Merge "Augment subcloud enrollment docs with certificates prerequisites (dsr10, r10)"
@@ -12,6 +12,12 @@ subcloud of a |DC|. For factory pre-installation, standalone systems must be
|
|||||||
able to be installed locally in the factory, and later deployed and configured
|
able to be installed locally in the factory, and later deployed and configured
|
||||||
on-site as a |DC| subcloud without re-installing the system.
|
on-site as a |DC| subcloud without re-installing the system.
|
||||||
|
|
||||||
|
A factory pre-installed system can remain staged up to 1 year before
|
||||||
|
enrollment. This is a limitation related to certificate recovery, where
|
||||||
|
recovery is possible but it requires manual steps. It is recommended to avoid a
|
||||||
|
staging period longer than 1 year. However, future versions will support a longer
|
||||||
|
staging period.
|
||||||
|
|
||||||
.. rubric:: |prereq|
|
.. rubric:: |prereq|
|
||||||
|
|
||||||
The following requirements must be met for factory installation of a system:
|
The following requirements must be met for factory installation of a system:
|
||||||
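Review bot: the new 1-year staging paragraph says certificate recovery "requires manual steps" but neither names which certificates expire nor links to the recovery procedure; add a :ref: to that procedure so a site that overruns the window knows what to do. It also does not reconcile with the prerequisite added later in this patch that the |CA| certificate be "long lasting and will still be valid at the time of enrollment": state whether the 1-year limit still applies when a long-lived |CA| is used, or which other certificates drive it. Finally, "future versions will support a longer staging period" is a roadmap promise that goes stale in release docs; drop it or move it to release notes.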
@@ -119,16 +125,21 @@ requirements must be met:
|
|||||||
- The subcloud platform networks should be configured with the expected IP
|
- The subcloud platform networks should be configured with the expected IP
|
||||||
family (IPv4 or IPv6) because the IP family of a subcloud cannot be updated.
|
family (IPv4 or IPv6) because the IP family of a subcloud cannot be updated.
|
||||||
|
|
||||||
- SSL_CA certs (system_local_ca_cert, system_local_ca_key, and
|
- System local |CA| (system_local_ca_cert, system_local_ca_key, and
|
||||||
system_root_ca_cert) need to be installed on the factory installed subclouds
|
system_root_ca_cert) needs to be installed on the factory installed subclouds
|
||||||
in ``localhost.yaml`` to enable the |SSL| communication via |OAM| connection during
|
in ``localhost.yaml`` to enable the |SSL| communication via |OAM| connection
|
||||||
enrollment. The system controller performing the subcloud enrollment needs to
|
during enrollment. The System Controller performing the subcloud enrollment
|
||||||
have a trusted |CA| that can validate the server certificates used for the
|
needs to have a trusted |CA| that can validate the server certificates used
|
||||||
factory installed systems. For more details, see :ref:`add-a-trusted-ca`.
|
for the factory installed systems. For more details, see
|
||||||
|
:ref:`ansible_bootstrap_configs_platform_issuer`. Ensure that the |CA|
|
||||||
|
certificate used is long lasting and will still be valid at the time of
|
||||||
|
enrollment.
|
||||||
|
|
||||||
- Kubernetes RootCA certs need to be specified during the factory installation
|
- Kubernetes Root |CA| certs need to be specified during the factory
|
||||||
process in ``localhost.yaml``, otherwise, the kube-rootca endpoint will be
|
installation process in ``localhost.yaml``, otherwise, the kube-rootca endpoint
|
||||||
out of sync and a kube-rootca-strategy is needed to make it in sync.
|
will be out of sync and a kube-rootca-strategy is needed to make it in sync.
|
||||||
|
Ensure that the |CA| certificate used is long lasting and will still be
|
||||||
|
valid at the time of enrollment.
|
||||||
|
|
||||||
- Additional applications should not be installed on the factory installed
|
- Additional applications should not be installed on the factory installed
|
||||||
system before completing the enrollment process.
|
system before completing the enrollment process.
|
||||||
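Review bot: the cross-reference swap in the system local |CA| bullet leaves the sentence and its target mismatched: the text still says the System Controller "needs to have a trusted |CA| that can validate the server certificates", which is what :ref:`add-a-trusted-ca` covered, while the new :ref:`ansible_bootstrap_configs_platform_issuer` target is about the bootstrap platform-issuer configuration; either keep both references or reword the sentence to describe what the new target provides. Also, this bullet now places system_local_ca_key (a private key, and per the ``localhost.yaml`` example later in this patch the same one the System Controllers use) in ``localhost.yaml`` on every factory-installed unit; the prerequisites should say how that file is to be protected on units that may sit staged for up to a year before enrollment. The sentence "Ensure that the |CA| certificate used is long lasting and will still be valid at the time of enrollment" is added verbatim to both the system local |CA| and the Kubernetes Root |CA| bullets; one statement covering both would read better.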
@@ -324,16 +335,16 @@ Example:
|
|||||||
|
|
||||||
# The password for factory install stage, need to be aligned with user-data
|
# The password for factory install stage, need to be aligned with user-data
|
||||||
# The admin password will not be updated during the enrollment. However, it
|
# The admin password will not be updated during the enrollment. However, it
|
||||||
# will be synchronized with the system controller after managing the subcloud.
|
# will be synchronized with the System Controller after managing the subcloud.
|
||||||
admin_password:
|
admin_password:
|
||||||
# password for factory install stage, need to be align with the admin_password
|
# password for factory install stage, need to be align with the admin_password
|
||||||
ansible_become_pass:
|
ansible_become_pass:
|
||||||
# optional, need to install the same cert with the system controller, otherwise
|
# optional, need to install the same cert with the System Controller, otherwise
|
||||||
# the k8s-rootca endpoint will be out-of-sync after enrollment, but can use
|
# the k8s-rootca endpoint will be out-of-sync after enrollment, but can use
|
||||||
# k8s-rootca-update ochestration to sync it
|
# k8s-rootca-update ochestration to sync it
|
||||||
k8s_root_ca_cert:
|
k8s_root_ca_cert:
|
||||||
k8s_root_ca_key:
|
k8s_root_ca_key:
|
||||||
# system SSL CA certs are required, and need to align with the system controllers
|
# system SSL CA certs are required, and need to align with the System Controllers
|
||||||
system_root_ca_cert:
|
system_root_ca_cert:
|
||||||
system_local_ca_cert:
|
system_local_ca_cert:
|
||||||
system_local_ca_key
|
system_local_ca_key
|
||||||
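Review bot: the ``localhost.yaml`` example this hunk edits is not valid YAML as shown, because the last key, system_local_ca_key, has no trailing colon while every other key in the block does; since the comments here are being touched anyway, fix that, the "ochestration" typo in the k8s-rootca-update comment, and "need to be align with" in the ansible_become_pass comment. The k8s_root_ca_cert comment also refers to "k8s-rootca-update ochestration" while the prerequisites section in this same patch calls the remedy a "kube-rootca-strategy"; use one name for it in both places so a reader can find the procedure.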
@@ -635,8 +646,8 @@ should be similar to the original deployment.
|
|||||||
not specified during factory installation.
|
not specified during factory installation.
|
||||||
|
|
||||||
- As a subcloud, static routes from the hosts' admin/management gateway to the
|
- As a subcloud, static routes from the hosts' admin/management gateway to the
|
||||||
system controller’s management subnet should be added to establish the
|
System Controller’s management subnet should be added to establish the
|
||||||
communication between the system controllers and the subcloud hosts.
|
communication between the System Controllers and the subcloud hosts.
|
||||||
|
|
||||||
- Hosts should be administratively unlocked in this configuration.
|
- Hosts should be administratively unlocked in this configuration.
|
||||||
|
|
||||||
@@ -655,8 +666,11 @@ Perform Subcloud Enrollment
|
|||||||
- The software ISO and signature files need to be uploaded on the System
|
- The software ISO and signature files need to be uploaded on the System
|
||||||
Controller before the subcloud enrollment.
|
Controller before the subcloud enrollment.
|
||||||
|
|
||||||
- Power on the factory-installed server and wait for controller-0 to be
|
- Power on the factory-installed server and wait for controller-0 to be enabled
|
||||||
enabled and alarm-free.
|
and controller-0 to be free from the 250.XXX and 260.XXX alarms.
|
||||||
|
|
||||||
|
- Wait for cert-manager to renew certificates marked as `Automatic [Managed by
|
||||||
|
Cert-Manager]`. Verify with `sudo show-certs.sh` before continuing.
|
||||||
|
|
||||||
Perform subcloud enrollment using the following command:
|
Perform subcloud enrollment using the following command:
|
||||||
|
|
||||||
|
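Review bot: the new cert-manager bullet has no success criterion: say what the reader should see in the show-certs.sh output before continuing (which certificates, and that their validity dates are now in the future), and whether a long staging period is what makes renewal necessary here, which would tie this step to the 1-year limit introduced earlier in this patch. Style: `Automatic [Managed by Cert-Manager]` and `sudo show-certs.sh` use single backticks, which RST renders as interpreted text rather than a literal; use double backticks as this file does for ``localhost.yaml``. The change from "alarm-free" to "free from the 250.XXX and 260.XXX alarms" narrows the readiness check; a short clause on why other alarms are tolerable at this point would stop readers from ignoring ones that matter.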