starlingx/docs
Code Issues Proposed changes

Added topics upstream for Re-host Upstream Registry

Browse Source 
Created new chapter in System Configuration Guide

Acted on Greg's comments

Changed the AWS occurences and hostnames

Fixed merge conflict

https://review.opendev.org/c/starlingx/docs/+/788616

Signed-off-by: Adil <mohamed.adilassakkali@windriver.com>
Change-Id: Id4406152d108326125b32911b7d73e805068cf5e
This commit is contained in:
Adil 2021-05-31 18:05:38 -03:00
parent aef988d020
commit 8cef686cf8
12 changed files with 1073 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
doc/source/admintasks/index.rst
View File

@ -15,6 +15,7 @@ StarlingX Kubernetes
:maxdepth: 1
about-the-admin-tutorials
installing-and-running-cpu-manager-for-kubernetes
----------------------
Application management

239
doc/source/admintasks/installing-and-running-cpu-manager-for-kubernetes.rst Normal file
View File

@ -0,0 +1,239 @@
.. jme1561551450093
.. _installing-and-running-cpu-manager-for-kubernetes:
==========================================
Install and Run CPU Manager for Kubernetes
==========================================
You must install Helm charts and label worker nodes appropriately before using
CMK.
.. rubric:: |context|
Perform the following steps to enable CMK on a cluster.
.. rubric:: |proc|
#. Apply the **cmk-node** label to each worker node to be managed using CMK.
For example:
.. code-block:: none
~(keystone)admin)$ system host-lock worker-0
~(keystone)admin)$ system host-label-assign worker-0 cmk-node=enabled
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 2909d775-cd6c-4bc1-8268-27499fe38d5e |
| host_uuid | 1f00d8a4-f520-41ee-b608-1b50054b1cd8 |
| label_key | cmk-node |
| label_value | enabled |
+-------------+--------------------------------------+
~(keystone)admin)$ system host-unlock worker-0
#. Perform the following steps if you have not specified CMK at Ansible
Bootstrap in the localhost.yml file:
#. On the active controller, run the following command to generate the
username and password to be used for Docker login.
This command generates the username and password to be used for Docker
login.
.. code-block:: none
$ sudo python /usr/share/ansible/stx-ansible/playbooks/roles/common/push-docker-images/files/get_registry_auth.py 625619392498.dkr.ecr.us-west-2.amazonaws.com <Access_Key_ID_from_Wind_Share> <Secret_Access_Key_from_Wind_Share>
#. Run the Docker login command:
.. code-block:: none
~(keystone)admin)$ sudo docker login 625619392498.dkr.ecr.us-west-2.amazonaws.com -u AWS -p <password_returned_from_first_cmd>
#. Pull the CMK image from the AWS registry.
.. code-block:: none
~(keystone)admin)$ sudo docker pull 625619392498.dkr.ecr.us-west-2.amazonaws.com/docker.io/starlingx/master/latest_image_build
#. Tag the image, by using the following command:
.. code-block:: none
~(keystone)admin)$ sudo docker image tag 625619392498.dkr.ecr.us-west-2.amazonaws.com/docker.io/starlingx/master/latest_image_build
#. Authenticate the local registry, by using the following command:
.. code-block:: none
~(keystone)admin)$ sudo docker login registry.local:9001 -u admin -p <admin_passwd>
#. Push the image, by using the following command:
.. code-block:: none
~(keystone)admin)$ sudo docker image push registry.local:9001/docker.io/wind-river/cmk:WRCP.20.01-v1.3.1-15-ge3df769-1
#. On all configurations with two controllers, after the CMK Docker image has
been pulled, tagged \(with the local registry\), and pushed \(to the local
registry\), the admin user should log in to the inactive controller and run
the following commands:
For example:
.. code-block:: none
~(keystone)admin)$ sudo docker login registry.local:9001 -u admin -p <admin_passwd>
~(keystone)admin)$ sudo docker image pull tis-lab-registry.cumulus.wrs.com:9001/wrcp-staging/docker.io/wind-river/cmk:WRCP.20.01-v1.3.1-15-ge3df769-1
#. Configure any isolated CPUs on worker nodes in order to reduce host OS
impacts on latency for tasks running on Isolated CPUs.
Any container tasks running on isolated CPUs will have to explicitly manage
their own affinity, the process scheduler will ignore them completely.
.. note::
The following commands are examples only, the admin user must specify
the number of CPUs per processor based on the node CPU topology.
.. code-block:: none
~(keystone)admin)$ system host-lock worker-1
~(keystone)admin)$ system host-cpu-modify -f platform -p0 1 worker-1
~(keystone)admin)$ system host-cpu-modify -f application-isolated -p0 15 worker-1
~(keystone)admin)$ system host-cpu-modify -f application-isolated -p1 15 worker-1
~(keystone)admin)$ system host-unlock worker-1
