Adjustment for the kubernetes 1.24 behavior change

In K8s 1.24, when a ServiceAccount is created, no
more Secret is created automatically. Need to add
extra steps for secret creation.

Closes-bug: 1997750

Signed-off-by: Litao Gao <litao.gao@windriver.com>
Change-Id: Iffa965717b35c55e129e21eca79bfbb1f6668f5d

doc/source/admintasks/kubernetes/istio-service-mesh-application-eee5ebb3d3c4.rst

@@ -29,7 +29,7 @@ application:
 -   Istio-cni - Kubernetes |CNI| plugin
 
 The Kiali (`https://kiali.io/ <https://kiali.io/>`__) management console for
-Istio is also integrated with |prod|, in the Istio system application.
+Istio is also integrated with |prod| in the Istio system application.
 It provides management functions and visualizations to the service mesh
 operation. Metrics and tracing functionalities are not supported at this time.
 
@@ -37,19 +37,19 @@ operation. Metrics and tracing functionalities are not supported at this time.
 
 You can install Istio and Kiali on |prod| from the command line.
 
-#.  Locate the Istio tarball in ``/usr/local/share/application/helm``.
+#.  Locate the Istio tarball in ``/usr/local/share/applications/helm``.
 
     For example:
 
     .. code-block:: none
 
-        /usr/local/share/application/helm/istio-<version>.tgz
+        /usr/local/share/applications/helm/istio-<version>.tgz
 
 #.  Upload the application.
 
     .. code-block:: none
 
-        ~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/istio-<version>.tgz
+        ~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/istio-<version>.tgz
 
 #.  Apply the application.
 
@@ -81,8 +81,8 @@ You can install Istio and Kiali on |prod| from the command line.
         EOF
         kubectl apply -f istio-cni-nad.yaml
 
-    |CNI| is managed by Multus. The NetworkAttachmentDefinition is required in
-    the application namespace in order to invoke the ``istio-cni`` plugin.
+    |CNI| is managed by Multus. The ``NetworkAttachmentDefinition`` is required
+    in the application namespace in order to invoke the ``istio-cni`` plugin.
 
 #.  Enable side car for a particular namespace.
 
@@ -95,14 +95,16 @@ You can install Istio and Kiali on |prod| from the command line.
     injection webhook is enabled, any new pods that are created in that
     namespace will automatically have a sidecar added to them.
 
-#.  At this point, you may launch services in the above namespace.
+.. rubric:: |result|
 
-    When the user application is deployed, the sidecar container
-    ``istio-proxy`` is injected into the user application pod:
+At this point, you may have launched services in the above namespace.
 
-    Events:
+When the user application is deployed, the sidecar container
+``istio-proxy`` is injected into the user application pod:
 
-    .. code-block:: none
+Events:
+
+.. code-block:: none
 
     Type    Reason     Age   From               Message
     ----    ------     ----  ----               -------
@@ -113,10 +115,10 @@ You can install Istio and Kiali on |prod| from the command line.
     Normal  Created    9s    kubelet            Created container istio-proxy
     Normal  Started    8s    kubelet            Started container istio-proxy
 
-    The ``istio-proxy`` sidecar extracts telemetry of all ingress and egress
-    traffic of the user application that can be monitored and available for
-    display in Kiali, and it mediates all ingress and egress traffic of the
-    user application by enforcing policy decisions.
+The ``istio-proxy`` sidecar extracts telemetry of all ingress and egress
+traffic of the user application that can be monitored and available for
+display in Kiali, and it mediates all ingress and egress traffic of the
+user application by enforcing policy decisions.
 
 ---------
 Use Kiali

doc/source/admintasks/kubernetes/oran-o2-application-b50a0c899e66.rst

@@ -36,21 +36,23 @@ Install
 
 Configure the internal Ceph storage for the O2 application persistent storage,
 see |stor-doc|: :ref:`Configure the Internal Ceph Storage Backend
-<configure-the-internal-ceph-storage-backend>` and enable |PVC| support in
-``oran-o2`` namespace, see |stor-doc|: :ref:`Enable ReadWriteOnce PVC Support in
-Additional Namespaces <enable-readwriteonce-pvc-support-in-additional-namespaces>`.
+<configure-the-internal-ceph-storage-backend>`.
+
+Enable |PVC| support in ``oran-o2`` namespace, see |stor-doc|: :ref:`Enable
+ReadWriteOnce PVC Support in Additional Namespaces
+<enable-readwriteonce-pvc-support-in-additional-namespaces>`.
 
 .. rubric:: |proc|
 
 You can install |O-RAN| O2 application on |prod| from the command line.
 
-#. Locate the O2 application tarball in ``/usr/local/share/application/helm``.
+#. Locate the O2 application tarball in ``/usr/local/share/applications/helm``.
 
