diff --git a/README.md b/README.md index df05a1a1..e8eff663 100644 --- a/README.md +++ b/README.md @@ -23,18 +23,36 @@ You must have the following installed: - `kustomize` (5.x versions) - `helm` (3.8 or newer) - `kubeseal` +- `cmctl` + +Alternatively, if you don't have those dependencies you can use the dedicated +development environment including those tools by launching `nix-shell` in the +project directory. If you don't have `nix-shell` on your machine, it can be +[downloaded here](https://nixos.org/download.html). ### Bootstrapping and Operators -There's a handful of base required components to get a cluster ready to accept traffic -and utilize ArgoCD to deploy the rest of the stack. We'll call that "bootstrap". Below -is the easy one liner but you can look at [./bootstrap/README.md](./bootstrap/README.md) -for detailed info. +There's a handful of base required components to get a cluster ready to accept +traffic and utilize ArgoCD to deploy the rest of the stack. We'll call that +"bootstrap". Below is the easy one liner but you can look at +[./bootstrap/README.md](./bootstrap/README.md) for detailed info. ```bash kubectl kustomize --enable-helm bootstrap | kubectl apply --server-side -f - ``` +If you get following error: + +``` +error: resource mapping not found for name: "selfsigned-cluster-issuer" +namespace: "kube-system" from "STDIN": no matches for kind "ClusterIssuer" in +version "cert-manager.io/v1" +``` + +then you may need to rerun the same command as the CRDs are not [always fully +established](https://github.com/kubernetes/kubectl/issues/1117) +before when they are needed. + At this point ArgoCD can start doing the heavy lifting. ```bash diff --git a/bootstrap/cert-manager/kustomization.yaml b/bootstrap/cert-manager/kustomization.yaml index 9956eb67..9bba6fce 100644 --- a/bootstrap/cert-manager/kustomization.yaml +++ b/bootstrap/cert-manager/kustomization.yaml 
@@ -1,7 +1,26 @@ ---- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml - issuer-kube-system-self-signed.yaml + +patches: +- patch: |- + - op: replace + path: /metadata/annotations/cert-manager.io~1inject-ca-from-secret + value: kube-system/cert-manager-webhook-ca + target: + group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + name: cert-manager-webhook + version: v1 +- patch: |- + - op: replace + path: /metadata/annotations/cert-manager.io~1inject-ca-from-secret + value: kube-system/cert-manager-webhook-ca + target: + group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + name: cert-manager-webhook + version: v1 diff --git a/components/10-keystone/README.md b/components/10-keystone/README.md index 521991e2..1f5a2d79 100644 --- a/components/10-keystone/README.md +++ b/components/10-keystone/README.md @@ -23,6 +23,17 @@ git clone https://github.com/openstack/openstack-helm-infra ./scripts/openstack-helm-depend-sync.sh keystone ``` +## Label the node(s) + +In order to deploy Openstack control plane, at least one of the Kubernetes +nodes has to be labeled with `openstack-control-plane=enabled` label. If you +don't have a node that meets this condition yet, use command similar to this: + +```bash +❯ kubectl label node argotest-control-plane openstack-control-plane=enabled +node/argotest-control-plane labeled +``` + ## Deploy Keystone Since we cannot refer to the secrets by name, we must look them up live from the cluster diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh index 37761957..9d8d6cd1 100755 --- a/scripts/easy-secrets-gen.sh +++ b/scripts/easy-secrets-gen.sh 
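Review bot: The two JSON patches hard-code `kube-system/cert-manager-webhook-ca` as the CA secret, but nothing in this hunk moves cert-manager out of its upstream `cert-manager` namespace; if that namespace transform lives in a parent kustomization this is fine, otherwise cainjector will never find the secret and the API server will fail TLS validation against the webhook, and that dependency deserves a comment above `patches:`, e.g. `# cert-manager is deployed into kube-system here; point cainjector at the relocated webhook CA secret`. The two patches differ only in `kind`, so a single patch targeting `kind: (Validating|Mutating)WebhookConfiguration` (kustomize target fields are matched as anchored regexes) would remove the duplication. Separately, the unchanged pinned release URL is fetched by kustomize with no content hash, so a checksum check in CI or a vendored copy of `cert-manager.yaml` would close that supply-chain gap.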
@@ -4,7 +4,7 @@ cd $(git rev-parse --show-toplevel) kubectl --namespace openstack \ create secret generic mariadb \ - --dry-run \ + --dry-run=client \ -o yaml \ --type Opaque \ --from-literal=root-password="$(./scripts/pwgen.sh)" \ @@ -13,7 +13,7 @@ kubectl --namespace openstack \ kubectl --namespace nautobot \ create secret generic nautobot-env \ - --dry-run \ + --dry-run=client \ -o yaml \ --type Opaque \ --from-literal=NAUTOBOT_SECRET_KEY="$(./scripts/pwgen.sh)" \ @@ -23,7 +23,7 @@ kubectl --namespace nautobot \ kubectl --namespace nautobot \ create secret generic nautobot-redis \ - --dry-run \ + --dry-run=client \ -o yaml \ --type Opaque \ --from-literal=redis-password="$(./scripts/pwgen.sh)" \ @@ -34,25 +34,25 @@ kubectl --namespace openstack \ --type Opaque \ --from-literal=username="keystone" \ --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run -o yaml \ + --dry-run=client -o yaml \ > secret-keystone-rabbitmq-password.yaml kubectl --namespace openstack \ create secret generic keystone-db-password \ --type Opaque \ --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run -o yaml \ + --dry-run=client -o yaml \ > secret-keystone-db-password.yaml kubectl --namespace openstack \ create secret generic keystone-admin \ --type Opaque \ --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run -o yaml \ + --dry-run=client -o yaml \ > secret-keystone-admin.yaml kubectl --namespace openstack \ create secret generic keystone-credential-keys \ --type Opaque \ --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run -o yaml \ + --dry-run=client -o yaml \ > secret-keystone-credential-keys.yaml kubeseal \ 
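Review bot: Every `--from-literal=...="$(./scripts/pwgen.sh)"` in these hunks silently yields an empty password if pwgen.sh fails or is missing, because a failing command substitution inside an argument does not abort the script (errexit does not cover it, and no `set -e` is visible here), and the empty value would then be sealed and deployed. Generate each value into a variable and refuse to continue when it is empty, e.g. `pw=$(./scripts/pwgen.sh) && [ -n "$pw" ] || { echo "pwgen failed" >&2; exit 1; }` before the corresponding `kubectl create` call. The plaintext `secret-*.yaml` files are written with the default umask, so a `umask 077` near the top of the script (outside this hunk) would keep them from being readable by other users until they are sealed. Minor: the keystone commands call `$(git rev-parse --show-toplevel)/scripts/pwgen.sh` while the earlier ones use `./scripts/pwgen.sh`; after the `cd` shown in the hunk header they are equivalent, so the short form could be used throughout.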
@@ -76,7 +76,7 @@ kubeseal \ -f secret-nautobot-redis.yaml \ -w components/01-secrets/encrypted-nautobot-redis.yaml -for skrt in $(find . -name "secret-keystone*.yaml" -depth 1); do +for skrt in $(find . -maxdepth 1 -name "secret-keystone*.yaml"); do encskrt=$(echo "${skrt}" | sed -e 's/secret-/components\/01-secrets\/encrypted-/') kubeseal \ --scope cluster-wide \ diff --git a/shell.nix b/shell.nix new file mode 100644 index 00000000..21402cdf --- /dev/null +++ b/shell.nix @@ -0,0 +1,18 @@ +let + nixpkgs = fetchTarball { + name = "nixos-unstable-2024-02-20"; + url = "https://github.com/NixOS/nixpkgs/archive/8a8350636615bb49841af183cf9399289e570738.tar.gz"; + }; + pkgs = import nixpkgs { config = {}; overlays = []; }; +in + +pkgs.mkShellNoCC { + packages = with pkgs; [ + cmctl + kubectl + kubernetes-helm + kubeseal + kustomize + yq + ]; +}
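Review bot: The new `for skrt in $(find . -maxdepth 1 -name "secret-keystone*.yaml")` still word-splits the find output and depends on GNU-specific flag handling, when a shell glob expresses exactly the same set portably: `for skrt in ./secret-keystone*.yaml; do` with `[ -e "$skrt" ] || continue` as the first body line to handle the no-match case (the loop body continues outside the hunk). The unchanged `--scope cluster-wide` in the same loop is worth a second look: it lets the sealed value be unsealed under any name in any namespace, while the generating commands earlier in the script fix these secrets to the `openstack` namespace, so the default strict scope (or `namespace-wide`) would be sufficient and tighter.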
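Review bot: `fetchTarball` in shell.nix pins nixpkgs by commit in the URL but gives no `sha256`, so Nix downloads and evaluates the archive without verifying its content and only caches the result for the tarball TTL; anyone able to tamper with that download gets code execution in every developer's shell. Add the hash next to `url`, e.g. `sha256 = "<hash from nix-prefetch-url --unpack URL>";`, and note in a comment that `name`, `url` and `sha256` must be bumped together when the pin moves. The README prerequisites also state version floors (kustomize 5.x, helm 3.8+) that this pin is expected to satisfy; a one-line comment recording that, e.g. `# pinned so kustomize 5.x / helm >= 3.8 are provided, matching README prerequisites`, would keep the two in sync.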