This sets one platform core and 15 application-isolated cores on NUMA node
0, and 15 application-isolated cores on NUMA node 1. At least one CPU must
be left unspecified, which will cause it to be an application CPU.
#. Run the /opt/extracharts/cpu-manager-k8s-setup.sh helper script to install
the CMK Helm charts used to configure the system for CMK.
#. Before running this command, untar files listed in /opt/extracharts.
.. code-block:: none
~(keystone)admin)$ cd /opt/extracharts
~(keystone)admin)$ sudo tar -xvf cpu-manager-k8s-init-1.3.1.tgz
~(keystone)admin)$ sudo tar -xvf cpu-manager-k8s-webhook-1.3.1.tgz
~(keystone)admin)$ sudo tar -xvf cpu-manager-k8s-1.3.1.tgz
#. Run the script.
The script is located in the /opt/extracharts directory of the active
controller.
For example:
.. code-block:: none
~(keystone)admin)$ cd /opt/extracharts
~(keystone)admin)$ ./cpu-manager-k8s-setup.sh
The following actions are performed:
- The **cpu-manager-k8s-init** chart is installed. This will create a
service account and set up rules-based access control.
- A webhook is created to insert the appropriate resources into pods
that request CMK resources. \(This will result in one pod running.\)
- A daemonset is created for the per-CMK-node pod that will handle
all CMK operations on that node.
- **cmk-webhook-deployment** is launched on the controller and
**cpu-manager-k8s-cmk-default** is launched on the worker.
By default, each node will have one available CPU allocated to the
shared pool, and all the rest allocated to the exclusive pool. The
platform CPUs will be ignored.
#. Add more CPUs to the shared pool.
#. Override the allocation via per-node Helm chart overrides on the
**cpu-manager-k8s** Helm chart.
.. code-block:: none
$ cat <<EOF > /home/sysadmin/worker-0-cmk-overrides.yml
# For NUM_EXCLUSIVE_CORES a value of -1 means
# "all available cores after infra and shared
# cores have been allocated".
# NUM_SHARED_CORES must be at least 1.
conf:
cmk:
NUM_EXCLUSIVE_CORES: -1
NUM_SHARED_CORES: 1
overrides:
cpu-manager-k8s_cmk:
hosts:
- name: worker-0
conf:
cmk:
NUM_SHARED_CORES: 2
EOF
#. Apply the override.
.. code-block:: none
$ helm upgrade cpu-manager cpu-manager-k8s --reuse-values -f /home/sysadmin/worker-0-cmk-overrides.yml
#. After CMK has been installed, run the following command to patch the
webhook to pull the image, if required for future use:
.. code-block:: none
~(keystone)admin)$ kubectl -n kube-system patch deploy cmk-webhook-deployment \
-p '{"spec":{"template":{"spec":{"containers":[{"name":"cmk-webhook",\
"imagePullPolicy":"IfNotPresent"}]}}}}'
.. rubric:: |postreq|
Once CMK is set up, you can run workloads as described at `https://github.com/intel/CPU-Manager-for-Kubernetes <https://github.com/intel/CPU-Manager-for-Kubernetes>`__,
with the following caveats:
- When using CMK, the application pods should not specify requests or limits
for the **cpu** resource.
When running a container with :command:`cmk isolate --pool=exclusive`, the
**cpu** resource should be superseded by the
:command:`cmk.intel.com/exclusive-cores` resource.
When running a container with :command:`cmk isolate --pool=shared` or
:command:`cmk isolate --pool=infra`, the **cpu** resource has no meaning as
Kubelet assumes it has access to all the CPUs rather than just the
**infra** or **shared** ones and this confuses the resource tracking.
- There is a known issue with resource tracking if a node with running
CMK-isolated applications suffers an uncontrolled reboot. The suggested
workaround is to wait for it to come back up, then lock/unlock the node.
- When using the :command:`cmk isolate --socket-id` command to run an
application on a particular socket, there can be complications with
scheduling because the Kubernetes scheduler isn't NUMA-aware. A pod can be
scheduled to a kubernetes node that has enough resources across all NUMA
nodes, but then a container trying to run :command:`cmk isolate --socket-id=<X>`
can lead to a run-time error if there are not enough resources on that
particular NUMA node:
.. code-block:: none
~(keystone)admin)$ kubectl logs cmk-isolate-pod
[6] Failed to execute script cmk
Traceback (most recent call last):
File "cmk.py", line 162, in <module> main()
File "cmk.py", line 127, in main args["--socket-id"])
File "intel/isolate.py", line 57, in isolate.format(pool_name))
SystemError: Not enough free cpu lists in pool
.. From step 1
.. xbooklink For more information on node labeling, see |node-doc|: :ref:`Configure Node Labels from the CLI <assigning-node-labels-from-the-cli>`.
.. From step 2
.. xreflink For more information, see |inst-doc|: :ref:`Bootstrap and Deploy Cloud Platform <bootstrapping-and-deploying-starlingx>`.

