Adjustment for the Kubernetes 1.24 behavior change

In K8s 1.24, when a ServiceAccount is created, a
Secret is no longer created automatically. Extra
steps for secret creation need to be added.

Closes-bug: 1997750

Signed-off-by: Litao Gao <litao.gao@windriver.com>
Change-Id: Iffa965717b35c55e129e21eca79bfbb1f6668f5d
Litao Gao 2022-11-24 06:47:11 -05:00
parent c66d66783b
commit 22f58200f6
3 changed files with 83 additions and 38 deletions


@ -29,7 +29,7 @@ application:
- Istio-cni - Kubernetes |CNI| plugin
The Kiali (`https://kiali.io/ <https://kiali.io/>`__) management console for
Istio is also integrated with |prod|, in the Istio system application.
Istio is also integrated with |prod| in the Istio system application.
It provides management functions and visualizations to the service mesh
operation. Metrics and tracing functionalities are not supported at this time.
@ -37,19 +37,19 @@ operation. Metrics and tracing functionalities are not supported at this time.
You can install Istio and Kiali on |prod| from the command line.
#. Locate the Istio tarball in ``/usr/local/share/application/helm``.
#. Locate the Istio tarball in ``/usr/local/share/applications/helm``.
For example:
.. code-block:: none
/usr/local/share/application/helm/istio-<version>.tgz
/usr/local/share/applications/helm/istio-<version>.tgz
#. Upload the application.
.. code-block:: none
~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/istio-<version>.tgz
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/istio-<version>.tgz
#. Apply the application.
@ -81,8 +81,8 @@ You can install Istio and Kiali on |prod| from the command line.
EOF
kubectl apply -f istio-cni-nad.yaml
|CNI| is managed by Multus. The NetworkAttachmentDefinition is required in
the application namespace in order to invoke the ``istio-cni`` plugin.
|CNI| is managed by Multus. The ``NetworkAttachmentDefinition`` is required
in the application namespace in order to invoke the ``istio-cni`` plugin.
#. Enable side car for a particular namespace.
@ -95,28 +95,30 @@ You can install Istio and Kiali on |prod| from the command line.
injection webhook is enabled, any new pods that are created in that
namespace will automatically have a sidecar added to them.
#. At this point, you may launch services in the above namespace.
.. rubric:: |result|
When the user application is deployed, the sidecar container
``istio-proxy`` is injected into the user application pod:
At this point, you may have launched services in the above namespace.
Events:
When the user application is deployed, the sidecar container
``istio-proxy`` is injected into the user application pod:
.. code-block:: none
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
...
Normal Created 10s kubelet Created container <user app>
Normal Started 10s kubelet Started container <user app>
...
Normal Created 9s kubelet Created container istio-proxy
Normal Started 8s kubelet Started container istio-proxy
.. code-block:: none
The ``istio-proxy`` sidecar extracts telemetry of all ingress and egress
traffic of the user application that can be monitored and available for
display in Kiali, and it mediates all ingress and egress traffic of the
user application by enforcing policy decisions.
Type Reason Age From Message
---- ------ ---- ---- -------
...
Normal Created 10s kubelet Created container <user app>
Normal Started 10s kubelet Started container <user app>
...
Normal Created 9s kubelet Created container istio-proxy
Normal Started 8s kubelet Started container istio-proxy
The ``istio-proxy`` sidecar extracts telemetry of all ingress and egress
traffic of the user application that can be monitored and available for
display in Kiali, and it mediates all ingress and egress traffic of the
user application by enforcing policy decisions.
---------
Use Kiali
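Review bot: the sentence "At this point, you may have launched services in the above namespace." sits under the ``|result|`` rubric but reads as a guess rather than an outcome, and "may have launched" is ambiguous (permission or possibility). Suggest "You have launched services in the above namespace.", which is the wording this same commit uses for the O2 application's result rubric, and keep the two ``Events:`` / ``.. code-block:: none`` fragments in one place so the rendered event listing is not split across two blocks.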


@ -36,21 +36,23 @@ Install
Configure the internal Ceph storage for the O2 application persistent storage,
see |stor-doc|: :ref:`Configure the Internal Ceph Storage Backend
<configure-the-internal-ceph-storage-backend>` and enable |PVC| support in
``oran-o2`` namespace, see |stor-doc|: :ref:`Enable ReadWriteOnce PVC Support in
Additional Namespaces <enable-readwriteonce-pvc-support-in-additional-namespaces>`.
<configure-the-internal-ceph-storage-backend>`.
Enable |PVC| support in ``oran-o2`` namespace, see |stor-doc|: :ref:`Enable
ReadWriteOnce PVC Support in Additional Namespaces
<enable-readwriteonce-pvc-support-in-additional-namespaces>`.
.. rubric:: |proc|
You can install |O-RAN| O2 application on |prod| from the command line.
#. Locate the O2 application tarball in ``/usr/local/share/application/helm``.
#. Locate the O2 application tarball in ``/usr/local/share/applications/helm``.
For example:
.. code-block:: bash
/usr/local/share/application/helm/oran-o2-<version>.tgz
/usr/local/share/applications/helm/oran-o2-<version>.tgz
#. Download ``admin_openrc.sh`` from the |prod| admin dashboard.
@ -71,20 +73,20 @@ You can install |O-RAN| O2 application on |prod| from the command line.
.. code-block:: bash
~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/oran-o2-<version>.tgz
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/oran-o2-<version>.tgz
#. Prepare the override ``yaml`` file.
#. Create a service account for |SMO| and obtain an access token.
#. Create a service account for |SMO| application.
Create a ServiceAccount which can be used to provide |SMO| with minimal
access permission credentials.
Create a `ServiceAccount` which can be used to provide |SMO| application with
minimal access permission credentials.
.. code-block:: bash
export SMO_SERVICEACCOUNT=smo1
cat <<EOF >smo-serviceaccount.yaml
cat <<EOF > smo-serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
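Review bot: single backticks in `ServiceAccount` are the reStructuredText default role (title reference) and render as italics, not as a literal; the rest of this change uses double backticks for identifiers (``NetworkAttachmentDefinition``, ``oran-o2``), so use ``ServiceAccount`` here and for the other new single-backtick identifiers (`service-account-token`, `docker-registry`). Minor grammar in the step title: "Create a service account for the |SMO| application." (missing article).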
@ -118,7 +120,27 @@ You can install |O-RAN| O2 application on |prod| from the command line.
kubectl apply -f smo-serviceaccount.yaml
export SMO_SECRET=$(kubectl get serviceaccounts $SMO_SERVICEACCOUNT -o jsonpath='{.secrets[0].name}')
#. Create a secret for service account and obtain an access token.
Create a secret with the type `service-account-token` and pass the
`ServiceAccount` in the annotation section as shown below:
.. code-block:: bash
export SMO_SECRET=smo1-secret
cat <<EOF > smo-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: ${SMO_SECRET}
annotations:
kubernetes.io/service-account.name: ${SMO_SERVICEACCOUNT}
type: kubernetes.io/service-account-token
EOF
kubectl apply -f smo-secret.yaml
export SMO_TOKEN_DATA=$(kubectl get secrets $SMO_SECRET -o jsonpath='{.data.token}' | base64 -d -w 0)
#. Create certificates for the O2 service.
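Review bot: ``SMO_TOKEN_DATA`` can come back empty. The token controller fills ``.data.token`` asynchronously after the Secret is created, so running ``kubectl get secrets $SMO_SECRET -o jsonpath='{.data.token}'`` immediately after ``kubectl apply -f smo-secret.yaml`` can return an empty string; add a short retry or at least a check that the variable is non-empty before it is used in the later steps. The Secret manifest also sets no ``namespace``, and the ``kubernetes.io/service-account.name`` annotation is only resolved against a ServiceAccount in the Secret's own namespace, so the step silently depends on the current kubectl context; add ``namespace:`` under ``metadata`` (or ``-n``) so the Secret lands where ``${SMO_SERVICEACCOUNT}`` was created. Security caveat worth a sentence in the doc: a ``kubernetes.io/service-account-token`` Secret recreates the pre-1.24 behaviour of a non-expiring, never-rotated bearer token, which is what 1.24 moved away from; where the |SMO| integration can refresh its credential, ``kubectl create token $SMO_SERVICEACCOUNT --duration=<d>`` (TokenRequest, available in 1.24) issues a bound, expiring token without persisting a Secret, and where a long-lived Secret is really required the doc should say to delete it when the integration is decommissioned. Nit: ``-w 0`` is a ``base64`` encoding option and does nothing with ``-d``; drop it.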
@ -212,8 +234,8 @@ You can install |O-RAN| O2 application on |prod| from the command line.
EOF
To deploy other versions of an image required for a quick solution, to
have early access to the features (eg. o-ran-sc/pti-o2imsdms:2.0.1), and to
authenticate images that are hosted by a private registry, follow the
have early access to the features (eg. oranscinf/pti-o2imsdms:2.0.1), and
to authenticate images that are hosted by a private registry, follow the
steps below:
#. Create a `docker-registry` secret in ``oran-o2`` namespace.
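Review bot: the example image reference in the prose, ``oranscinf/pti-o2imsdms:2.0.1``, no longer matches the override below, which uses ``${O2SERVICE_IMAGE_REG}/docker.io/oranscinf/pti-o2imsdms:2.0.1``; align the two so readers copy the form that actually works with the registry prefix. Since this paragraph is about authenticating images from a private registry, it would also help to mention that the ``2.0.1`` tag is mutable and that pinning by digest gives the integrity guarantee the tag does not. Nit: "eg." should be "e.g.".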
@ -238,7 +260,7 @@ You can install |O-RAN| O2 application on |prod| from the command line.
serviceaccountname: admin-oran-o2
images:
tags:
o2service: ${O2SERVICE_IMAGE_REG}/o-ran-sc/pti-o2imsdms:2.0.1
o2service: ${O2SERVICE_IMAGE_REG}/docker.io/oranscinf/pti-o2imsdms:2.0.1
postgres: ${O2SERVICE_IMAGE_REG}/docker.io/library/postgres:9.6
redis: ${O2SERVICE_IMAGE_REG}/docker.io/library/redis:alpine
pullPolicy: IfNotPresent
@ -278,9 +300,12 @@ You can install |O-RAN| O2 application on |prod| from the command line.
~(keystone_admin)]$ watch kubectl get all -n oran-o2
.. rubric:: |result|
You have launched services in the above namespace.
.. rubric:: |postreq|
At this point, you have launched services in the above namespace.
You will need to integrate |prod| with an |SMO| application that performs
management of O-Cloud infrastructure and the deployment life cycle management
of O-RAN cloudified |NFs|. See the following API reference for details:
@ -311,3 +336,7 @@ You can uninstall the |O-RAN| O2 application on |prod| from the command line.
.. code-block:: bash
~(keystone_admin)]$ system application-delete oran-o2
.. rubric:: |result|
You have uninstalled the O2 application from the system.


@ -207,4 +207,18 @@ application-specific namespaces to access the |RBD| provisioner's **general stor
You can now create and mount PVCs from the default |RBD| provisioner's
**general storage class**, from within these application-specific namespaces.
#. Apply the secret to the new rbd-provisioner namespace.
Check if the secret has been created in the new namespace by running the
following command:
.. code-block:: none
~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n <namespace>
If the secret has not been created in the new namespace, create it by
running the following command:
.. code-block:: none
~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n default -o yaml | grep -v '^\s*namespace:\s' | kubectl apply -n <namespace> -f -
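Review bot: the copy command strips only ``namespace:``; the exported YAML still carries ``resourceVersion``, ``uid`` and ``creationTimestamp``, and the API server rejects creation of an object with a non-empty ``resourceVersion`` ("resourceVersion should not be set on objects to be created"), so the ``kubectl apply`` in the new step fails on the first run. Drop those fields as well (a second ``grep -v`` for ``resourceVersion:``, ``uid:`` and ``creationTimestamp:``, or a ``yq`` delete). Also worth one sentence in the doc: ``ceph-pool-kube-rbd`` holds the Ceph keyring for the pool, so copying it into an application namespace gives anyone with ``get secret`` in that namespace the storage credential; keep the step to namespaces that need the provisioner. Nit: the prompt here is ``~(keystone_admin)$`` while the rest of the page uses ``~(keystone_admin)]$``.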