Substitutions will not expand in code-blocks and abbrevs are not appropriate within literal content. Removed. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I3e2c47dbd34abd5fefbead9d9a5261297d5410d3
Kubernetes Root CA Certificate Update for Distributed Cloud Orchestration
Warning
During the Kubernetes Root CA update, the deployments, daemonsets, and statefulsets present in the cluster are rolling-restarted. This interrupts the services provided by those applications, so it is highly recommended to schedule a Kubernetes Root CA update during a planned maintenance window.
You can use the dcmanager command to orchestrate the update of the Kubernetes Root CA certificate(s) for one or more subclouds in a Distributed Cloud environment.
The Kubernetes Root CA update Distributed Cloud Orchestration commands for DCManager use the keyword kube-rootca-update-strategy and provide the same five subcommands as the other orchestrations: create, delete, apply, abort, show.
DCManager Kubernetes Root CA update orchestration decides whether a subcloud is 'out-of-sync', and therefore needs to be orchestrated, from the kube-rootca_sync_status field of the subcloud. That field is updated from the presence of alarms in the subcloud reporting that the Kubernetes Root CA certificate is expiring soon or has already expired.
Use the dcmanager subcloud show subcloud1 command to see the synchronization details for a subcloud.

    ~(keystone_admin)]$ dcmanager subcloud show subcloud1
    +-----------------------------+----------------------------+
    | Field                       | Value                      |
    +-----------------------------+----------------------------+
    | id                          | 1                          |
    | name                        | subcloud1                  |
    | description                 | Ottawa Site                |
    | location                    | YOW                        |
    | software_version            | nn.nn                      |
    | management                  | managed                    |
    | availability                | online                     |
    | deploy_status               | complete                   |
    | management_subnet           | 192.168.101.0/24           |
    | management_start_ip         | 192.168.101.2              |
    | management_end_ip           | 192.168.101.50             |
    | management_gateway_ip       | 192.168.101.1              |
    | systemcontroller_gateway_ip | 192.168.204.101            |
    | group_id                    | 1                          |
    | created_at                  | 2021-10-04 15:04:13.045076 |
    | updated_at                  | 2021-10-25 21:16:23.713858 |
    | dc-cert_sync_status         | in-sync                    |
    | firmware_sync_status        | in-sync                    |
    | identity_sync_status        | in-sync                    |
    | kubernetes_sync_status      | in-sync                    |
    | kube-rootca_sync_status     | in-sync                    |
    | load_sync_status            | in-sync                    |
    | patching_sync_status        | in-sync                    |
    | platform_sync_status        | in-sync                    |
    +-----------------------------+----------------------------+
A user can pass help to see all the arguments for the strategy create command.

    ~(keystone_admin)]$ dcmanager help kube-rootca-update-strategy create
    usage: dcmanager kube-rootca-update-strategy create [-h]
                                                        [-f {json,shell,table,value,yaml}]
                                                        [-c COLUMN]
                                                        [--max-width <integer>]
                                                        [--fit-width]
                                                        [--print-empty]
                                                        [--noindent]
                                                        [--prefix PREFIX]
                                                        [--subcloud-apply-type {parallel,serial}]
                                                        [--max-parallel-subclouds MAX_PARALLEL_SUBCLOUDS]
                                                        [--stop-on-failure]
                                                        [--force]
                                                        [--group GROUP]
                                                        [--subject SUBJECT]
                                                        [--expiry-date EXPIRY_DATE]
                                                        [--cert-file CERT_FILE]
                                                        [cloud_name]

    Create a Kubernetes Root CA update strategy.
    This strategy supports expiry-date, subject and cert-file parameters.

    positional arguments:
      cloud_name            Name of a single subcloud to update.

    optional arguments:
      -h, --help            show this help message and exit
      --subcloud-apply-type {parallel,serial}
                            Subcloud apply type (parallel or serial).
      --max-parallel-subclouds MAX_PARALLEL_SUBCLOUDS
                            Maximum number of parallel subclouds.
      --stop-on-failure     Do not update any additional subclouds after a
                            failure.
      --force               Disregard subcloud availability status, intended
                            for some upgrade recovery scenarios. Subcloud name
                            can be specified.
      --group GROUP         Name or ID of subcloud group to update.
      --subject 'C=CA ST=ON L=OTT O=WR OU=STX CN=OTHER'
                            Only applicable if not specifying '--cert-file',
                            this will be the subject for the auto-generated
                            rootca certificate.
      --expiry-date YYYY-MM-DD
                            Only applicable if not specifying '--cert-file',
                            this will be the expiry date for the auto-generated
                            rootca certificate; expected format is YYYY-MM-DD.
      --cert-file CERT_FILE
                            Path to a certificate to upload.
A subcloud can have its Kubernetes Root CA updated by the orchestrator even if it is 'in-sync' by using the --force option. The --force option can be used to orchestrate all subclouds, or combined with the other arguments to orchestrate just one subcloud or one subcloud group.
The following example orchestrates a new Root CA certificate that expires in one year for all subclouds, including those that are currently in-sync.
Create a Kubernetes Root update strategy.
    ~(keystone_admin)]$ dcmanager kube-rootca-update-strategy create --force --expiry-date YYYY-MM-DD
    +-----------------------------+----------------------------+
    | Field                       | Value                      |
    +-----------------------------+----------------------------+
    | strategy type               | kube-rootca-update         |
    | subcloud apply type         | None                       |
    | max parallel subclouds      | None                       |
    | stop on failure             | False                      |
    | state                       | initial                    |
    | created_at                  | 2021-10-26T14:35:50.675988 |
    | updated_at                  | None                       |
    +-----------------------------+----------------------------+
Verify that the strategy will orchestrate the subcloud(s).
    ~(keystone_admin)]$ dcmanager strategy-step list
    +-----------+-------+---------+---------+------------+-------------+
    | cloud     | stage | state   | details | started_at | finished_at |
    +-----------+-------+---------+---------+------------+-------------+
    | subcloud1 | 2     | initial |         | None       | None        |
    +-----------+-------+---------+---------+------------+-------------+
Apply the strategy.
    ~(keystone_admin)]$ dcmanager kube-rootca-update-strategy apply
    +-----------------------------+----------------------------+
    | Field                       | Value                      |
    +-----------------------------+----------------------------+
    | strategy type               | kube-rootca-update         |
    | subcloud apply type         | None                       |
    | max parallel subclouds      | None                       |
    | stop on failure             | False                      |
    | state                       | applying                   |
    | created_at                  | 2021-10-26T14:36:30.327317 |
    | updated_at                  | 2021-10-26T14:37:36.865776 |
    +-----------------------------+----------------------------+
You can view the status of the strategy using the following command.
    ~(keystone_admin)]$ dcmanager kube-rootca-update-strategy show
    +-----------------------------+----------------------------+
    | Field                       | Value                      |
    +-----------------------------+----------------------------+
    | strategy type               | kube-rootca-update         |
    | subcloud apply type         | None                       |
    | max parallel subclouds      | None                       |
    | stop on failure             | False                      |
    | state                       | applying                   |
    | created_at                  | 2021-10-26 14:36:30.327317 |
    | updated_at                  | 2021-10-26 14:37:36.865776 |
    +-----------------------------+----------------------------+
It is typically more useful to monitor the progress of the strategy as it runs in the subclouds. In the example below, the strategy is running the VIM kube-rootca update strategy in the subcloud.
    ~(keystone_admin)]$ dcmanager strategy-step list
    +-----------+-------+------------------------------------------+----------------------------+----------------------------+-------------+
    | cloud     | stage | state                                    | details                    | started_at                 | finished_at |
    +-----------+-------+------------------------------------------+----------------------------+----------------------------+-------------+
    | subcloud1 | 2     | applying vim kube rootca update strategy | apply phase is 0% complete | 2021-10-26 14:37:46.404736 | None        |
    +-----------+-------+------------------------------------------+----------------------------+----------------------------+-------------+
Wait for the strategy to complete. If there are failures, the strategy-step list output from the previous step indicates which subcloud and which step failed.
Only one type of DCManager strategy can exist at a time. Once the strategy has completed, remember to delete it.

    ~(keystone_admin)]$ dcmanager kube-rootca-update-strategy delete
    +-----------------------------+----------------------------+
    | Field                       | Value                      |
    +-----------------------------+----------------------------+
    | strategy type               | kube-rootca-update         |
    | subcloud apply type         | None                       |
    | max parallel subclouds      | None                       |
    | stop on failure             | False                      |
    | state                       | deleting                   |
    | created_at                  | 2021-10-26T14:27:44.856345 |
    | updated_at                  | 2021-10-26T14:30:53.557978 |
    +-----------------------------+----------------------------+
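The create, verify, apply, monitor and delete procedure above, wrapped in a POSIX shell script that parses the dcmanager table output instead of reading it by eye. This is an added example and is not part of the StarlingX documentation or of dcmanager itself. It assumes the dcmanager CLI is on PATH inside a keystone_admin session, that a strategy ends in the state "complete" or "failed", and that kube-rootca-update-strategy show exits non-zero when no strategy exists; none of that is shown on this page. The abbreviated subcloud show table embedded at the end is constructed sample data so the parser can be exercised offline, and DCMANAGER can be pointed at a stub command for dry runs.

```shell
#!/bin/sh
# Added example, not from the StarlingX docs or the dcmanager project.
# Drives a kube-rootca-update strategy end to end and polls it, parsing
# the "| Field | Value |" tables that dcmanager prints.
# Assumed (not shown on the page): terminal strategy states are "complete"
# and "failed"; "kube-rootca-update-strategy show" exits non-zero when no
# strategy exists.

DCMANAGER="${DCMANAGER:-dcmanager}"      # override with a stub for dry runs
POLL_SECONDS="${POLL_SECONDS:-30}"

# Print the Value cell for field $1 from a two-column dcmanager table on stdin.
table_field() {
    awk -F'|' -v want="$1" '
        NF >= 3 {
            k = $2; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == want) { v = $3; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }'
}

# Print "cloud state" for each data row of "dcmanager strategy-step list".
step_states() {
    awk -F'|' '
        NF >= 7 {
            c = $2; gsub(/^[ \t]+|[ \t]+$/, "", c)
            s = $4; gsub(/^[ \t]+|[ \t]+$/, "", s)
            if (c != "cloud" && c != "") print c, s
        }'
}

strategy_state() {
    "$DCMANAGER" kube-rootca-update-strategy show | table_field state
}

# The field the orchestrator uses to decide whether a subcloud is out-of-sync.
rootca_sync_status() {
    "$DCMANAGER" subcloud show "$1" | table_field kube-rootca_sync_status
}

# Block until the strategy leaves initial/applying. Returns 0 on "complete",
# 1 otherwise, and prints the per-subcloud step states so a failure is
# attributable to a subcloud.
wait_for_strategy() {
    while :; do
        state=$(strategy_state)
        case "$state" in
            initial|applying) sleep "$POLL_SECONDS" ;;
            *) break ;;
        esac
    done
    "$DCMANAGER" strategy-step list | step_states
    [ "$state" = "complete" ]
}

# Full procedure. Only one DCManager strategy can exist at a time, so refuse
# to start if one is already present; always delete the strategy afterwards.
run_rootca_update() {
    expiry="$1"   # YYYY-MM-DD expiry for the auto-generated Root CA certificate
    if "$DCMANAGER" kube-rootca-update-strategy show >/dev/null 2>&1; then
        echo "a dcmanager strategy already exists; delete it first" >&2
        return 1
    fi
    "$DCMANAGER" kube-rootca-update-strategy create --force --expiry-date "$expiry" >/dev/null
    "$DCMANAGER" strategy-step list | step_states     # verify the subclouds to be orchestrated
    "$DCMANAGER" kube-rootca-update-strategy apply >/dev/null
    rc=0
    wait_for_strategy || rc=1
    "$DCMANAGER" kube-rootca-update-strategy delete >/dev/null
    return "$rc"
}

# Constructed, abbreviated sample of "dcmanager subcloud show" output.
SAMPLE_SUBCLOUD_SHOW='+-----------------------------+----------------------------+
| Field                       | Value                      |
+-----------------------------+----------------------------+
| name                        | subcloud1                  |
| availability                | online                     |
| kube-rootca_sync_status     | out-of-sync                |
+-----------------------------+----------------------------+'

# Usage: sh rootca-orchestrate.sh --run 2025-12-31
# Without --run, only the parser is exercised on the constructed sample.
if [ "${1:-}" = "--run" ]; then
    run_rootca_update "$2"
else
    printf '%s\n' "$SAMPLE_SUBCLOUD_SHOW" | table_field kube-rootca_sync_status
fi
```

Parsing the table output is deliberately kept in two small awk functions so the same script works unchanged against the subcloud show, strategy show and strategy-step list tables; the poll loop treats anything other than initial or applying as terminal, so an aborted strategy also ends the wait and is reported through the step states rather than hanging the script.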