64
doc/source/system_configuration/kubernetes/about-changing-external-registries-for-starlingx-installation.rst Normal file
View File

@ -0,0 +1,64 @@
..
.. _about-changing-external-registries-for-starlingx-installation:
=============================================================
About Changing External Registries for StarlingX Installation
=============================================================
You can reassign the external registries used for |prod| installs, upgrades,
and application updates.
When installing and upgrading |prod| or applying and updating |prod|
applications, container images are pulled from external registries, for various
services. By default, these container images are pulled from the following
public registries: ``k8s.gcr.io``, ``gcr.io``, ``quay.io``, and ``docker.io``.
During installation, specifically during the bootstrap step, these external registries
can be overridden using the 'docker_registries' variable in the bootstrap
override file. This task provides a procedure for changing these external
registries **after** installing |prod|.
.. rubric:: |context|
For convenience, many of the procedures are implemented in bash loops. If during
the loops errors occur the procedure will fail. |prod| recommends to
capture the existing settings before running the commands.
.. rubric:: |prereq|
Make sure the following conditions are true:
* no alarm is present
* both controllers are online and unlocked
* all applications required are properly applied
* in the case of a subcloud in a distributed cloud deployment, the subcloud is in
sync with the system controller
* the auth-secret, Url, and type exist for: ``system service-parameter-list | grep registry``
This is an example of the output:
.. code-block:: none
| 16485f1e-757c-46a9-a366-0820b0f2ab77 | docker | docker-registry | auth-secret | d76d3a01-7d28-4e17-a614-f10b7eb49438 | None | None |
| 4436a7ab-11bc-4adb-aa9a-d15fe7a5a337 | docker | docker-registry | type | docker | None | None |
| e9ac3877-bc1c-4bd0-8d4e-6ead5a09b07c | docker | docker-registry | url | old-registry.domain.com:5001/product-abc/starlingx/docker.io | None | None |
| 3f44da5a-020d-42af-a15c-bf54da1e4c94 | docker | elastic-registry | auth-secret | de5195da-a791-4d05-9bb2-0a106d65dd33 | None | None |
| afbc4d14-5359-4b54-9431-01fe83440cf6 | docker | elastic-registry | type | docker | None | None |
| 05644812-daee-43a0-89e3-45006a6807fd | docker | elastic-registry | url | old-registry.domain.com:5001/product-abc/starlingx/docker.elastic.co| None | None |
| 76c15302-62ec-44d8-8352-ae8e681dfb02 | docker | gcr-registry | auth-secret | 772f88cb-3355-4663-8a95-026409b629cb | None | None |
| 5d4004ed-c212-4cb0-b309-82225cc011a9 | docker | gcr-registry | type | docker | None | None |
| 18d8a51b-99b1-4caf-8e98-740dc3bdfd74 | docker | gcr-registry | url | old-registry.domain.com:5001/product-abc/starlingx/gcr.io | None | None |
| 64e8a11f-3be9-4086-992a-948a92f8441b | docker | k8s-registry | auth-secret | 4ba49153-fb12-4db6-9509-779ac4f1f2fa | None | None |
| eca50140-b082-4229-8ca3-562abd6e3693 | docker | k8s-registry | type | docker | None | None |
| 497a935c-c8fc-422e-88d3-e9cbd6d12a95 | docker | k8s-registry | url | old-registry.domain.com:5001/product-abc/starlingx/k8s.gcr.io | None | None |
| a84328a0-3219-4b54-b4fa-5903f25f70ea | docker | quay-registry | auth-secret | c293a43d-0e4b-4dec-a5f4-baffb65e07f0 | None | None |
| 96b6eb45-b101-4bcb-8168-3f9f79baaa7d | docker | quay-registry | type | docker | None | None |
| 0fe2e1b9-8005-4ff8-98c2-ba0ad66103b9 | docker | quay-registry | url | old-registry.domain.com:5001/product-abc/starlingx/quay.io | None | None |
The new registry uses **username** and **password** authentication. Its path is
the same as the existing registry path. For example if ``docker.io`` path is
`old-registry.domain.com:5001/product-abc/starlingx/docker.io`
on the existing registry, then the new registry must be
`new-registry.domain.com:9001/product-abc/starlingx/docker.io`.
To change a registry, see :ref:`Change the Registries' URLs
<change-the-registry-url>`.

