Adjustment for the Kubernetes 1.24 behavior change

In K8s 1.24, when a ServiceAccount is created, a Secret is no longer created automatically. Need to add extra steps for secret creation.

Closes-bug: 1997750
Signed-off-by: Litao Gao <litao.gao@windriver.com>
Change-Id: Iffa965717b35c55e129e21eca79bfbb1f6668f5d
parent c66d66783b
commit 22f58200f6
@ -29,7 +29,7 @@ application:
- Istio-cni - Kubernetes |CNI| plugin

The Kiali (`https://kiali.io/ <https://kiali.io/>`__) management console for
Istio is also integrated with |prod|, in the Istio system application.
Istio is also integrated with |prod| in the Istio system application.
It provides management functions and visualizations to the service mesh
operation. Metrics and tracing functionalities are not supported at this time.

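Review bot: this comma-only rewording of the Kiali sentence is unrelated to the ServiceAccount/Secret change the commit message describes; either split the Istio doc edits into their own change or mention them in the message so the history explains why this file is touched.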
@ -37,19 +37,19 @@ operation. Metrics and tracing functionalities are not supported at this time.

You can install Istio and Kiali on |prod| from the command line.

#. Locate the Istio tarball in ``/usr/local/share/application/helm``.
#. Locate the Istio tarball in ``/usr/local/share/applications/helm``.

For example:

.. code-block:: none

/usr/local/share/application/helm/istio-<version>.tgz
/usr/local/share/applications/helm/istio-<version>.tgz

#. Upload the application.

.. code-block:: none

~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/istio-<version>.tgz
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/istio-<version>.tgz

#. Apply the application.

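Review bot: the tarball path is corrected from `/usr/local/share/application/helm` to `/usr/local/share/applications/helm` in three places here, but the commit message says nothing about it; add a line to the message, and grep the rest of the docs for the old spelling so the two paths do not survive side by side.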
@ -81,8 +81,8 @@ You can install Istio and Kiali on |prod| from the command line.
EOF
kubectl apply -f istio-cni-nad.yaml

|CNI| is managed by Multus. The NetworkAttachmentDefinition is required in
the application namespace in order to invoke the ``istio-cni`` plugin.
|CNI| is managed by Multus. The ``NetworkAttachmentDefinition`` is required
in the application namespace in order to invoke the ``istio-cni`` plugin.

#. Enable side car for a particular namespace.

@ -95,28 +95,30 @@ You can install Istio and Kiali on |prod| from the command line.
injection webhook is enabled, any new pods that are created in that
namespace will automatically have a sidecar added to them.

#. At this point, you may launch services in the above namespace.
.. rubric:: |result|

When the user application is deployed, the sidecar container
``istio-proxy`` is injected into the user application pod:
At this point, you may have launched services in the above namespace.

Events:
When the user application is deployed, the sidecar container
``istio-proxy`` is injected into the user application pod:

.. code-block:: none
Events:

Type Reason Age From Message
---- ------ ---- ---- -------
...
Normal Created 10s kubelet Created container <user app>
Normal Started 10s kubelet Started container <user app>
...
Normal Created 9s kubelet Created container istio-proxy
Normal Started 8s kubelet Started container istio-proxy
.. code-block:: none

The ``istio-proxy`` sidecar extracts telemetry of all ingress and egress
traffic of the user application that can be monitored and available for
display in Kiali, and it mediates all ingress and egress traffic of the
user application by enforcing policy decisions.
Type Reason Age From Message
---- ------ ---- ---- -------
...
Normal Created 10s kubelet Created container <user app>
Normal Started 10s kubelet Started container <user app>
...
Normal Created 9s kubelet Created container istio-proxy
Normal Started 8s kubelet Started container istio-proxy

The ``istio-proxy`` sidecar extracts telemetry of all ingress and egress
traffic of the user application that can be monitored and available for
display in Kiali, and it mediates all ingress and egress traffic of the
user application by enforcing policy decisions.

---------
Use Kiali

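Review bot: "At this point, you may have launched services in the above namespace." is hedged wording for a |result| section, and the O2 doc in this same change states the same outcome as "You have launched services in the above namespace."; use the definite form in both files. Moving `.. code-block:: none` ahead of `Events:` is the right fix (the kubectl events listing was previously outside the literal block), but indentation is not visible in this view, so check the rendered page to confirm that the paragraph "The ``istio-proxy`` sidecar extracts telemetry ..." is dedented out of the literal block rather than swallowed into it.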
@ -36,21 +36,23 @@ Install

Configure the internal Ceph storage for the O2 application persistent storage,
see |stor-doc|: :ref:`Configure the Internal Ceph Storage Backend
<configure-the-internal-ceph-storage-backend>` and enable |PVC| support in
``oran-o2`` namespace, see |stor-doc|: :ref:`Enable ReadWriteOnce PVC Support in
Additional Namespaces <enable-readwriteonce-pvc-support-in-additional-namespaces>`.
<configure-the-internal-ceph-storage-backend>`.

Enable |PVC| support in ``oran-o2`` namespace, see |stor-doc|: :ref:`Enable
ReadWriteOnce PVC Support in Additional Namespaces
<enable-readwriteonce-pvc-support-in-additional-namespaces>`.

.. rubric:: |proc|

You can install |O-RAN| O2 application on |prod| from the command line.

#. Locate the O2 application tarball in ``/usr/local/share/application/helm``.
#. Locate the O2 application tarball in ``/usr/local/share/applications/helm``.

For example:

.. code-block:: bash

/usr/local/share/application/helm/oran-o2-<version>.tgz
/usr/local/share/applications/helm/oran-o2-<version>.tgz


#. Download ``admin_openrc.sh`` from the |prod| admin dashboard.

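Review bot: splitting the run-on prerequisite into "configure the internal Ceph storage" and "enable |PVC| support in ``oran-o2``" reads better; one nit: the `.. code-block:: bash` wraps a bare tarball path, not a shell command, and the Istio doc uses `none` for the identical snippet, so use `none` here as well.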
@ -71,20 +73,20 @@ You can install |O-RAN| O2 application on |prod| from the command line.

.. code-block:: bash

~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/oran-o2-<version>.tgz
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/oran-o2-<version>.tgz

#. Prepare the override ``yaml`` file.

#. Create a service account for |SMO| and obtain an access token.
#. Create a service account for |SMO| application.

Create a ServiceAccount which can be used to provide |SMO| with minimal
access permission credentials.
Create a `ServiceAccount` which can be used to provide |SMO| application with
minimal access permission credentials.

.. code-block:: bash

export SMO_SERVICEACCOUNT=smo1

cat <<EOF >smo-serviceaccount.yaml
cat <<EOF > smo-serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:

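Review bot: "for |SMO| application" drops the article in both the step title and the body; "for the |SMO| application" reads correctly. Also, single backticks around `ServiceAccount` are RST's default interpreted-text role, not a literal; this same change writes ``NetworkAttachmentDefinition`` and ``istio-cni`` with double backticks, so do the same here (and for `service-account-token` in the next step).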
@ -118,7 +120,27 @@ You can install |O-RAN| O2 application on |prod| from the command line.

kubectl apply -f smo-serviceaccount.yaml

export SMO_SECRET=$(kubectl get serviceaccounts $SMO_SERVICEACCOUNT -o jsonpath='{.secrets[0].name}')
#. Create a secret for service account and obtain an access token.

Create a secret with the type `service-account-token` and pass the
`ServiceAccount` in the annotation section as shown below:

.. code-block:: bash

export SMO_SECRET=smo1-secret

cat <<EOF > smo-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: ${SMO_SECRET}
annotations:
kubernetes.io/service-account.name: ${SMO_SERVICEACCOUNT}
type: kubernetes.io/service-account-token
EOF

kubectl apply -f smo-secret.yaml

export SMO_TOKEN_DATA=$(kubectl get secrets $SMO_SECRET -o jsonpath='{.data.token}' | base64 -d -w 0)

#. Create certificates for the O2 service.
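Review bot: the `export SMO_TOKEN_DATA=$(kubectl get secrets $SMO_SECRET -o jsonpath='{.data.token}' ...)` line runs straight after `kubectl apply -f smo-secret.yaml`, but the token controller fills in `.data.token` asynchronously, so on a fast shell this can export an empty string; add a short retry loop on the jsonpath output (or tell the reader to verify the variable is non-empty) before the token is used in later steps. Neither manifest sets `metadata.namespace`, so the ServiceAccount and the Secret land in whatever namespace the current kubectl context points at; the `kubernetes.io/service-account.name` annotation is resolved in the Secret's own namespace, so if the two end up in different namespaces the token is never issued, and the doc should say which namespace is intended. The text should also state that a `kubernetes.io/service-account-token` Secret is a long-lived, non-expiring credential (which is why 1.24 stopped creating one per ServiceAccount), to be stored and rotated like any static credential; `kubectl create token` (the TokenRequest API) is the bounded-lifetime alternative when the |SMO| can handle token refresh. Nit: `-w 0` is an encode-side wrap option and has no effect with `base64 -d`.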
@ -212,8 +234,8 @@ You can install |O-RAN| O2 application on |prod| from the command line.
EOF

To deploy other versions of an image required for a quick solution, to
have early access to the features (eg. o-ran-sc/pti-o2imsdms:2.0.1), and to
authenticate images that are hosted by a private registry, follow the
have early access to the features (eg. oranscinf/pti-o2imsdms:2.0.1), and
to authenticate images that are hosted by a private registry, follow the
steps below:

#. Create a `docker-registry` secret in ``oran-o2`` namespace.
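Review bot: the example image moves from `o-ran-sc/pti-o2imsdms:2.0.1` to `oranscinf/pti-o2imsdms:2.0.1` with no mention in the commit message; say why the repository changed, since readers pulling from the old name will get a different (or no) image. Nit: "eg." should be "e.g."; the reflow of "and to authenticate" across lines is fine.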
@ -238,7 +260,7 @@ You can install |O-RAN| O2 application on |prod| from the command line.
serviceaccountname: admin-oran-o2
images:
tags:
o2service: ${O2SERVICE_IMAGE_REG}/o-ran-sc/pti-o2imsdms:2.0.1
o2service: ${O2SERVICE_IMAGE_REG}/docker.io/oranscinf/pti-o2imsdms:2.0.1
postgres: ${O2SERVICE_IMAGE_REG}/docker.io/library/postgres:9.6
redis: ${O2SERVICE_IMAGE_REG}/docker.io/library/redis:alpine
pullPolicy: IfNotPresent
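Review bot: the `docker.io/oranscinf/...` form now matches the `postgres` and `redis` lines, good. Since this override is the documented way to pull from a private registry, add a sentence recommending an image digest (`@sha256:...`) over the mutable `2.0.1`, `9.6` and `alpine` tags so that what is deployed is what was vetted; and `postgres:9.6` is past upstream end of life, so the example should not steer readers towards it.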
@ -278,9 +300,12 @@ You can install |O-RAN| O2 application on |prod| from the command line.

~(keystone_admin)]$ watch kubectl get all -n oran-o2

.. rubric:: |result|

You have launched services in the above namespace.

.. rubric:: |postreq|

At this point, you have launched services in the above namespace.
You will need to integrate |prod| with an |SMO| application that performs
management of O-Cloud infrastructure and the deployment life cycle management
of O-RAN cloudified |NFs|. See the following API reference for details:
@ -311,3 +336,7 @@ You can uninstall the |O-RAN| O2 application on |prod| from the command line.
.. code-block:: bash

~(keystone_admin)]$ system application-delete oran-o2

.. rubric:: |result|

You have uninstalled the O2 application from the system.

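Review bot: the new result statement covers the application only; the `ServiceAccount`, the `kubernetes.io/service-account-token` Secret and the `docker-registry` secret that the install procedure creates with plain `kubectl apply` are not part of the application and nothing here removes them. The token Secret is a standing credential for the |SMO|, so the uninstall section should tell the reader to delete those objects (or the namespace) as part of the clean-up.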
@ -207,4 +207,18 @@ application-specific namespaces to access the |RBD| provisioner's **general stor
You can now create and mount PVCs from the default |RBD| provisioner's
**general storage class**, from within these application-specific namespaces.

#. Apply the secret to the new rbd-provisioner namespace.

Check if the secret has been created in the new namespace by running the
following command:

.. code-block:: none

~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n <namespace>

If the secret has not been created in the new namespace, create it by
running the following command:

.. code-block:: none

~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n default -o yaml | grep -v '^\s*namespace:\s' | kubectl apply -n <namespace> -f -

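Review bot: the copy pipeline filters only `namespace:`, but `kubectl get secret ... -o yaml` also carries the server-populated `metadata.resourceVersion`, `uid` and `creationTimestamp` of the `default`-namespace object, and the API server rejects a create that carries a `resourceVersion` ("resourceVersion should not be set on objects to be created"); drop those fields as well, or build the new Secret from `.data` alone. Second, the new step is placed after "You can now create and mount PVCs ...", yet the secret is a prerequisite for mounting, so it belongs before that sentence. Also say explicitly that a non-zero exit (NotFound) from the `kubectl get secret ... -n <namespace>` check is the signal to run the copy, and note in the text that this puts the Ceph pool key into every application namespace, where anyone allowed to read secrets there can read it.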