Merge "Augment subcloud enrollment docs with certificates prerequisites (dsr10, r10)"
@@ -12,6 +12,12 @@ subcloud of a |DC|. For factory pre-installation, standalone systems must be
able to be installed locally in the factory, and later deployed and configured
on-site as a |DC| subcloud without re-installing the system.

A factory pre-installed system can remain staged up to 1 year before
enrollment. This is a limitation related to certificate recovery, where
recovery is possible but it requires manual steps. It is recommended to avoid a
staging period longer than 1 year. However, future versions will support a longer
staging period.

.. rubric:: |prereq|

The following requirements must be met for factory installation of a system:
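Review bot: the new paragraph says recovery after a staging period longer than 1 year "requires manual steps" but neither names them nor links to them, and it does not say which certificate's validity sets the 1-year figure; add a :ref: to the recovery procedure (or name the certificate whose expiry drives the limit) so an operator who finds a system past the limit knows what to do. The sentence "However, future versions will support a longer staging period" is a roadmap statement that will go stale in published documentation; drop it or move it to the release notes.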
@@ -119,16 +125,21 @@ requirements must be met:
- The subcloud platform networks should be configured with the expected IP
family (IPv4 or IPv6) because the IP family of a subcloud cannot be updated.

- SSL_CA certs (system_local_ca_cert, system_local_ca_key, and
system_root_ca_cert) need to be installed on the factory installed subclouds
in ``localhost.yaml`` to enable the |SSL| communication via |OAM| connection during
enrollment. The system controller performing the subcloud enrollment needs to
have a trusted |CA| that can validate the server certificates used for the
factory installed systems. For more details, see :ref:`add-a-trusted-ca`.
- System local |CA| (system_local_ca_cert, system_local_ca_key, and
system_root_ca_cert) needs to be installed on the factory installed subclouds
in ``localhost.yaml`` to enable the |SSL| communication via |OAM| connection
during enrollment. The System Controller performing the subcloud enrollment
needs to have a trusted |CA| that can validate the server certificates used
for the factory installed systems. For more details, see
:ref:`ansible_bootstrap_configs_platform_issuer`. Ensure that the |CA|
certificate used is long lasting and will still be valid at the time of
enrollment.

- Kubernetes RootCA certs need to be specified during the factory installation
process in ``localhost.yaml``, otherwise, the kube-rootca endpoint will be
out of sync and a kube-rootca-strategy is needed to make it in sync.
- Kubernetes Root |CA| certs need to be specified during the factory
installation process in ``localhost.yaml``, otherwise, the kube-rootca endpoint
will be out of sync and a kube-rootca-strategy is needed to make it in sync.
Ensure that the |CA| certificate used is long lasting and will still be
valid at the time of enrollment.

- Additional applications should not be installed on the factory installed
system before completing the enrollment process.
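Review bot: the replacement "System local |CA|" bullet drops the :ref:`add-a-trusted-ca` link that told the reader how to make the subcloud's CA trusted on the System Controller and keeps only :ref:`ansible_bootstrap_configs_platform_issuer`, which covers the subcloud side; keep both references, since the bullet itself says both sides must be set up for the |OAM| TLS connection to validate during enrollment. "Ensure that the |CA| certificate used is long lasting" (repeated in the Kubernetes Root |CA| bullet) should be made concrete, for example valid for at least the intended staging period plus the enrollment window, given the 1-year staging limit introduced earlier in this change. Finally, ``system_local_ca_key`` is a private key written into ``localhost.yaml`` on a system that may sit in staging for up to a year; add a sentence on restricting access to, or removing, that file once bootstrap has consumed it.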
@@ -324,16 +335,16 @@ Example:

# The password for factory install stage, need to be aligned with user-data
# The admin password will not be updated during the enrollment. However, it
# will be synchronized with the system controller after managing the subcloud.
# will be synchronized with the System Controller after managing the subcloud.
admin_password:
# password for factory install stage, need to be align with the admin_password
ansible_become_pass:
# optional, need to install the same cert with the system controller, otherwise
# optional, need to install the same cert with the System Controller, otherwise
# the k8s-rootca endpoint will be out-of-sync after enrollment, but can use
# k8s-rootca-update ochestration to sync it
k8s_root_ca_cert:
k8s_root_ca_key:
# system SSL CA certs are required, and need to align with the system controllers
# system SSL CA certs are required, and need to align with the System Controllers
system_root_ca_cert:
system_local_ca_cert:
system_local_ca_key
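Review bot: ``system_local_ca_key`` on the last line of the example has no trailing colon, unlike ``system_root_ca_cert:`` and ``system_local_ca_cert:`` above it, so the YAML fragment as shown is not valid; add the colon. Since this hunk already rewrites the neighbouring comment lines only to capitalise "System Controller", fix "need to be align" and "ochestration" in the same example while here, and reconcile the "optional" in the ``k8s_root_ca_cert`` comment with the prerequisite earlier in this change, which says the Kubernetes Root |CA| certs need to be specified.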
@@ -635,8 +646,8 @@ should be similar to the original deployment.
not specified during factory installation.

- As a subcloud, static routes from the hosts' admin/management gateway to the
system controller’s management subnet should be added to establish the
communication between the system controllers and the subcloud hosts.
System Controller’s management subnet should be added to establish the
communication between the System Controllers and the subcloud hosts.

- Hosts should be administratively unlocked in this configuration.

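Review bot: this hunk only recapitalises "System Controller" and leaves the static-route requirement without a pointer to where the route is configured or how to confirm it; add a :ref: to the host route procedure or spell the route out (destination: the System Controller's management subnet, next hop: the subcloud hosts' admin/management gateway) so the reader can verify reachability before starting enrollment. The apostrophe in "Controller’s" is a typographic one while "hosts'" on the line above uses ASCII; normalise it.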
@@ -655,8 +666,11 @@ Perform Subcloud Enrollment
- The software ISO and signature files need to be uploaded on the System
Controller before the subcloud enrollment.

- Power on the factory-installed server and wait for controller-0 to be
enabled and alarm-free.
- Power on the factory-installed server and wait for controller-0 to be enabled
and controller-0 to be free from the 250.XXX and 260.XXX alarms.

- Wait for cert-manager to renew certificates marked as `Automatic [Managed by
Cert-Manager]`. Verify with `sudo show-certs.sh` before continuing.

Perform subcloud enrollment using the following command:

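Review bot: "wait for controller-0 to be enabled and controller-0 to be free from the 250.XXX and 260.XXX alarms" repeats the host name and narrows the previous "alarm-free" condition to two alarm families without saying what they cover or why other alarms may be ignored; either keep "alarm-free" or state what 250.XXX and 260.XXX represent. The new cert-manager bullet uses single backticks for ``Automatic [Managed by Cert-Manager]`` and ``sudo show-certs.sh``, which Sphinx renders as interpreted text rather than literals; use the double backticks the file already uses for ``localhost.yaml``, and say what in the ``show-certs.sh`` output confirms the renewal (an expiry date beyond the planned enrollment date) rather than leaving "verify" open.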