33
doc/source/system_configuration/kubernetes/add-the-ca-certificate-for-new-registry.rst Normal file
View File

@ -0,0 +1,33 @@
..
.. _add-the-ca-certificate-for-new-registry:
=======================================
Add the CA Certificate for New Registry
=======================================
.. rubric:: |proc|
#. Copy the certificate of the |CA| that signed the new registries' certificate to the active controller.
#. Install the |CA| certificate as a Trusted |CA| for StarlingX. This is an
example with the filename **ca.crt** containing the |CA| certificate:
.. code-block:: none
system certificate-install -m ssl_ca ca.crt
WARNING: For security reasons, the original certificate,
containing the private key, will be removed,
once the private key is processed.
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | da397ac8-24c2-474c-98fd-5afade15aea2 |
| certtype | ssl_ca |
| signature | ssl_ca_10872957681153283553 |
| start_date | 2020-09-03 21:56:16+00:00 |
| expiry_date | 2021-06-30 21:56:16+00:00 |
+-------------+--------------------------------------+
To verify a new a registry and reapply the application, see :ref:`Check New
Registry and Reapply Application <check-new-registry-and-reapply-application>`.

32
doc/source/system_configuration/kubernetes/application-commands-and-helm-overrides.rst
View File

@ -62,15 +62,15 @@ commands to manage containerized applications provided as part of |prod|.
| active | False |
| app_version | 1.0-18 |
| created_at | 2019-09-06T15:34:03.194150+00:00 |
| manifest_file | |prefix|-openstack.yaml |s| |
| manifest_file | |prefix|-openstack.yaml |s| |
| manifest_name | armada-manifest |
| name | |prefix|-openstack |s| |
| name | |prefix|-openstack |s| |
| progress | completed |
| status | uploaded |
| updated_at | 2019-09-06T15:34:46.995929+00:00 |
+---------------+----------------------------------+
- Use the following command to upload application helm chart\(s\) and
- Use the following command to upload application Helm chart\(s\) and
manifest.
.. code-block:: none
@ -102,16 +102,16 @@ commands to manage containerized applications provided as part of |prod|.
| active | False |
| app_version | 1.0-18 |
| created_at | 2019-09-06T15:34:03.194150+00:00 |
| manifest_file | |prefix|-openstack.yaml |
| manifest_file | |prefix|-openstack.yaml |
| manifest_name | armada-manifest |
| name | |prefix|-openstack |
| name | |prefix|-openstack |
| progress | None |
| status | uploading |
| updated_at | None |
+---------------+----------------------------------+
Please use 'system application-list' or 'system application-show |prefix|-openstack' to view the current progress.
- To list the helm chart overrides for the |prod|, use the following
- To list the Helm chart overrides for the |prod|, use the following
command:
.. code-block:: none
@ -219,18 +219,18 @@ commands to manage containerized applications provided as part of |prod|.
and the following are optional arguments:
``--reuse-values``
Reuse existing helm chart user override values. If reset-values is
Reuse existing Helm chart user override values. If reset-values is
used, reuse-values is ignored.
``--reset-values``
Replace any existing helm chart overrides with the ones specified.
Replace any existing Helm chart overrides with the ones specified.
``--values``
Specify a **yaml** file containing helm chart override values. You can
Specify a **yaml** file containing Helm chart override values. You can
specify this value multiple times.
``--set``
Set helm chart override values using the command line. Multiple
Set Helm chart override values using the command line. Multiple
override values can be specified with multiple :command:`set`
arguments. These are processed after files passed through the
values argument.
@ -256,10 +256,10 @@ commands to manage containerized applications provided as part of |prod|.
**Property** column.
.. note::
To apply the updated helm chart ovverrides to the running application,
To apply the updated Helm chart ovverrides to the running application,
use the :command:`system application-apply` command.
- To enable or disable the installation of a particular helm chart within an
- To enable or disable the installation of a particular Helm chart within an
application manifest, use the :command:`helm-chart-attribute-modify`
command. This command does not modify a chart or modify chart overrides,
which are managed through the :command:`helm-override-update` command.
@ -343,9 +343,9 @@ commands to manage containerized applications provided as part of |prod|.
| active | False |
| app_version | 1.0-18 |
| created_at | 2019-09-06T15:34:03.194150+00:00 |
| manifest_file | |prefix|-openstack.yaml |s| |
| manifest_file | |prefix|-openstack.yaml |s| |
| manifest_name | armada-manifest |
| name | |prefix|-openstack |s| |
| name | |prefix|-openstack |s| |
| progress | None |
| status | applying |
| updated_at | 2019-09-06T15:34:46.995929+00:00 |
@ -436,9 +436,9 @@ commands to manage containerized applications provided as part of |prod|.
| active | False |
| app_version | 1.0-18 |
| created_at | 2019-09-06T15:34:03.194150+00:00 |
| manifest_file | |prefix|-openstack.yaml |s| |
| manifest_file | |prefix|-openstack.yaml |s| |
| manifest_name | armada-manifest |
| name | |prefix|-openstack |s| |
| name | |prefix|-openstack |s| |
| progress | None |
| status | removing |
| updated_at | 2019-09-06T17:39:19.813754+00:00 |