    For example:
 
    .. code-block:: bash
 
-       /usr/local/share/application/helm/oran-o2-<version>.tgz
+       /usr/local/share/applications/helm/oran-o2-<version>.tgz
 
 
 #. Download ``admin_openrc.sh`` from the |prod| admin dashboard.
@@ -71,20 +73,20 @@ You can install |O-RAN| O2 application on |prod| from the command line.
 
    .. code-block:: bash
 
-       ~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/oran-o2-<version>.tgz
+       ~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/oran-o2-<version>.tgz
 
 #. Prepare the override ``yaml`` file.
 
-   #. Create a service account for |SMO| and obtain an access token.
+   #. Create a service account for |SMO| application.
 
-      Create a ServiceAccount which can be used to provide |SMO| with minimal
-      access permission credentials.
+      Create a `ServiceAccount` which can be used to provide |SMO| application with
+      minimal access permission credentials.
 
       .. code-block:: bash
 
           export SMO_SERVICEACCOUNT=smo1
 
-          cat <<EOF >smo-serviceaccount.yaml
+          cat <<EOF > smo-serviceaccount.yaml
           apiVersion: rbac.authorization.k8s.io/v1
           kind: Role
           metadata:
@@ -118,7 +120,27 @@ You can install |O-RAN| O2 application on |prod| from the command line.
 
           kubectl apply -f smo-serviceaccount.yaml
 
-          export SMO_SECRET=$(kubectl get serviceaccounts $SMO_SERVICEACCOUNT -o jsonpath='{.secrets[0].name}')
+   #. Create a secret for service account and obtain an access token.
+
+      Create a secret with the type `service-account-token` and pass the
+      `ServiceAccount` in the annotation section as shown below:
+
+      .. code-block:: bash
+
+          export SMO_SECRET=smo1-secret
+
+          cat <<EOF > smo-secret.yaml
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: ${SMO_SECRET}
+            annotations:
+              kubernetes.io/service-account.name: ${SMO_SERVICEACCOUNT}
+          type: kubernetes.io/service-account-token
+          EOF
+
+          kubectl apply -f smo-secret.yaml
+
           export SMO_TOKEN_DATA=$(kubectl get secrets $SMO_SECRET -o jsonpath='{.data.token}' | base64 -d -w 0)
 
    #. Create certificates for the O2 service.
@@ -212,8 +234,8 @@ You can install |O-RAN| O2 application on |prod| from the command line.
           EOF
 
       To deploy other versions of an image required for a quick solution, to
-      have early access to the features (eg. o-ran-sc/pti-o2imsdms:2.0.1), and to
-      authenticate images that are hosted by a private registry, follow the
+      have early access to the features (eg. oranscinf/pti-o2imsdms:2.0.1), and
+      to authenticate images that are hosted by a private registry, follow the
       steps below:
 
       #. Create a `docker-registry` secret in ``oran-o2`` namespace.
@@ -238,7 +260,7 @@ You can install |O-RAN| O2 application on |prod| from the command line.
                serviceaccountname: admin-oran-o2
                images:
                  tags:
-                   o2service: ${O2SERVICE_IMAGE_REG}/o-ran-sc/pti-o2imsdms:2.0.1
+                   o2service: ${O2SERVICE_IMAGE_REG}/docker.io/oranscinf/pti-o2imsdms:2.0.1
                    postgres: ${O2SERVICE_IMAGE_REG}/docker.io/library/postgres:9.6
                    redis: ${O2SERVICE_IMAGE_REG}/docker.io/library/redis:alpine
                  pullPolicy: IfNotPresent
@@ -278,9 +300,12 @@ You can install |O-RAN| O2 application on |prod| from the command line.
 
        ~(keystone_admin)]$ watch kubectl get all -n oran-o2
 
+.. rubric:: |result|
+
+You have launched services in the above namespace.
+
 .. rubric:: |postreq|
 
-At this point, you have launched services in the above namespace.
 You will need to integrate |prod| with an |SMO| application that performs
 management of O-Cloud infrastructure and the deployment life cycle management
 of O-RAN cloudified |NFs|. See the following API reference for details:
@@ -311,3 +336,7 @@ You can uninstall the |O-RAN| O2 application on |prod| from the command line.
    .. code-block:: bash
 
        ~(keystone_admin)]$ system application-delete oran-o2
+
+.. rubric:: |result|
+
+You have uninstalled the O2 application from the system.

doc/source/storage/kubernetes/enable-readwriteonce-pvc-support-in-additional-namespaces.rst

@@ -207,4 +207,18 @@ application-specific namespaces to access the |RBD| provisioner's **general stor
     You can now create and mount PVCs from the default |RBD| provisioner's
     **general storage class**, from within these application-specific namespaces.
 
+#.  Apply the secret to the new rbd-provisioner namespace.
 
+    Check if the secret has been created in the new namespace by running the
+    following command:
+
+    .. code-block:: none
+
+        ~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n <namespace>
+
+    If the secret has not been created in the new namespace, create it by
+    running the following command:
+
+    .. code-block:: none
+
+        ~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n default -o yaml | grep -v '^\s*namespace:\s' | kubectl apply -n <namespace> -f -