bootstrap
===================================== ===================================
Both nginx-ingress-controller and cert-manager are installed at bootstrap time Both ``nginx-ingress-controller`` and ``cert-manager`` are packaged as |prod|
with defaults appropriate to most use cases, but their configuration can be system applications. They are uploaded and applied, by default at bootstrap
modified at bootstrap. time with defaults appropriate to most use cases, but their configuration can
be modified at bootstrap.
Nginx-ingress-controller and cert-manager are packaged as armada system To override the default configuration add an applications section in
applications. ``$HOME/localhost.yml``, as shown below:
Both system applications are uploaded and applied, by default, as part of
the bootstrap phase of the |prod-long| installation.
/usr/share/ansible/stx-ansible/playbooks/host\_vars/bootstrap/default.yml
contains the following definition:
.. code-block:: none
...
applications:
- /usr/local/share/applications/helm/nginx-ingress-controller-1.0-0.tgz:
- /usr/local/share/applications/helm/cert-manager-1.0-0.tgz:
...
As with other parameters in default.yml, you can override this definition in
$HOME/localhost.yml. In the case of the ``applications``: parameter, do this to
change the application helm overrides for an application.
The full general syntax for the ``applications:`` structure is:
.. code-block:: none .. code-block:: none
applications: applications:
- /full/path/to/appOne-1.0-0.tgz: - usr/local/share/applications/helm/nginx-ingress-controller-{version}.tgz:
overrides: overrides:
- chart: appOne-ChartOne - chart: appOne-ChartOne
namespace: kube-system namespace: kube-system
@ -44,33 +25,23 @@ The full general syntax for the ``applications:`` structure is:
- chart: appOne-ChartTwo - chart: appOne-ChartTwo
namespace: kube-system namespace: kube-system
values-path: /home/sysinv/appOne-ChartTwo-overrides.yaml values-path: /home/sysinv/appOne-ChartTwo-overrides.yaml
- /full/path/to/appTwo-1.0-0.tgz: - /usr/local/share/applications/helm/cert-manager-{version}.tgz:
overrides: overrides:
- chart: appTwo-ChartOne - chart: appTwo-ChartOne
namespace: kube-system namespace: kube-system
values-path: /home/sysinv/appTwo-ChartOne-overrides.yaml values-path: /home/sysinv/appTwo-ChartOne-overrides.yaml
If you do override ``applications:`` in $HOME/localhost.yml, note the following: .. note::
Semantically, ``nginx-ingress-controller`` and ``cert-manager`` are
.. _the-cert-manager-bootstrap-process-ul-o3j-vdv-nlb: mandatory and must be in this order, otherwise bootstrap fails.
- The applications: definition in localhost.yml replaces rather than
augments the definition in default.yml.
- Semantically, nginx-ingress-controller and cert-manager are mandatory
and must be in this order, otherwise bootstrap fails.
|org| recommends that you copy ``applications:`` from default.yml and add in
any required overrides.
At a high-level, the default configuration for the two mandatory applications is: At a high-level, the default configuration for the two mandatory applications is:
.. _the-cert-manager-bootstrap-process-ul-dxm-q2v-nlb: .. _the-cert-manager-bootstrap-process-ul-dxm-q2v-nlb:
- nginx-ingress-controller - ``nginx-ingress-controller``
- Runs as a DaemonSet only on controllers. - Runs as a DaemonSet only on controllers.
@ -82,7 +53,7 @@ At a high-level, the default configuration for the two mandatory applications is
- Has a default backend. - Has a default backend.
- cert-manager - ``cert-manager``
- Runs as a Deployment only on controllers. - Runs as a Deployment only on controllers.
@ -93,6 +64,7 @@ At a high-level, the default configuration for the two mandatory applications is
- The deployment replicaCount is set to 1 for bootstrap. - The deployment replicaCount is set to 1 for bootstrap.
.. note:: .. note::
replicaCount can NOT be changed at bootstrap time. The second controller replicaCount can NOT be changed at bootstrap time. The second controller
must be configured and unlocked before replicaCount can be set to 2. must be configured and unlocked before replicaCount can be set to 2.
@ -102,12 +74,10 @@ web pages:
.. _the-cert-manager-bootstrap-process-ul-d4j-khv-nlb: .. _the-cert-manager-bootstrap-process-ul-d4j-khv-nlb:
- Nginx-ingress-controller - ``nginx-ingress-controller``
`https://github.com/kubernetes/ingress-nginx/tree/controller-v0.41.2 <https://github.com/kubernetes/ingress-nginx/tree/controller-v0.41.2>`__ `https://github.com/kubernetes/ingress-nginx/blob/controller-v1.1.1/charts/ingress-nginx/values.yaml <https://github.com/kubernetes/ingress-nginx/blob/controller-v1.1.1/charts/ingress-nginx/values.yaml>`__
- cert-manager
`https://github.com/jetstack/cert-manager/blob/release-0.15/deploy/charts/cert-manager/README.template.md <https://github.com/jetstack/cert-manager/blob/release-0.15/deploy/charts/cert-manager/README.template.md>`__
- ``cert-manager``
`https://github.com/cert-manager/cert-manager/blob/release-1.7/deploy/charts/cert-manager/values.yaml <https://github.com/cert-manager/cert-manager/blob/release-1.7/deploy/charts/cert-manager/values.yaml>`__