89
doc/source/system_configuration/kubernetes/change-the-registry-url.rst Normal file
View File

@ -0,0 +1,89 @@
..
.. _change-the-registry-url:
===========================
Change the Registries' URLs
===========================
Set the variable NEW_URL_START to the new registry and port, and change the
registries' URLs using the following command:
.. code-block:: none
NEW_URL_START=new-registry.domain.com:9001
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
do
uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'`
url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}' | cut -d '/' -f 2-`
system service-parameter-modify docker $registry url=$NEW_URL_START/$url_path
done
.. rubric:: |result|
You will get the following output:
.. code-block:: none
+-------------+--------------------------------------------------------------------------+
| Property | Value |
+-------------+--------------------------------------------------------------------------+
| uuid | 1f88c265-60a9-49b7-860b-785be9d832fc |
| service | docker |
| section | docker-registry |
| name | url |
| value | new-registry.domain.com:9001/product-abc/starlingx/docker.io |
| personality | None |
| resource | None |
+-------------+--------------------------------------------------------------------------+
+-------------+------------------------------------------------------------------------+
| Property | Value |
+-------------+------------------------------------------------------------------------+
| uuid | 459fde69-ee5f-4375-9817-cc7bc2bb06cb |
| service | docker |
| section | quay-registry |
| name | url |
| value | new-registry.domain.com:9001/product-abc/starlingx/quay.io |
| personality | None |
| resource | None |
+-------------+------------------------------------------------------------------------+
+-------------+----------------------------------------------------------------------------------+
| Property | Value |
+-------------+----------------------------------------------------------------------------------+
| uuid | c7537ee4-1dff-4627-9f99-3380a54a51e0 |
| service | docker |
| section | elastic-registry |
| name | url |
| value | new-registry.domain.com:9001/product-abc/starlingx/docker.elastic.co |
| personality | None |
| resource | None |
+-------------+----------------------------------------------------------------------------------+
+-------------+-----------------------------------------------------------------------+
| Property | Value |
+-------------+-----------------------------------------------------------------------+
| uuid | 144194d1-9c03-4db0-a336-c1a32467b1bd |
| service | docker |
| section | gcr-registry |
| name | url |
| value | new-registry.domain.com:9001/product-abc/starlingx/gcr.io |
| personality | None |
| resource | None |
+-------------+-----------------------------------------------------------------------+
+-------------+---------------------------------------------------------------------------+
| Property | Value |
+-------------+---------------------------------------------------------------------------+
| uuid | 99800eff-c681-4dbd-8897-c5c5636f5fa1 |
| service | docker |
| section | k8s-registry |
| name | url |
| value | new-registry.domain.com:9001/product-abc/starlingx/k8s.gcr.io |
| personality | None |
| resource | None |
+-------------+---------------------------------------------------------------------------+
To validate the registry, see :ref:`Display Updated Registries' URLs and Auth-Secrets
<validate-existing-registry-and-new-url>`.

99
doc/source/system_configuration/kubernetes/check-new-registry-and-reapply-application.rst Normal file
View File

