Adjustment for the Kubernetes 1.24 behavior change

In K8s 1.24, when a ServiceAccount is created, a
Secret is no longer created automatically. Need to add
extra steps for secret creation.

Closes-bug: 1997750

Signed-off-by: Litao Gao <litao.gao@windriver.com>
Change-Id: Iffa965717b35c55e129e21eca79bfbb1f6668f5d
Litao Gao 2022-11-24 06:47:11 -05:00
parent c66d66783b
commit 22f58200f6
3 changed files with 83 additions and 38 deletions


@ -29,7 +29,7 @@ application:
- Istio-cni - Kubernetes |CNI| plugin
The Kiali (`https://kiali.io/ <https://kiali.io/>`__) management console for
Istio is also integrated with |prod|, in the Istio system application.
Istio is also integrated with |prod| in the Istio system application.
It provides management functions and visualizations to the service mesh
operation. Metrics and tracing functionalities are not supported at this time.
@ -37,19 +37,19 @@ operation. Metrics and tracing functionalities are not supported at this time.
You can install Istio and Kiali on |prod| from the command line.
#. Locate the Istio tarball in ``/usr/local/share/application/helm``.
#. Locate the Istio tarball in ``/usr/local/share/applications/helm``.
For example:
.. code-block:: none
/usr/local/share/application/helm/istio-<version>.tgz
/usr/local/share/applications/helm/istio-<version>.tgz
#. Upload the application.
.. code-block:: none
~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/istio-<version>.tgz
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/istio-<version>.tgz
#. Apply the application.
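
Review bot: The path correction from ``/usr/local/share/application/helm`` to ``/usr/local/share/applications/helm`` in this hunk (tarball location, example, and the ``system application-upload`` command) is not covered by the commit message, which only describes the Kubernetes 1.24 ServiceAccount change. Mention the path fix in the message, or split it into its own commit so it can be tracked and backported on its own.
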
@ -81,8 +81,8 @@ You can install Istio and Kiali on |prod| from the command line.
EOF
kubectl apply -f istio-cni-nad.yaml
|CNI| is managed by Multus. The NetworkAttachmentDefinition is required in
the application namespace in order to invoke the ``istio-cni`` plugin.
|CNI| is managed by Multus. The ``NetworkAttachmentDefinition`` is required
in the application namespace in order to invoke the ``istio-cni`` plugin.
#. Enable side car for a particular namespace.
@ -95,7 +95,9 @@ You can install Istio and Kiali on |prod| from the command line.
injection webhook is enabled, any new pods that are created in that
namespace will automatically have a sidecar added to them.
#. At this point, you may launch services in the above namespace.
.. rubric:: |result|
At this point, you may have launched services in the above namespace.
When the user application is deployed, the sidecar container
``istio-proxy`` is injected into the user application pod:
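
Review bot: The result text "At this point, you may have launched services in the above namespace." reads as uncertain about whether anything was launched, while the steps above it only enable sidecar injection for the namespace. Suggest "You can now launch services in the above namespace." under the result rubric, which also leads naturally into the sentence about ``istio-proxy`` being injected when the user application is deployed.
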


@ -36,21 +36,23 @@ Install
Configure the internal Ceph storage for the O2 application persistent storage,
see |stor-doc|: :ref:`Configure the Internal Ceph Storage Backend
<configure-the-internal-ceph-storage-backend>` and enable |PVC| support in
``oran-o2`` namespace, see |stor-doc|: :ref:`Enable ReadWriteOnce PVC Support in
Additional Namespaces <enable-readwriteonce-pvc-support-in-additional-namespaces>`.
<configure-the-internal-ceph-storage-backend>`.
Enable |PVC| support in ``oran-o2`` namespace, see |stor-doc|: :ref:`Enable
ReadWriteOnce PVC Support in Additional Namespaces
<enable-readwriteonce-pvc-support-in-additional-namespaces>`.
.. rubric:: |proc|
You can install |O-RAN| O2 application on |prod| from the command line.
#. Locate the O2 application tarball in ``/usr/local/share/application/helm``.
#. Locate the O2 application tarball in ``/usr/local/share/applications/helm``.
For example:
.. code-block:: bash
/usr/local/share/application/helm/oran-o2-<version>.tgz
/usr/local/share/applications/helm/oran-o2-<version>.tgz
#. Download ``admin_openrc.sh`` from the |prod| admin dashboard.
@ -71,14 +73,14 @@ You can install |O-RAN| O2 application on |prod| from the command line.
.. code-block:: bash
~(keystone_admin)]$ system application-upload /usr/local/share/application/helm/oran-o2-<version>.tgz
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/oran-o2-<version>.tgz
#. Prepare the override ``yaml`` file.
#. Create a service account for |SMO| and obtain an access token.
#. Create a service account for |SMO| application.
Create a ServiceAccount which can be used to provide |SMO| with minimal
access permission credentials.
Create a `ServiceAccount` which can be used to provide |SMO| application with
minimal access permission credentials.
.. code-block:: bash
@ -118,7 +120,27 @@ You can install |O-RAN| O2 application on |prod| from the command line.
kubectl apply -f smo-serviceaccount.yaml
export SMO_SECRET=$(kubectl get serviceaccounts $SMO_SERVICEACCOUNT -o jsonpath='{.secrets[0].name}')
#. Create a secret for service account and obtain an access token.
Create a secret with the type `service-account-token` and pass the
`ServiceAccount` in the annotation section as shown below:
.. code-block:: bash
export SMO_SECRET=smo1-secret
cat <<EOF > smo-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: ${SMO_SECRET}
annotations:
kubernetes.io/service-account.name: ${SMO_SERVICEACCOUNT}
type: kubernetes.io/service-account-token
EOF
kubectl apply -f smo-secret.yaml
export SMO_TOKEN_DATA=$(kubectl get secrets $SMO_SECRET -o jsonpath='{.data.token}' | base64 -d -w 0)
#. Create certificates for the O2 service.
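
Review bot: The added step reads ``.data.token`` immediately after ``kubectl apply -f smo-secret.yaml``, but Kubernetes populates the token of a ``kubernetes.io/service-account-token`` Secret asynchronously, so ``SMO_TOKEN_DATA`` can come back empty on a fast run. Add a check that the variable is non-empty (or a short retry) before it is used in the override file. Neither the manifest nor ``kubectl get secrets $SMO_SECRET`` names a namespace, so both depend on the current context pointing at the namespace that holds ``$SMO_SERVICEACCOUNT``; state the namespace explicitly. If the ``export SMO_SECRET=$(kubectl get serviceaccounts ... -o jsonpath='{.secrets[0].name}')`` line shown above the new step is still present after this change, drop it, since on 1.24 it yields an empty name. Because this token is handed to an external application, the text should also say that it does not expire and is revoked by deleting the Secret. Minor: ``-w 0`` has no effect together with ``base64 -d``, and the prose names the type as service-account-token while the manifest uses ``kubernetes.io/service-account-token``.
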
@ -212,8 +234,8 @@ You can install |O-RAN| O2 application on |prod| from the command line.
EOF
To deploy other versions of an image required for a quick solution, to
have early access to the features (eg. o-ran-sc/pti-o2imsdms:2.0.1), and to
authenticate images that are hosted by a private registry, follow the
have early access to the features (eg. oranscinf/pti-o2imsdms:2.0.1), and
to authenticate images that are hosted by a private registry, follow the
steps below:
#. Create a `docker-registry` secret in ``oran-o2`` namespace.
@ -238,7 +260,7 @@ You can install |O-RAN| O2 application on |prod| from the command line.
serviceaccountname: admin-oran-o2
images:
tags:
o2service: ${O2SERVICE_IMAGE_REG}/o-ran-sc/pti-o2imsdms:2.0.1
o2service: ${O2SERVICE_IMAGE_REG}/docker.io/oranscinf/pti-o2imsdms:2.0.1
postgres: ${O2SERVICE_IMAGE_REG}/docker.io/library/postgres:9.6
redis: ${O2SERVICE_IMAGE_REG}/docker.io/library/redis:alpine
pullPolicy: IfNotPresent
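
Review bot: The corrected ``o2service`` line still references the image by tag (``pti-o2imsdms:2.0.1``) with ``pullPolicy: IfNotPresent``, so what actually runs depends on whatever the private registry serves under that tag at first pull. Since this override is the documented way to deploy non-default images from a private registry, consider showing a digest reference (``...@sha256:<digest>``) or noting that the tag must be immutable in the registry. The prose example in the previous hunk gives ``oranscinf/pti-o2imsdms:2.0.1`` without the ``docker.io/`` prefix used here; make the two consistent or explain the difference.
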
@ -278,9 +300,12 @@ You can install |O-RAN| O2 application on |prod| from the command line.
~(keystone_admin)]$ watch kubectl get all -n oran-o2
.. rubric:: |result|
You have launched services in the above namespace.
.. rubric:: |postreq|
At this point, you have launched services in the above namespace.
You will need to integrate |prod| with an |SMO| application that performs
management of O-Cloud infrastructure and the deployment life cycle management
of O-RAN cloudified |NFs|. See the following API reference for details:
@ -311,3 +336,7 @@ You can uninstall the |O-RAN| O2 application on |prod| from the command line.
.. code-block:: bash
~(keystone_admin)]$ system application-delete oran-o2
.. rubric:: |result|
You have uninstalled the O2 application from the system.


@ -207,4 +207,18 @@ application-specific namespaces to access the |RBD| provisioner's **general stor
You can now create and mount PVCs from the default |RBD| provisioner's
**general storage class**, from within these application-specific namespaces.
#. Apply the secret to the new rbd-provisioner namespace.
Check if the secret has been created in the new namespace by running the
following command:
.. code-block:: none
~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n <namespace>
If the secret has not been created in the new namespace, create it by
running the following command:
.. code-block:: none
~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n default -o yaml | grep -v '^\s*namespace:\s' | kubectl apply -n <namespace> -f -
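
Review bot: The copy command at the end of this hunk places the Ceph pool credential ``ceph-pool-kube-rbd`` in the application namespace, where anyone allowed to read Secrets in ``<namespace>`` can read it; the step should say so and point the reader to restricting Secret access in that namespace. The ``grep -v '^\s*namespace:\s'`` filter only drops the namespace line, so the other server-populated metadata in the ``-o yaml`` output (uid, resourceVersion, creationTimestamp) is piped into ``kubectl apply`` as well; stripping those fields gives a cleaner object. The step title says "Apply the secret" while its first action is a check, and the prompt here is ``~(keystone_admin)$`` where the other files in this change use ``~(keystone_admin)]$``.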