starlingx/docs
Code Issues Proposed changes

Adjustment for the kubernetes 1.24 behavior change

Browse Source 
In K8s 1.24, when a ServiceAccount is created, no
more Secret is created automatically. Need to add
extra steps for secret creation.

Closes-bug: 1997750

Signed-off-by: Litao Gao <litao.gao@windriver.com>
Change-Id: Iffa965717b35c55e129e21eca79bfbb1f6668f5d
This commit is contained in:
Litao Gao
2022-11-24 06:47:11 -05:00
parent c66d66783b
commit 22f58200f6
3 changed files with 83 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
doc/source/admintasks/kubernetes/istio-service-mesh-application-eee5ebb3d3c4.rst
View File

@@ -29,7 +29,7 @@ application:
- Istio-cni - Kubernetes |CNI| plugin - Istio-cni - Kubernetes |CNI| plugin
The Kiali (`https://kiali.io/ <https://kiali.io/>`__) management console for The Kiali (`https://kiali.io/ <https://kiali.io/>`__) management console for
Istio is also integrated with |prod|, in the Istio system application. Istio is also integrated with |prod| in the Istio system application.
It provides management functions and visualizations to the service mesh It provides management functions and visualizations to the service mesh
operation. Metrics and tracing functionalities are not supported at this time. operation. Metrics and tracing functionalities are not supported at this time.
@@ -37,19 +37,19 @@ operation. Metrics and tracing functionalities are not supported at this time.
You can install Istio and Kiali on |prod| from the command line. You can install Istio and Kiali on |prod| from the command line.
#. Locate the Istio tarball in ``/usr/local/share/application/helm``. #. Locate the Istio tarball in ``/usr/local/share/applications/helm``.
For example: For example:
.. code-block:: none .. code-block:: none
/usr/local/share/application/helm/istio-<version>.tgz /usr/local/share/applications/helm/istio-<version>.tgz
#. Upload the application. #. Upload the application.
.. code-block:: none .. code-block:: none
~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/istio-<version>.tgz ~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/istio-<version>.tgz
#. Apply the application. #. Apply the application.
@@ -81,8 +81,8 @@ You can install Istio and Kiali on |prod| from the command line.
EOF EOF
kubectl apply -f istio-cni-nad.yaml kubectl apply -f istio-cni-nad.yaml
|CNI| is managed by Multus. The NetworkAttachmentDefinition is required in |CNI| is managed by Multus. The ``NetworkAttachmentDefinition`` is required
the application namespace in order to invoke the ``istio-cni`` plugin. in the application namespace in order to invoke the ``istio-cni`` plugin.
#. Enable side car for a particular namespace. #. Enable side car for a particular namespace.
@@ -95,28 +95,30 @@ You can install Istio and Kiali on |prod| from the command line.
injection webhook is enabled, any new pods that are created in that injection webhook is enabled, any new pods that are created in that
namespace will automatically have a sidecar added to them. namespace will automatically have a sidecar added to them.
#. At this point, you may launch services in the above namespace. .. rubric:: |result|
When the user application is deployed, the sidecar container At this point, you may have launched services in the above namespace.
``istio-proxy`` is injected into the user application pod:
Events: When the user application is deployed, the sidecar container
``istio-proxy`` is injected into the user application pod:
.. code-block:: none Events:
Type Reason Age From Message .. code-block:: none
---- ------ ---- ---- -------
...
Normal Created 10s kubelet Created container <user app>
Normal Started 10s kubelet Started container <user app>
...
Normal Created 9s kubelet Created container istio-proxy
Normal Started 8s kubelet Started container istio-proxy
The ``istio-proxy`` sidecar extracts telemetry of all ingress and egress Type Reason Age From Message
traffic of the user application that can be monitored and available for ---- ------ ---- ---- -------
display in Kiali, and it mediates all ingress and egress traffic of the ...
user application by enforcing policy decisions. Normal Created 10s kubelet Created container <user app>
Normal Started 10s kubelet Started container <user app>
...
Normal Created 9s kubelet Created container istio-proxy
Normal Started 8s kubelet Started container istio-proxy
The ``istio-proxy`` sidecar extracts telemetry of all ingress and egress
traffic of the user application that can be monitored and available for
display in Kiali, and it mediates all ingress and egress traffic of the
user application by enforcing policy decisions.
--------- ---------
Use Kiali Use Kiali

59
doc/source/admintasks/kubernetes/oran-o2-application-b50a0c899e66.rst
View File