@ -0,0 +1,99 @@
..
.. _check-new-registry-and-reapply-application:
==========================================
Check New Registry and Reapply Application
==========================================
Perform these steps on both controllers. Use controller-0 first and then swact
to controller-1 and perform the same steps.
.. rubric:: |proc|
#. Run this command to login:
.. code-block:: none
sudo docker login new-registry.domain.com:9001
#. Run this command to do a test pull of the image:
.. code-block:: none
sudo docker image pull new-registry.domain.com:9001/product-abc/starlingx/docker.io/alpine:latest
crictl pull --creds docker:****** new-registry.domain.com:9001/product-abc/starlingx/docker.io/alpine:latest
sudo docker image rm new-registry.domain.com:9001/product-abc/starlingx/docker.io/alpine:latest
crictl rmi new-registry.domain.com:9001/product-abc/starlingx/docker.io/alpine:latest
#. Check if an application re-apply will now properly pull from the registries.
First, remove the images for an application, such as
nginx-ingress-controller, from the registry.local and the local image cache
for all nodes \(assuming AIO-SX\), in order to force the next re-apply of
the application to re-pull these images.
.. code-block:: none
system registry-image-tags quay.io/kubernetes-ingress-controller/nginx-ingress-controller
+-----------+
| Image Tag |
+-----------+
| 0.23.0 |
+-----------+
system registry-image-delete quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0
system registry-garbage-collect
crictl images ls | grep quay.io/kubernetes-ingress-controller/nginx-ingress-controller
registry.local:9001/quay.io/kubernetes-ingress-controller/nginx-ingress-controller 0.23.0 42d47fe0c78f5 242MB
crictl rmi registry.local:9001/quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0
# Note an error on this step means there is no image in the cache
# SSH to controller-1 (or the standby controller)
crictl rmi registry.local:9001/quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0
#. To reapply the application run the following command:
.. code-block:: none
system application-apply nginx-ingress-controller
#. Then, debug tail ``-f /var/log/sysinv.log`` and look for the following information:
.. code-block:: none
sysinv 2020-09-09 23:42:23.476 14930 INFO sysinv.conductor.kube_app [-] Image registry.local:9001/quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0 is not available in local registry, download started from public/private registry
sysinv 2020-09-09 23:42:23.526 14930 INFO sysinv.conductor.kube_app [-] Image registry.local:9001/k8s.gcr.io/defaultbackend:1.4 download succeeded in 0 seconds
sysinv 2020-09-09 23:43:10.226 14930 INFO sysinv.conductor.kube_app [-] Remove image <hostname>:5001/<quay.io path>/quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0 after push to local registry.
sysinv 2020-09-09 23:43:10.595 14930 INFO sysinv.conductor.kube_app [-] Image registry.local:9001/quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0 download succeeded in 47 seconds
sysinv 2020-09-09 23:43:10.596 14930 INFO sysinv.conductor.kube_app [-] All docker images for application nginx-ingress-controller were successfully downloaded in 50 seconds
#. Validate that the application is running:
.. code-block:: none
system application-list
+--------------------------+----------+-----------------------------------+---------------------------------+----------+-----------+
| application | version | manifest name | manifest file | status | progress |
+--------------------------+----------+-----------------------------------+---------------------------------+----------+-----------+
| cert-manager | 20.06-4 | cert-manager-manifest | certmanager-manifest.yaml | applied | completed |
--> | nginx-ingress-controller | 20.06-0 | nginx-ingress-controller-manifest | nginx_ingress_controller_manife | applied | completed |
| | | | st.yaml | | |
| | | | | | |
| oidc-auth-apps | 20.06-26 | oidc-auth-manifest | manifest.yaml | uploaded | completed |
| platform-integ-apps | 20.06-9 | platform-integration-manifest | manifest.yaml | uploaded | completed |
+--------------------------+----------+-----------------------------------+---------------------------------+----------+-----------+
#. Validate that the image is in the local registry:
.. code-block:: none
system registry-image-tags quay.io/kubernetes-ingress-controller/nginx-ingress-controller
+-----------+
| Image Tag |
+-----------+
| 0.23.0 |
+-----------+

167
doc/source/system_configuration/kubernetes/create-the-registry-secrets.rst Normal file
View File

@ -0,0 +1,167 @@
..
.. _create-the-registry-secrets:
===================================
Create the Registries' Auth-Secrets
===================================
This step must be performed only if no entries were listed when displaying the
registries' auth-secrets. When required, use the appropriate username and
password.
.. rubric:: |proc|
To create the auth-secrets for the new registries, use the following command:
.. code-block:: none
NEW_USERNAME_PASSWORD="username:docker password:********"
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
do
openstack secret store -n ${registry}-secret -p "${NEW_USERNAME_PASSWORD}"
secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}' | awk -F/ '{print $6}'`
system service-parameter-add docker ${registry} auth-secret=${secret_uuid}
done
You will get the following output:
.. code-block:: none
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/d82f1653-4718-429c-b6d5-0fc3e27d32f9 |
| Name | docker-registry-secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 68d68fec-36a7-445a-9b2e-4fdae5f24d16 |
| service | docker |
| section | docker-registry |
| name | auth-secret |
| value | d82f1653-4718-429c-b6d5-0fc3e27d32f9 |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/69219fb7-4072-4391-ac13-fe429e8f1e2f |
| Name | quay-registry-secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 8f153a9a-b249-4e50-8789-19a66b3f6f72 |
| service | docker |
| section | quay-registry |
| name | auth-secret |
| value | 69219fb7-4072-4391-ac13-fe429e8f1e2f |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/60369415-00be-4777-b16d-f2f8641cb079 |
| Name | elastic-registry-secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 6ed71e2c-b845-43a0-8827-fff8520135cf |
| service | docker |
| section | elastic-registry |
| name | auth-secret |
| value | 60369415-00be-4777-b16d-f2f8641cb079 |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/6c45003f-29c3-4353-a55d-05bc55e278a7 |
| Name | gcr-registry-secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 43934f0f-08c4-48b8-92b5-14d2504f8053 |
| service | docker |
| section | gcr-registry |
| name | auth-secret |
| value | 6c45003f-29c3-4353-a55d-05bc55e278a7 |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/dc79fe94-598d-4776-af59-9879f4253082 |
| Name | k8s-registry-secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 4e531e3d-9c8f-47e2-8919-68b50ba06a74 |
| service | docker |
| section | k8s-registry |
| name | auth-secret |
| value | dc79fe94-598d-4776-af59-9879f4253082 |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
To update the registry secrets, go to :ref:`Update
the Registries' Auth-Secrets <update-the-registry-secrets>`.

