From 22f58200f6e675063bc596177c0d6e844c3307c9 Mon Sep 17 00:00:00 2001 From: Litao Gao Date: Thu, 24 Nov 2022 06:47:11 -0500 Subject: [PATCH] Adjustment for the kubernetes 1.24 behavior change In K8s 1.24, when a ServiceAccount is created, no more Secret is created automatically. Need to add extra steps for secret creation. Closes-bug: 1997750 Signed-off-by: Litao Gao Change-Id: Iffa965717b35c55e129e21eca79bfbb1f6668f5d --- ...-service-mesh-application-eee5ebb3d3c4.rst | 48 +++++++-------- .../oran-o2-application-b50a0c899e66.rst | 59 ++++++++++++++----- ...e-pvc-support-in-additional-namespaces.rst | 14 +++++ 3 files changed, 83 insertions(+), 38 deletions(-) diff --git a/doc/source/admintasks/kubernetes/istio-service-mesh-application-eee5ebb3d3c4.rst b/doc/source/admintasks/kubernetes/istio-service-mesh-application-eee5ebb3d3c4.rst index eb25b6018..58af0477d 100644 --- a/doc/source/admintasks/kubernetes/istio-service-mesh-application-eee5ebb3d3c4.rst +++ b/doc/source/admintasks/kubernetes/istio-service-mesh-application-eee5ebb3d3c4.rst @@ -29,7 +29,7 @@ application: - Istio-cni - Kubernetes |CNI| plugin The Kiali (`https://kiali.io/ `__) management console for -Istio is also integrated with |prod|, in the Istio system application. +Istio is also integrated with |prod| in the Istio system application. It provides management functions and visualizations to the service mesh operation. Metrics and tracing functionalities are not supported at this time. 
@@ -37,19 +37,19 @@ operation. Metrics and tracing functionalities are not supported at this time. You can install Istio and Kiali on |prod| from the command line. -#. Locate the Istio tarball in ``/usr/local/share/application/helm``. +#. Locate the Istio tarball in ``/usr/local/share/applications/helm``. For example: .. code-block:: none - /usr/local/share/application/helm/istio-.tgz + /usr/local/share/applications/helm/istio-.tgz #. Upload the application. .. code-block:: none - ~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/istio-.tgz + ~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/istio-.tgz #. Apply the application. @@ -81,8 +81,8 @@ You can install Istio and Kiali on |prod| from the command line. EOF kubectl apply -f istio-cni-nad.yaml - |CNI| is managed by Multus. The NetworkAttachmentDefinition is required in - the application namespace in order to invoke the ``istio-cni`` plugin. + |CNI| is managed by Multus. The ``NetworkAttachmentDefinition`` is required + in the application namespace in order to invoke the ``istio-cni`` plugin. #. Enable side car for a particular namespace. 
@@ -95,28 +95,30 @@ You can install Istio and Kiali on |prod| from the command line. injection webhook is enabled, any new pods that are created in that namespace will automatically have a sidecar added to them. -#. At this point, you may launch services in the above namespace. +.. rubric:: |result| - When the user application is deployed, the sidecar container - ``istio-proxy`` is injected into the user application pod: +At this point, you may have launched services in the above namespace. - Events: +When the user application is deployed, the sidecar container +``istio-proxy`` is injected into the user application pod: - .. code-block:: none +Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - ... - Normal Created 10s kubelet Created container - Normal Started 10s kubelet Started container - ... - Normal Created 9s kubelet Created container istio-proxy - Normal Started 8s kubelet Started container istio-proxy +.. code-block:: none - The ``istio-proxy`` sidecar extracts telemetry of all ingress and egress - traffic of the user application that can be monitored and available for - display in Kiali, and it mediates all ingress and egress traffic of the - user application by enforcing policy decisions. + Type Reason Age From Message + ---- ------ ---- ---- ------- + ... + Normal Created 10s kubelet Created container + Normal Started 10s kubelet Started container + ... + Normal Created 9s kubelet Created container istio-proxy + Normal Started 8s kubelet Started container istio-proxy + +The ``istio-proxy`` sidecar extracts telemetry of all ingress and egress +traffic of the user application that can be monitored and available for +display in Kiali, and it mediates all ingress and egress traffic of the +user application by enforcing policy decisions. --------- Use Kiali 
diff --git a/doc/source/admintasks/kubernetes/oran-o2-application-b50a0c899e66.rst b/doc/source/admintasks/kubernetes/oran-o2-application-b50a0c899e66.rst index 9075c6cb6..92ed7e0a3 100644 --- a/doc/source/admintasks/kubernetes/oran-o2-application-b50a0c899e66.rst +++ b/doc/source/admintasks/kubernetes/oran-o2-application-b50a0c899e66.rst @@ -36,21 +36,23 @@ Install Configure the internal Ceph storage for the O2 application persistent storage, see |stor-doc|: :ref:`Configure the Internal Ceph Storage Backend -` and enable |PVC| support in -``oran-o2`` namespace, see |stor-doc|: :ref:`Enable ReadWriteOnce PVC Support in -Additional Namespaces `. +`. + +Enable |PVC| support in ``oran-o2`` namespace, see |stor-doc|: :ref:`Enable +ReadWriteOnce PVC Support in Additional Namespaces +`. .. rubric:: |proc| You can install |O-RAN| O2 application on |prod| from the command line. -#. Locate the O2 application tarball in ``/usr/local/share/application/helm``. +#. Locate the O2 application tarball in ``/usr/local/share/applications/helm``. For example: .. code-block:: bash - /usr/local/share/application/helm/oran-o2-.tgz + /usr/local/share/applications/helm/oran-o2-.tgz #. Download ``admin_openrc.sh`` from the |prod| admin dashboard. 
@@ -71,20 +73,20 @@ You can install |O-RAN| O2 application on |prod| from the command line. .. code-block:: bash - ~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/oran-o2-.tgz + ~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/oran-o2-.tgz #. Prepare the override ``yaml`` file. - #. Create a service account for |SMO| and obtain an access token. + #. Create a service account for |SMO| application. - Create a ServiceAccount which can be used to provide |SMO| with minimal - access permission credentials. + Create a `ServiceAccount` which can be used to provide |SMO| application with + minimal access permission credentials. .. code-block:: bash export SMO_SERVICEACCOUNT=smo1 - cat <smo-serviceaccount.yaml + cat < smo-serviceaccount.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -118,7 +120,27 @@ You can install |O-RAN| O2 application on |prod| from the command line. kubectl apply -f smo-serviceaccount.yaml - export SMO_SECRET=$(kubectl get serviceaccounts $SMO_SERVICEACCOUNT -o jsonpath='{.secrets[0].name}') + #. Create a secret for service account and obtain an access token. + + Create a secret with the type `service-account-token` and pass the + `ServiceAccount` in the annotation section as shown below: + + .. code-block:: bash + + export SMO_SECRET=smo1-secret + + cat < smo-secret.yaml + apiVersion: v1 + kind: Secret + metadata: + name: ${SMO_SECRET} + annotations: + kubernetes.io/service-account.name: ${SMO_SERVICEACCOUNT} + type: kubernetes.io/service-account-token + EOF + + kubectl apply -f smo-secret.yaml + export SMO_TOKEN_DATA=$(kubectl get secrets $SMO_SECRET -o jsonpath='{.data.token}' | base64 -d -w 0) #. Create certificates for the O2 service. 
@@ -212,8 +234,8 @@ You can install |O-RAN| O2 application on |prod| from the command line. EOF To deploy other versions of an image required for a quick solution, to - have early access to the features (eg. o-ran-sc/pti-o2imsdms:2.0.1), and to - authenticate images that are hosted by a private registry, follow the + have early access to the features (eg. oranscinf/pti-o2imsdms:2.0.1), and + to authenticate images that are hosted by a private registry, follow the steps below: #. Create a `docker-registry` secret in ``oran-o2`` namespace. @@ -238,7 +260,7 @@ You can install |O-RAN| O2 application on |prod| from the command line. serviceaccountname: admin-oran-o2 images: tags: - o2service: ${O2SERVICE_IMAGE_REG}/o-ran-sc/pti-o2imsdms:2.0.1 + o2service: ${O2SERVICE_IMAGE_REG}/docker.io/oranscinf/pti-o2imsdms:2.0.1 postgres: ${O2SERVICE_IMAGE_REG}/docker.io/library/postgres:9.6 redis: ${O2SERVICE_IMAGE_REG}/docker.io/library/redis:alpine pullPolicy: IfNotPresent @@ -278,9 +300,12 @@ You can install |O-RAN| O2 application on |prod| from the command line. ~(keystone_admin)]$ watch kubectl get all -n oran-o2 +.. rubric:: |result| + +You have launched services in the above namespace. + .. rubric:: |postreq| -At this point, you have launched services in the above namespace. You will need to integrate |prod| with an |SMO| application that performs management of O-Cloud infrastructure and the deployment life cycle management of O-RAN cloudified |NFs|. See the following API reference for details: @@ -311,3 +336,7 @@ You can uninstall the |O-RAN| O2 application on |prod| from the command line. .. code-block:: bash ~(keystone_admin)]$ system application-delete oran-o2 + +.. rubric:: |result| + +You have uninstalled the O2 application from the system. diff --git a/doc/source/storage/kubernetes/enable-readwriteonce-pvc-support-in-additional-namespaces.rst b/doc/source/storage/kubernetes/enable-readwriteonce-pvc-support-in-additional-namespaces.rst index 954ff3bc7..81ae1487c 100644 
--- a/doc/source/storage/kubernetes/enable-readwriteonce-pvc-support-in-additional-namespaces.rst +++ b/doc/source/storage/kubernetes/enable-readwriteonce-pvc-support-in-additional-namespaces.rst @@ -207,4 +207,18 @@ application-specific namespaces to access the |RBD| provisioner's **general stor You can now create and mount PVCs from the default |RBD| provisioner's **general storage class**, from within these application-specific namespaces. +#. Apply the secret to the new rbd-provisioner namespace. + Check if the secret has been created in the new namespace by running the + following command: + + .. code-block:: none + + ~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n + + If the secret has not been created in the new namespace, create it by + running the following command: + + .. code-block:: none + + ~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n default -o yaml | grep -v '^\s*namespace:\s' | kubectl apply -n -f -
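Review bot: in istio-service-mesh-application hunk @@ -95,28 the new `.. rubric:: |result|` block opens with "At this point, you may have launched services in the above namespace", which states a possibility rather than an outcome; the result rubrics this same patch adds to oran-o2-application read "You have launched services in the above namespace." Use the same assertive wording here, and since the text is no longer a numbered step, say which namespace is meant (the one with sidecar injection enabled) instead of "the above namespace".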
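Review bot: in oran-o2-application hunk @@ -71,20, `ServiceAccount` is wrapped in single backticks, which reST renders as interpreted text (emphasis), not as a literal; the rest of the file uses double backticks (``yaml``, ``admin_openrc.sh``), so write ``ServiceAccount`` here and for `service-account-token` and `ServiceAccount` in the following hunk. As rendered, the changed line reads `cat < smo-serviceaccount.yaml`, which would read the file rather than write it, while the `EOF` terminator and `kubectl apply -f smo-serviceaccount.yaml` below expect a here-document; confirm that the source line is `cat <<EOF > smo-serviceaccount.yaml` and that only the rendering dropped the `<<EOF`.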
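Review bot: in oran-o2-application hunk @@ -118,7 the Secret manifest has no `metadata.namespace`, and neither `kubectl apply -f smo-secret.yaml` nor `kubectl get secrets $SMO_SECRET` passes `-n`, so the Secret lands in whatever namespace the current kubeconfig context selects; the token controller only populates a `kubernetes.io/service-account-token` Secret whose annotated ServiceAccount exists in the same namespace, so either add `namespace:` to the manifest and `-n` to both commands, or state explicitly that this Secret and the ServiceAccount from the previous step must be in the same namespace. The `export SMO_TOKEN_DATA=...` line runs immediately after the apply, but `.data.token` is filled in asynchronously by the controller, so the variable can be empty on a fast shell; add a short poll on `jsonpath='{.data.token}'` until it is non-empty, or tell the reader to re-run the export if it comes back empty. Also worth one sentence in the step: unlike the bound, time-limited tokens that Kubernetes 1.24 issues through `kubectl create token`, a token held in a service-account-token Secret does not expire and stays valid until the Secret is deleted, so the SMO credential should be deleted or rotated when it is no longer needed.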
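Review bot: in oran-o2-application hunk @@ -212,8 the rewrapped sentence keeps "eg." where the documentation convention is "e.g."; since the line is being touched anyway, fix the abbreviation while updating the image name.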
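Review bot: in enable-readwriteonce-pvc-support-in-additional-namespaces hunk @@ -207,4 the new step is appended after the closing sentence "You can now create and mount PVCs ... from within these application-specific namespaces", so the result statement now precedes the last required step; move the step above that sentence (or turn the sentence into a `.. rubric:: |result|` block as the other files in this patch do). Both `kubectl get secret ceph-pool-kube-rbd -n` commands end with a bare `-n` and no namespace argument as rendered; if a `<namespace>` placeholder was lost, restore it, otherwise the commands fail as written. The copy pipeline only filters the `namespace:` line, so the manifest piped into `kubectl apply -n ... -f -` still carries the source object's `resourceVersion`, `uid` and `creationTimestamp`; the API server rejects creation of an object with a non-empty `resourceVersion`, so strip those metadata fields as well (for example with `-o json` and a `jq 'del(.metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp)'` step) before applying into the new namespace.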