@@ -36,21 +36,23 @@ Install
Configure the internal Ceph storage for the O2 application persistent storage, Configure the internal Ceph storage for the O2 application persistent storage,
see |stor-doc|: :ref:`Configure the Internal Ceph Storage Backend see |stor-doc|: :ref:`Configure the Internal Ceph Storage Backend
<configure-the-internal-ceph-storage-backend>` and enable |PVC| support in <configure-the-internal-ceph-storage-backend>`.
``oran-o2`` namespace, see |stor-doc|: :ref:`Enable ReadWriteOnce PVC Support in
Additional Namespaces <enable-readwriteonce-pvc-support-in-additional-namespaces>`. Enable |PVC| support in ``oran-o2`` namespace, see |stor-doc|: :ref:`Enable
ReadWriteOnce PVC Support in Additional Namespaces
<enable-readwriteonce-pvc-support-in-additional-namespaces>`.
.. rubric:: |proc| .. rubric:: |proc|
You can install |O-RAN| O2 application on |prod| from the command line. You can install |O-RAN| O2 application on |prod| from the command line.
#. Locate the O2 application tarball in ``/usr/local/share/application/helm``. #. Locate the O2 application tarball in ``/usr/local/share/applications/helm``.
For example: For example:
.. code-block:: bash .. code-block:: bash
/usr/local/share/application/helm/oran-o2-<version>.tgz /usr/local/share/applications/helm/oran-o2-<version>.tgz
#. Download ``admin_openrc.sh`` from the |prod| admin dashboard. #. Download ``admin_openrc.sh`` from the |prod| admin dashboard.
@@ -71,20 +73,20 @@ You can install |O-RAN| O2 application on |prod| from the command line.
.. code-block:: bash .. code-block:: bash
~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/oran-o2-<version>.tgz ~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/oran-o2-<version>.tgz
#. Prepare the override ``yaml`` file. #. Prepare the override ``yaml`` file.
#. Create a service account for |SMO| and obtain an access token. #. Create a service account for |SMO| application.
Create a ServiceAccount which can be used to provide |SMO| with minimal Create a `ServiceAccount` which can be used to provide |SMO| application with
access permission credentials. minimal access permission credentials.
.. code-block:: bash .. code-block:: bash
export SMO_SERVICEACCOUNT=smo1 export SMO_SERVICEACCOUNT=smo1
cat <<EOF >smo-serviceaccount.yaml cat <<EOF > smo-serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@@ -118,7 +120,27 @@ You can install |O-RAN| O2 application on |prod| from the command line.
kubectl apply -f smo-serviceaccount.yaml kubectl apply -f smo-serviceaccount.yaml
export SMO_SECRET=$(kubectl get serviceaccounts $SMO_SERVICEACCOUNT -o jsonpath='{.secrets[0].name}') #. Create a secret for service account and obtain an access token.
Create a secret with the type `service-account-token` and pass the
`ServiceAccount` in the annotation section as shown below:
.. code-block:: bash
export SMO_SECRET=smo1-secret
cat <<EOF > smo-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: ${SMO_SECRET}
annotations:
kubernetes.io/service-account.name: ${SMO_SERVICEACCOUNT}
type: kubernetes.io/service-account-token
EOF
kubectl apply -f smo-secret.yaml
export SMO_TOKEN_DATA=$(kubectl get secrets $SMO_SECRET -o jsonpath='{.data.token}' | base64 -d -w 0) export SMO_TOKEN_DATA=$(kubectl get secrets $SMO_SECRET -o jsonpath='{.data.token}' | base64 -d -w 0)
#. Create certificates for the O2 service. #. Create certificates for the O2 service.
@@ -212,8 +234,8 @@ You can install |O-RAN| O2 application on |prod| from the command line.
EOF EOF
To deploy other versions of an image required for a quick solution, to To deploy other versions of an image required for a quick solution, to
have early access to the features (eg. o-ran-sc/pti-o2imsdms:2.0.1), and to have early access to the features (eg. oranscinf/pti-o2imsdms:2.0.1), and
authenticate images that are hosted by a private registry, follow the to authenticate images that are hosted by a private registry, follow the
steps below: steps below:
#. Create a `docker-registry` secret in ``oran-o2`` namespace. #. Create a `docker-registry` secret in ``oran-o2`` namespace.
@@ -238,7 +260,7 @@ You can install |O-RAN| O2 application on |prod| from the command line.
serviceaccountname: admin-oran-o2 serviceaccountname: admin-oran-o2
images: images:
tags: tags:
o2service: ${O2SERVICE_IMAGE_REG}/o-ran-sc/pti-o2imsdms:2.0.1 o2service: ${O2SERVICE_IMAGE_REG}/docker.io/oranscinf/pti-o2imsdms:2.0.1
postgres: ${O2SERVICE_IMAGE_REG}/docker.io/library/postgres:9.6 postgres: ${O2SERVICE_IMAGE_REG}/docker.io/library/postgres:9.6
redis: ${O2SERVICE_IMAGE_REG}/docker.io/library/redis:alpine redis: ${O2SERVICE_IMAGE_REG}/docker.io/library/redis:alpine
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@@ -278,9 +300,12 @@ You can install |O-RAN| O2 application on |prod| from the command line.
~(keystone_admin)]$ watch kubectl get all -n oran-o2 ~(keystone_admin)]$ watch kubectl get all -n oran-o2
.. rubric:: |result|
You have launched services in the above namespace.
.. rubric:: |postreq| .. rubric:: |postreq|
At this point, you have launched services in the above namespace.
You will need to integrate |prod| with an |SMO| application that performs You will need to integrate |prod| with an |SMO| application that performs
management of O-Cloud infrastructure and the deployment life cycle management management of O-Cloud infrastructure and the deployment life cycle management
of O-RAN cloudified |NFs|. See the following API reference for details: of O-RAN cloudified |NFs|. See the following API reference for details:
@@ -311,3 +336,7 @@ You can uninstall the |O-RAN| O2 application on |prod| from the command line.
.. code-block:: bash .. code-block:: bash
~(keystone_admin)]$ system application-delete oran-o2 ~(keystone_admin)]$ system application-delete oran-o2
.. rubric:: |result|
You have uninstalled the O2 application from the system.

14
doc/source/storage/kubernetes/enable-readwriteonce-pvc-support-in-additional-namespaces.rst
View File

@@ -207,4 +207,18 @@ application-specific namespaces to access the |RBD| provisioner's **general stor
You can now create and mount PVCs from the default |RBD| provisioner's You can now create and mount PVCs from the default |RBD| provisioner's
**general storage class**, from within these application-specific namespaces. **general storage class**, from within these application-specific namespaces.
#. Apply the secret to the new rbd-provisioner namespace.
Check if the secret has been created in the new namespace by running the
following command:
.. code-block:: none
~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n <namespace>
If the secret has not been created in the new namespace, create it by
running the following command:
.. code-block:: none
~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n default -o yaml | grep -v '^\s*namespace:\s' | kubectl apply -n <namespace> -f -