16
doc/source/system_configuration/kubernetes/index.rst
View File

@ -117,3 +117,19 @@ Kubernetes Configuration
:maxdepth: 2
limit-number-of-processes-per-pod
about-changing-external-registries-for-starlingx-installation
*************************************
Apply Registries' Auth-Secret Changes
*************************************
.. toctree::
:maxdepth: 1
change-the-registry-url
validate-existing-registry-and-new-url
create-the-registry-secrets
update-the-registry-secrets
verify-the-registry-secret-changes-and-secret-key-in-system-database
add-the-ca-certificate-for-new-registry
check-new-registry-and-reapply-application

189
doc/source/system_configuration/kubernetes/update-the-registry-secrets.rst Normal file
View File

@ -0,0 +1,189 @@
..
.. _update-the-registry-secrets:
===================================
Update the Registries' Auth-Secrets
===================================
This step must be performed only if there are existing entries when displaying
the registries' auth-secrets.
When required, use the appropriate username and password.
.. rubric:: |proc|
To update the auth-secrets for the new registries, use the following command:
.. code-block:: none
NEW_USERNAME_PASSWORD="username:docker password:********"
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
do
secret=`openstack secret list | grep ${registry}-secret | awk '{print $2}'`
openstack secret delete ${secret}
openstack secret store -n ${registry}-secret -p "${NEW_USERNAME_PASSWORD}"
secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}' | awk -F/ '{print $6}'`
system service-parameter-modify docker ${registry} auth-secret=${secret_uuid}
done
You will get the following output:
.. code-block:: none
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/d71b2577-1204-4c65-89b3-a29562343b2c |
| Name | docker-registry-secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
.. code-block:: none
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 9c268c25-e971-4e2c-927e-78f2f0332b63 |
| service | docker |
| section | docker-registry |
| name | auth-secret |
| value | d71b2577-1204-4c65-89b3-a29562343b2c |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
.. code-block:: none
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/7d7c0bff-eaed-4a5a-8877-dbedc7491c95 |
| Name | quay-registry-secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
.. code-block:: none
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | fa85e427-1f97-4e4c-9ab8-f048344b0fd0 |
| service | docker |
| section | quay-registry |
| name | auth-secret |
| value | 7d7c0bff-eaed-4a5a-8877-dbedc7491c95 |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
.. code-block:: none
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/40e6f308-62b5-4f90-b457-b6770864de8d |
| Name | elastic-registry-secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
.. code-block:: none
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 009eff20-ed1a-4259-998e-616dd40fb3da |
| service | docker |
| section | elastic-registry |
| name | auth-secret |
| value | 40e6f308-62b5-4f90-b457-b6770864de8d |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
.. code-block:: none
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/a7d4319d-a6b9-41c1-9de1-ad7c56678a48 |
| Name | gcr-registry-secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
.. code-block:: none
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 665e3183-f27a-4fc6-a2a5-59cd041ee00e |
| service | docker |
| section | gcr-registry |
| name | auth-secret |
| value | a7d4319d-a6b9-41c1-9de1-ad7c56678a48 |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
.. code-block:: none
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/52126ffe-6e1c-4295-b4b0-6095787c87ed |
| Name | k8s-registry-secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
.. code-block:: none
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 0b02bf15-e830-4196-a867-6e52bcbd0c6e |
| service | docker |
| section | k8s-registry |
| name | auth-secret |
| value | 52126ffe-6e1c-4295-b4b0-6095787c87ed |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
To verify the registry secret changes, go to :ref:`Verify the Registries'
Secret Configuration Changes
<verify-the-registry-secret-changes-and-secret-key-in-system-database>`.

