From 551409bf4bd33bdbded3014f6e99c0bf0347cf17 Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Tue, 20 Feb 2024 10:09:41 +0000
Subject: [PATCH 1/7] add nix declarative shell environment
This optional environment provides all the necessary tools with just a single command.
---
 shell.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 shell.nix
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 00000000..cc14e660
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,15 @@
+let
+ nixpkgs = fetchTarball "https://github.com/NixOS/nixpkgs/tarball/nixos-23.11";
+ pkgs = import nixpkgs { config = {}; overlays = []; };
+in
+
+pkgs.mkShellNoCC {
+ packages = with pkgs; [
+ cmctl
+ kubectl
+ kubernetes-helm
+ kubeseal
+ kustomize
+ yq
+ ];
+}
From 238e11f6f453c2bdccf620fd3bfce40d20827e1f Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Wed, 21 Feb 2024 10:33:03 +0000
Subject: [PATCH 2/7] add info about nix to README
---
 README.md | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index df05a1a1..e8eff663 100644
--- a/README.md
+++ b/README.md
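Review bot: The `fetchTarball` on the new line 2 of shell.nix is given only a URL and no `sha256`, so whatever the tarball contains at the moment `nix-shell` first runs is trusted as fetched, and `nixos-23.11` is a branch alias that moves besides; the later `[PATCH 3/7]` hunk pins a commit tarball but still omits the hash, so this note covers both. Supplying it, e.g. `fetchTarball { url = "…"; sha256 = "<hash of the pinned tarball>"; }`, lets Nix verify the download against a value recorded in the repository instead of silently using whatever GitHub serves. The `nix-prefetch-url --unpack` output for the pinned URL gives the value to record; a short comment above the fetch naming the nixpkgs revision and why it was chosen (the patch 3 subject says helm misbehaves otherwise) would also save the next person from re-deriving that.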
@@ -23,18 +23,36 @@ You must have the following installed: - `kustomize` (5.x versions) - `helm` (3.8 or newer) - `kubeseal` +- `cmctl` + +Alternatively, if you don't have those dependencies you can use the dedicated +development environment including those tools by launching `nix-shell` in the +project directory. If you don't have `nix-shell` on your machine, it can be +[downloaded here](https://nixos.org/download.html). ### Bootstrapping and Operators -There's a handful of base required components to get a cluster ready to accept traffic -and utilize ArgoCD to deploy the rest of the stack. We'll call that "bootstrap". Below -is the easy one liner but you can look at [./bootstrap/README.md](./bootstrap/README.md) -for detailed info. +There's a handful of base required components to get a cluster ready to accept +traffic and utilize ArgoCD to deploy the rest of the stack. We'll call that +"bootstrap". Below is the easy one liner but you can look at +[./bootstrap/README.md](./bootstrap/README.md) for detailed info. ```bash kubectl kustomize --enable-helm bootstrap | kubectl apply --server-side -f - ``` +If you get following error: + +``` +error: resource mapping not found for name: "selfsigned-cluster-issuer" +namespace: "kube-system" from "STDIN": no matches for kind "ClusterIssuer" in +version "cert-manager.io/v1" +``` + +then you may need to rerun the same command as the CRDs are not [always fully +established](https://github.com/kubernetes/kubectl/issues/1117) +before when they are needed. + At this point ArgoCD can start doing the heavy lifting. ```bash
From 3ec8577bb1d601d49c182ed04af31e78c0de1baf Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Tue, 20 Feb 2024 10:54:06 +0000
Subject: [PATCH 3/7] nix: pin to specific version otherwise helm misbehaves
---
 shell.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/shell.nix b/shell.nix
index cc14e660..21402cdf 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,5 +1,8 @@
 let
- nixpkgs = fetchTarball "https://github.com/NixOS/nixpkgs/tarball/nixos-23.11";
+ nixpkgs = fetchTarball {
+ name = "nixos-unstable-2024-02-20";
+ url = "https://github.com/NixOS/nixpkgs/archive/8a8350636615bb49841af183cf9399289e570738.tar.gz";
+ };
 pkgs = import nixpkgs { config = {}; overlays = []; };
 in
From d6001e3854f87b222c8f71cbf6eb99de2bcf9974 Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Tue, 20 Feb 2024 13:35:42 +0000
Subject: [PATCH 4/7] bootstrap/cert-manager: add patch to inject CA cert into correct namespace
With the bootstrap/cert-manager/kustomization.yaml we have overriden the namespace of all the resources to be `kube-system`, but the cert-manager still has the annotation `cert-manager.io/inject-ca-from-secret` that refers to the default `cert-manager` namespace. As a result, it is not possible for the cainjector to inject the secret. This patch updates the annotation to use `kube-system` instead.
---
 bootstrap/cert-manager/kustomization.yaml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/bootstrap/cert-manager/kustomization.yaml b/bootstrap/cert-manager/kustomization.yaml
index 9956eb67..9bba6fce 100644
--- a/bootstrap/cert-manager/kustomization.yaml
+++ b/bootstrap/cert-manager/kustomization.yaml
@@ -1,7 +1,26 @@
----
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml
 - issuer-kube-system-self-signed.yaml
+
+patches:
+- patch: |-
+ - op: replace
+ path: /metadata/annotations/cert-manager.io~1inject-ca-from-secret
+ value: kube-system/cert-manager-webhook-ca
+ target:
+ group: admissionregistration.k8s.io
+ kind: ValidatingWebhookConfiguration
+ name: cert-manager-webhook
+ version: v1
+- patch: |-
+ - op: replace
+ path: /metadata/annotations/cert-manager.io~1inject-ca-from-secret
+ value: kube-system/cert-manager-webhook-ca
+ target:
+ group: admissionregistration.k8s.io
+ kind: MutatingWebhookConfiguration
+ name: cert-manager-webhook
+ version: v1
From 404c0680b01f6574a433f85788d7f6dbace4ab68 Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Wed, 21 Feb 2024 10:42:31 +0000
Subject: [PATCH 5/7] easy-secrets-gen.sh: stop using deprecated --dry-run
---
 scripts/easy-secrets-gen.sh | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh
index 37761957..52feeea5 100755
--- a/scripts/easy-secrets-gen.sh
+++ b/scripts/easy-secrets-gen.sh
@@ -4,7 +4,7 @@ cd $(git rev-parse --show-toplevel)
 kubectl --namespace openstack \
 create secret generic mariadb \
- --dry-run \
+ --dry-run=client \
 -o yaml \
 --type Opaque \
 --from-literal=root-password="$(./scripts/pwgen.sh)" \
@@ -13,7 +13,7 @@ kubectl --namespace openstack \
 kubectl --namespace nautobot \
 create secret generic nautobot-env \
- --dry-run \
+ --dry-run=client \
 -o yaml \
 --type Opaque \
 --from-literal=NAUTOBOT_SECRET_KEY="$(./scripts/pwgen.sh)" \
@@ -23,7 +23,7 @@ kubectl --namespace nautobot \
 kubectl --namespace nautobot \
 create secret generic nautobot-redis \
- --dry-run \
+ --dry-run=client \
 -o yaml \
 --type Opaque \
 --from-literal=redis-password="$(./scripts/pwgen.sh)" \
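Review bot: The two JSON patches hard-code `kube-system/cert-manager-webhook-ca` with nothing in the file saying that this value must track the namespace the commit message says the kustomization overrides (that `namespace:` override is not visible in this hunk), so a later namespace change would silently break CA injection into both webhook configurations again. A comment above `patches:` such as `# Upstream cert-manager.yaml points the webhooks at cert-manager/cert-manager-webhook-ca; keep this namespace in sync with the namespace override or the cainjector cannot find the CA secret.` records the dependency where the next editor will see it. Since the op is `replace`, a future upstream manifest that drops the annotation should make the kustomize build fail rather than admit a webhook without a CA bundle, which is the safer outcome and worth stating in that comment as intended. The same value is also repeated verbatim for the Mutating and Validating entries, so a wrong edit to one of them is easy to miss in review.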
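Review bot: The switch to `--dry-run=client` is right, but each `--from-literal=…="$(./scripts/pwgen.sh)"` next to the changed line in this hunk, and in the two nautobot hunks below it, still accepts an empty value when `pwgen.sh` fails, because a failing command substitution inside an argument does not abort the script even if `set -e` is in effect (the script's first lines are outside the hunk); the manifest would then be written and later sealed with an empty password. Generating the value first and checking it avoids that, e.g. `pw="$(./scripts/pwgen.sh)" && [ -n "${pw}" ] || { echo "pwgen.sh produced no value" >&2; exit 1; }` followed by `--from-literal=root-password="${pw}" \`. The enclosing `kubectl` invocation starts before the hunk's first visible line.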
@@ -34,25 +34,25 @@ kubectl --namespace openstack \
 --type Opaque \
 --from-literal=username="keystone" \
 --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \
- --dry-run -o yaml \
+ --dry-run=client -o yaml \
 > secret-keystone-rabbitmq-password.yaml
 kubectl --namespace openstack \
 create secret generic keystone-db-password \
 --type Opaque \
 --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \
- --dry-run -o yaml \
+ --dry-run=client -o yaml \
 > secret-keystone-db-password.yaml
 kubectl --namespace openstack \
 create secret generic keystone-admin \
 --type Opaque \
 --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \
- --dry-run -o yaml \
+ --dry-run=client -o yaml \
 > secret-keystone-admin.yaml
 kubectl --namespace openstack \
 create secret generic keystone-credential-keys \
 --type Opaque \
 --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \
- --dry-run -o yaml \
+ --dry-run=client -o yaml \
 > secret-keystone-credential-keys.yaml
 kubeseal \
From 57ad0553d4888428215494f872dca5ad675eac88 Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Wed, 21 Feb 2024 11:05:52 +0000
Subject: [PATCH 6/7] easy-secrets-gen fix find
Prior to this commit, the find command did not work because the '-depth' parameter: - cannot be placed before the name - is a boolean flag that does not accept arguments. I believe the intention was to use `-maxdepth 1` here.
---
 scripts/easy-secrets-gen.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh
index 52feeea5..9d8d6cd1 100755
--- a/scripts/easy-secrets-gen.sh
+++ b/scripts/easy-secrets-gen.sh
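Review bot: Each `> secret-keystone-*.yaml` redirect following the changed `--dry-run=client -o yaml \` lines leaves a freshly generated password in a plaintext file in the repository root, and nothing in this hunk removes those files once `kubeseal` has written the encrypted copies, so they can linger on disk or be committed by accident unless `.gitignore` already covers the pattern (not visible here). A `trap 'rm -f secret-*.yaml' EXIT` near the top of the script (outside this hunk), or an explicit `rm` after the sealing loop in the next hunk, would make the plaintext copies short-lived by default. The `-f secret-nautobot-redis.yaml` seen in the following hunk shows the same pattern for the nautobot and mariadb secrets, so one cleanup covers all of them.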
@@ -76,7 +76,7 @@ kubeseal \
 -f secret-nautobot-redis.yaml \
 -w components/01-secrets/encrypted-nautobot-redis.yaml
-for skrt in $(find . -name "secret-keystone*.yaml" -depth 1); do
+for skrt in $(find . -maxdepth 1 -name "secret-keystone*.yaml"); do
 encskrt=$(echo "${skrt}" | sed -e 's/secret-/components\/01-secrets\/encrypted-/')
 kubeseal \
 --scope cluster-wide \
From 9a471073472f0284c1871b5225303b7a703c3d29 Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Wed, 21 Feb 2024 12:07:52 +0000
Subject: [PATCH 7/7] keystone README: node labelling
---
 components/10-keystone/README.md | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/components/10-keystone/README.md b/components/10-keystone/README.md
index 521991e2..1f5a2d79 100644
--- a/components/10-keystone/README.md
+++ b/components/10-keystone/README.md
@@ -23,6 +23,17 @@ git clone https://github.com/openstack/openstack-helm-infra ./scripts/openstack-helm-depend-sync.sh keystone ``` +## Label the node(s) + +In order to deploy Openstack control plane, at least one of the Kubernetes +nodes has to be labeled with `openstack-control-plane=enabled` label. If you +don't have a node that meets this condition yet, use command similar to this: + +```bash +❯ kubectl label node argotest-control-plane openstack-control-plane=enabled +node/argotest-control-plane labeled +``` + ## Deploy Keystone Since we cannot refer to the secrets by name, we must look them up live from the cluster
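Review bot: The corrected `for skrt in $(find . -maxdepth 1 -name "secret-keystone*.yaml"); do` still relies on word-splitting find's output and spawns a subprocess for what is a single-directory match; `for skrt in ./secret-keystone*.yaml; do` does the same work with the same `./`-prefixed names and no splitting. The one behavioural difference is that an unmatched glob expands to itself, so pair it with `shopt -s nullglob` if the script runs under bash (the shebang is outside the hunk) or guard the body with `[ -e "${skrt}" ] || continue`. The filenames here are produced by this script itself, so this is a point of style rather than a live defect; the loop body continues past the hunk.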