Merge "Platform Application Components Up-version - Portieris (dsR8)"

This commit is contained in:
Zuul 2023-05-10 17:32:02 +00:00 committed by Gerrit Code Review
commit 2804b5bb82
15 changed files with 67 additions and 41 deletions

View File

@ -182,6 +182,8 @@ Bootstrap system on controller-0
url: myprivateregistry.abc.com:9001/docker.io url: myprivateregistry.abc.com:9001/docker.io
registry.k8s.io: registry.k8s.io:
url: myprivateregistry.abc.com:9001/registry.k8s.io url: myprivateregistry.abc.com:9001/registry.k8s.io
icr.io:
url: myprivateregistry.abc.com:9001/icr.io
defaults: defaults:
type: docker type: docker
username: <your_myprivateregistry.abc.com_username> username: <your_myprivateregistry.abc.com_username>

View File

@ -182,6 +182,8 @@ Bootstrap system on controller-0
url: myprivateregistry.abc.com:9001/docker.io url: myprivateregistry.abc.com:9001/docker.io
registry.k8s.io registry.k8s.io
url: myprivateregistry.abc.com:9001/registry.k8s.io url: myprivateregistry.abc.com:9001/registry.k8s.io
icr.io:
url: myprivateregistry.abc.com:9001/icr.io
defaults: defaults:
type: docker type: docker
username: <your_myprivateregistry.abc.com_username> username: <your_myprivateregistry.abc.com_username>
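Review bot: the unchanged context line `registry.k8s.io` directly above the new `icr.io:` entry is missing its trailing colon, unlike the `registry.k8s.io:` key in the other bootstrap examples touched by this change; without the colon the example is not a valid YAML mapping, so fix it to `registry.k8s.io:` while editing this block.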

View File

@ -36,6 +36,8 @@ your server is isolated from the public Internet.
url: <my-registry.io>/docker.elastic.co url: <my-registry.io>/docker.elastic.co
registry.k8s.io: registry.k8s.io:
url: <my-registry.io>/registry.k8s.io url: <my-registry.io>/registry.k8s.io
icr.io:
url: <my-registry.io>/icr.io
defaults: defaults:
type: docker type: docker
username: <your_my-registry.io_username> username: <your_my-registry.io_username>

View File

@ -245,6 +245,8 @@ Bootstrap system on controller-0
url: myprivateregistry.abc.com:9001/docker.io url: myprivateregistry.abc.com:9001/docker.io
registry.k8s.io: registry.k8s.io:
url: myprivateregistry.abc.com:9001/registry.k8s.io url: myprivateregistry.abc.com:9001/registry.k8s.io
icr.io:
url: myprivateregistry.abc.com:9001/icr.io
defaults: defaults:
type: docker type: docker
username: <your_myprivateregistry.abc.com_username> username: <your_myprivateregistry.abc.com_username>

View File

@ -285,6 +285,8 @@ subcloud, the subcloud installation has these phases:
url: registry.central:9001/docker.elastic.co url: registry.central:9001/docker.elastic.co
registry.k8s.io: registry.k8s.io:
url: registry.central:9001/registry.k8s.io url: registry.central:9001/registry.k8s.io
icr.io:
url: registry.central:9001/icr.io
defaults: defaults:
username: sysinv username: sysinv
password: <sysinv_password> password: <sysinv_password>

View File

@ -199,6 +199,8 @@ subcloud, the subcloud installation process has two phases:
url: registry.central:9001/docker.elastic.co url: registry.central:9001/docker.elastic.co
registry.k8s.io: registry.k8s.io:
url: registry.central:9001/registry.k8s.io url: registry.central:9001/registry.k8s.io
icr.io:
url: registry.central:9001/icr.io
defaults: defaults:
username: sysinv username: sysinv
password: <sysinv_password> password: <sysinv_password>

View File

@ -10,6 +10,19 @@ You can install Portieris on |prod| from the command line.
.. rubric:: |proc| .. rubric:: |proc|
.. note::
For systems upgraded from a previous release, please add service parameters
for the new icr registry that will contain images used by Portieris. You
will need to add 1 service parameter for the URL at a minimum: ``system
service-parameter-add docker icr-registry
url=myprivateregistry.abc.com:9001/icr.io``.
Refer to :ref:`About Changing External Registries for StarlingX
Installation
<about-changing-external-registries-for-starlingx-installation>` for more
details.
#. Locate the Portieris tarball in /usr/local/share/applications/helm. #. Locate the Portieris tarball in /usr/local/share/applications/helm.
For example: For example:
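Review bot: the upgrade note says one service parameter is needed "at a minimum" but does not say what the others are; since the loops elsewhere in this change look up an `auth-secret` parameter per registry, the note should state that an `auth-secret` parameter for `icr-registry` is also required when the private registry needs authentication, and point at the auth-secret procedure. The `system service-parameter-add docker icr-registry url=...` command is also wrapped across three lines inside double backticks; move it into its own `.. code-block:: none` under the note, as the rest of the page does for commands.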
@ -44,7 +57,6 @@ You can install Portieris on |prod| from the command line.
~(keystone_admin)]$ system helm-override-update portieris portieris-certs portieris --values caCert.yaml ~(keystone_admin)]$ system helm-override-update portieris portieris-certs portieris --values caCert.yaml
#. Apply the application. #. Apply the application.
.. code-block:: none .. code-block:: none

View File

@ -56,7 +56,7 @@ registry+notary server
.. code-block:: none .. code-block:: none
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 apiVersion: portieris.cloud.ibm.com/v1
kind: ImagePolicy kind: ImagePolicy
metadata: metadata:
name: allow-all-icrio name: allow-all-icrio
@ -69,7 +69,7 @@ registry+notary server
.. code-block:: none .. code-block:: none
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 apiVersion: portieris.cloud.ibm.com/v1
kind: ImagePolicy kind: ImagePolicy
metadata: metadata:
name: allow-custom name: allow-custom
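Review bot: changing the ImagePolicy `apiVersion` from `securityenforcement.admission.cloud.ibm.com/v1beta1` to `portieris.cloud.ibm.com/v1` means policies created under the old API group are a different resource type from the new one, so the page should say whether existing ImagePolicy and ClusterImagePolicy objects must be re-created with the new `apiVersion` after upgrading; the upgrade note added to the install page in this change only covers the icr registry parameter.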

View File

@ -17,33 +17,6 @@ system.
~(keystone_admin)]$ system application-remove portieris ~(keystone_admin)]$ system application-remove portieris
#. Delete kubernetes resources not automatically removed in the previous step.
This is required if you plan to reapply the application.
.. code-block:: none
~(keystone_admin)]$ kubectl delete clusterroles.rbac.authorization.k8s.io portieris
~(keystone_admin)]$ kubectl delete clusterrolebindings.rbac.authorization.k8s.io admission-portieris-webhook
~(keystone_admin)]$ kubectl delete -n portieris cm/image-policy-crds
~(keystone_admin)]$ kubectl delete -n portieris serviceaccounts/portieris
.. note::
If this step is done before removing the application in step 1, the
removal will fail, leaving the application in the **remove-failed**
state. In such cases you will need to issue the following commands
to recover:
.. code-block:: none
~(keystone_admin)]$ kubectl delete MutatingWebhookConfiguration image-admission-config --ignore-not-found=true
~(keystone_admin)]$ kubectl delete ValidatingWebhookConfiguration image-admission-config --ignore-not-found=true
~(keystone_admin)]$ kubectl delete crd clusterimagepolicies.securityenforcement.admission.cloud.ibm.com imagepolicies.securityenforcement.admission.cloud.ibm.com --ignore-not-found=true
~(keystone_admin)]$ kubectl delete clusterroles.rbac.authorization.k8s.io portieris --ignore-not-found=true
~(keystone_admin)]$ kubectl delete clusterrolebindings.rbac.authorization.k8s.io admission-portieris-webhook --ignore-not-found=true
~(keystone_admin)]$ kubectl delete ns/portieris --ignore-not-found=true
~(keystone_admin)]$ helm delete portieris-portieris --purge --no-hooks
~(keystone_admin)]$ system application-remove portieris
#. Delete the application. #. Delete the application.
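Review bot: this hunk drops both the manual cleanup step and the recovery procedure for the `remove-failed` state without a replacement, and the commit message does not say that the new Portieris version removes the `portieris` clusterrole, the `admission-portieris-webhook` clusterrolebinding, the `image-policy-crds` configmap and the CRDs on `application-remove` by itself. If it does, state that in the commit message; if a recovery path is still needed, keep the note with the CRD names updated to the `portieris.cloud.ibm.com` group used elsewhere in this change instead of the removed `securityenforcement.admission.cloud.ibm.com` names, and replace `helm delete --purge`, which is Helm 2 syntax.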

View File

@ -11,11 +11,12 @@ and application updates.
When installing and upgrading |prod| or applying and updating |prod| When installing and upgrading |prod| or applying and updating |prod|
applications, container images are pulled from external registries, for various applications, container images are pulled from external registries, for various
services. By default, these container images are pulled from the following services. By default, these container images are pulled from the following
public registries: ``k8s.gcr.io``, ``gcr.io``, ``quay.io``, and ``docker.io``. public registries: ``k8s.gcr.io``, ``gcr.io``, ``quay.io``, ``docker.io``,
During installation, specifically during the bootstrap step, these external registries ``icr.io``, ``ghcr.io``, and ``registry.k8s.io``. During installation,
can be overridden using the 'docker_registries' variable in the bootstrap specifically during the bootstrap step, these external registries can be
override file. This task provides a procedure for changing these external overridden using the 'docker_registries' variable in the bootstrap override
registries **after** installing |prod|. file. This task provides a procedure for changing these external registries
**after** installing |prod|.
.. rubric:: |context| .. rubric:: |context|
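Review bot: style: `'docker_registries'` in the re-wrapped paragraph is in single quotes while the registry names around it use double-backtick literals; make it ``docker_registries``. The list also now names both ``k8s.gcr.io`` and ``registry.k8s.io`` as defaults; if one replaces the other, say so, because the sample output later in this change still shows the `k8s-registry` URL ending in `k8s.gcr.io`.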

View File

@ -12,7 +12,7 @@ registries' URLs using the following command:
.. code-block:: none .. code-block:: none
NEW_URL_START=new-registry.domain.com:9001 NEW_URL_START=new-registry.domain.com:9001
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
do do
uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'` uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'`
url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}' | cut -d '/' -f 2-` url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}' | cut -d '/' -f 2-`
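Review bot: adding `registryk8s-registry` to this loop breaks the existing `k8s-registry` iteration: `grep $registry` is an unanchored substring match and `registryk8s-registry` contains `k8s-registry`, so when `$registry` is `k8s-registry` the `uuid=` line captures two UUIDs and `system service-parameter-show $uuid` is called with two arguments. Anchor the match, for example `grep " $registry "` (the service-parameter table is pipe-and-space delimited) or `grep -w "$registry"`, in every loop this change touches.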

View File

@ -17,7 +17,7 @@ To create the auth-secrets for the new registries, use the following command:
NEW_USERNAME_PASSWORD="username:docker password:********" NEW_USERNAME_PASSWORD="username:docker password:********"
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
do do
openstack secret store -n ${registry}-secret -p "${NEW_USERNAME_PASSWORD}" openstack secret store -n ${registry}-secret -p "${NEW_USERNAME_PASSWORD}"
secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}' | awk -F/ '{print $6}'` secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}' | awk -F/ '{print $6}'`
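Review bot: same substring problem as the URL loop: `grep ${registry}-secret` matches both `k8s-registry-secret` and `registryk8s-registry-secret` when `$registry` is `k8s-registry`, so `secret_uuid` will hold two values once the second secret exists. Anchor the name, e.g. `grep " ${registry}-secret "`, so each iteration picks up exactly its own secret.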

View File

@ -18,7 +18,7 @@ To update the auth-secrets for the new registries, use the following command:
NEW_USERNAME_PASSWORD="username:docker password:********" NEW_USERNAME_PASSWORD="username:docker password:********"
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
do do
secret=`openstack secret list | grep ${registry}-secret | awk '{print $2}'` secret=`openstack secret list | grep ${registry}-secret | awk '{print $2}'`
openstack secret delete ${secret} openstack secret delete ${secret}
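Review bot: this is the riskiest instance of the unanchored match: with `registryk8s-registry` in the list, `grep ${registry}-secret` for `k8s-registry` returns the hrefs of both `k8s-registry-secret` and `registryk8s-registry-secret`, so `openstack secret delete ${secret}` either fails or removes the wrong secret before the loop reaches it. Anchor the grep (e.g. `grep " ${registry}-secret "`) before merging.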

View File

@ -10,7 +10,7 @@ To display the updated URLs, use the following command:
.. code-block:: none .. code-block:: none
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
do do
uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'` uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'`
url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}'` url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}'`
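Review bot: same unanchored `grep $registry` issue as the other loops; with `registryk8s-registry` in the list the `k8s-registry` iteration collects two UUIDs and the `system service-parameter-show $uuid` call gets two arguments. Use `grep " $registry "` or `grep -w "$registry"`.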
@ -23,6 +23,8 @@ You will get the following output:
docker-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.io docker-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.io
quay-registry URL is new-registry.domain.com:9001/product-abc/starlingx/quay.io quay-registry URL is new-registry.domain.com:9001/product-abc/starlingx/quay.io
icr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/icr.io
ghcr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/ghcr.io
elastic-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.elastic.co elastic-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.elastic.co
gcr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/gcr.io gcr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/gcr.io
k8s-registry URL is new-registry.domain.com:9001/product-abc/starlingx/k8s.gcr.io k8s-registry URL is new-registry.domain.com:9001/product-abc/starlingx/k8s.gcr.io
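Review bot: the sample output no longer matches the loop above it: the loop now iterates over `registryk8s-registry` as well, but no `registryk8s-registry URL is ...` line was added, and `k8s-registry` still shows `.../k8s.gcr.io` while the paragraph elsewhere in this change lists `registry.k8s.io` as a default. Add the missing line so the sample reflects what the command prints.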

View File

@ -9,7 +9,7 @@ To verify the registries' secret configuration changes, use the following comman
.. code-block:: none .. code-block:: none
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
do do
echo $registry echo $registry
secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}'` secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}'`
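Review bot: `grep ${registry}-secret` here has the same substring overlap between `k8s-registry-secret` and `registryk8s-registry-secret`; anchor it (e.g. `grep " ${registry}-secret "`) so the verification prints one secret per registry.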
@ -64,6 +64,28 @@ gcr-registry
k8s-registry k8s-registry
.. table::
:widths: auto
+---------+-----------------------------------+
| Field | Value |
+---------+-----------------------------------+
| Payload | username:docker password:******** |
+---------+-----------------------------------+
icr-registry
.. table::
:widths: auto
+---------+-----------------------------------+
| Field | Value |
+---------+-----------------------------------+
| Payload | username:docker password:******** |
+---------+-----------------------------------+
ghcr-registry
.. table:: .. table::
:widths: auto :widths: auto
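Review bot: the loop in the hunk above now includes `registryk8s-registry`, but the expected output adds tables only for `icr-registry` and `ghcr-registry`; either add the `registryk8s-registry` block here or drop it from the loop so the command and its sample output agree.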
@ -78,7 +100,7 @@ registry entries in the service parameter table, use the following command:
.. code-block:: none .. code-block:: none
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry
do do
echo $registry echo $registry
uuid=`system service-parameter-list |grep $registry | grep auth-secret | awk '{print $2}'` uuid=`system service-parameter-list |grep $registry | grep auth-secret | awk '{print $2}'`
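Review bot: this loop adds `icr-registry ghcr-registry` but not `registryk8s-registry`, unlike every other loop in this change; if that is deliberate (no auth-secret parameter for that registry) a sentence should say so, otherwise the list should match. If it is added, `grep $registry | grep auth-secret` has the same `k8s-registry`/`registryk8s-registry` substring overlap as the other loops and needs an anchored match.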
@ -104,6 +126,10 @@ You will get the following output:
4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1 4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1 4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1 4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1
k8s-registry k8s-registry
96d722e6-ab97-4185-9b97-64ee90c6162c 96d722e6-ab97-4185-9b97-64ee90c6162c 96d722e6-ab97-4185-9b97-64ee90c6162c 96d722e6-ab97-4185-9b97-64ee90c6162c
icr-registry
6fdaf773-a253-4b48-b9ff-d9dce1401c33 6fdaf773-a253-4b48-b9ff-d9dce1401c33
ghcr-registry
56b03b2b-7685-449d-ade4-3d8c4e73649f 56b03b2b-7685-449d-ade4-3d8c4e73649f
To add the CA Certificate, go to :ref:`Add the CA Certificate for New Registry To add the CA Certificate, go to :ref:`Add the CA Certificate for New Registry
<add-the-ca-certificate-for-new-registry>`. <add-the-ca-certificate-for-new-registry>`.