51
doc/source/system_configuration/kubernetes/validate-existing-registry-and-new-url.rst Normal file
View File

@ -0,0 +1,51 @@
..
.. _validate-existing-registry-and-new-url:
=================================================
Display Updated Registries' URLs and Auth-Secrets
=================================================
To display the updated URLs, use the following command:
.. code-block:: none
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
do
uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'`
url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}'`
echo $registry URL is $url_path
done
You will get the following output:
.. code-block:: none
docker-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.io
quay-registry URL is new-registry.domain.com:9001/product-abc/starlingx/quay.io
elastic-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.elastic.co
gcr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/gcr.io
k8s-registry URL is new-registry.domain.com:9001/product-abc/starlingx/k8s.gcr.io
If the existing registries used authentication, use the following command to
display their auth-secrets:
.. code-block:: none
system service-parameter-list | grep auth-secret
You will get the following output:
.. code-block:: none
| 8dd9200f-5a14-43c0-afb9-941f0c571613 | docker | docker-registry | auth-secret | 19c8700b-0907-4fdb-bb4d-d4c23d9a644b | None | None |
| 44cb60f9-d51a-40d2-a376-c4f019f440ef | docker | elastic-registry | auth-secret | d66dd561-e4a6-499a-b235-72a7e9dd1634 | None | None |
| 24f183c0-bc8c-4d64-90ac-7619c862298c | docker | gcr-registry | auth-secret | 60723957-ab68-44cc-ab94-4a8b09c9e852 | None | None |
| d438b4a1-72ae-459d-9074-76435a545aca | docker | k8s-registry | auth-secret | b2ab23d8-b878-41ae-bb5b-7bdba0f44f64 | None | None |
| 37ac7a03-4bda-4367-9452-a14772958864 | docker | quay-registry | auth-secret | 58150478-c74b-496a-bcaf-98973835cc03 | None | None |
If the output result is similar to the authentication above, go to :ref:`Update the Registries' Auth-Secrets
<update-the-registry-secrets>`.
If the output result is blank, go to :ref:`Create the Registries' Auth-Secrets
<create-the-registry-secrets>`.

109
doc/source/system_configuration/kubernetes/verify-the-registry-secret-changes-and-secret-key-in-system-database.rst Normal file
View File

@ -0,0 +1,109 @@
..
.. _verify-the-registry-secret-changes-and-secret-key-in-system-database:
===================================================
Verify the Registries' Secret Configuration Changes
===================================================
To verify the registries' secret configuration changes, use the following command:
.. code-block:: none
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
do
echo $registry
secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}'`
openstack secret get -d $secret_uuid
done
You will get the following output:
docker-registry
.. table::
:widths: auto
+---------+-----------------------------------+
| Field | Value |
+---------+-----------------------------------+
| Payload | username:docker password:******** |
+---------+-----------------------------------+
quay-registry
.. table::
:widths: auto
+---------+-----------------------------------+
| Field | Value |
+---------+-----------------------------------+
| Payload | username:docker password:******** |
+---------+-----------------------------------+
elastic-registry
.. table::
:widths: auto
+---------+-----------------------------------+
| Field | Value |
+---------+-----------------------------------+
| Payload | username:docker password:******** |
+---------+-----------------------------------+
gcr-registry
.. table::
:widths: auto
+---------+-----------------------------------+
| Field | Value |
+---------+-----------------------------------+
| Payload | username:docker password:******** |
+---------+-----------------------------------+
k8s-registry
.. table::
:widths: auto
+---------+-----------------------------------+
| Field | Value |
+---------+-----------------------------------+
| Payload | username:docker password:******** |
+---------+-----------------------------------+
To verify if the configured registries' secret is properly linked to the
registry entries in the service parameter table, use the following command:
.. code-block:: none
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
do
echo $registry
uuid=`system service-parameter-list |grep $registry | grep auth-secret | awk '{print $2}'`
url=`system service-parameter-show ${uuid} | grep value | awk '{print $4}'`
secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}'| awk -F/ '{print $6}'`
echo $url $secret_uuid
if [ "${url}" != "${secret_uuid}" ]; then
echo "**** ${registry} not correct"
fi
done
You will get the following output:
.. code-block:: none
docker-registry
1ee140e8-3246-4435-8dfc-5c37277767a2 1ee140e8-3246-4435-8dfc-5c37277767a2
quay-registry
657b91e8-e214-4fee-b391-0ad2ce9124de 657b91e8-e214-4fee-b391-0ad2ce9124de
elastic-registry
3f816e1c-7892-42e9-b269-f02bc14504fa 3f816e1c-7892-42e9-b269-f02bc14504fa
gcr-registry
4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1 4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1
k8s-registry
96d722e6-ab97-4185-9b97-64ee90c6162c 96d722e6-ab97-4185-9b97-64ee90c6162c
To add the CA Certificate, go to :ref:`Add the CA Certificate for New Registry
<add-the-ca-certificate-for-new-registry>`.