fix: Various improvement and fixes found in 1st test deployment

README.md

@@ -23,18 +23,36 @@ You must have the following installed:
 - `kustomize` (5.x versions)
 - `helm` (3.8 or newer)
 - `kubeseal`
+- `cmctl`
+
+Alternatively, if you don't have those dependencies you can use the dedicated
+development environment including those tools by launching `nix-shell` in the
+project directory. If you don't have `nix-shell` on your machine, it can be
+[downloaded here](https://nixos.org/download.html).
 
 ### Bootstrapping and Operators
 
-There's a handful of base required components to get a cluster ready to accept traffic
-and utilize ArgoCD to deploy the rest of the stack. We'll call that "bootstrap". Below
-is the easy one liner but you can look at [./bootstrap/README.md](./bootstrap/README.md)
-for detailed info.
+There's a handful of base required components to get a cluster ready to accept
+traffic and utilize ArgoCD to deploy the rest of the stack. We'll call that
+"bootstrap". Below is the easy one liner but you can look at
+[./bootstrap/README.md](./bootstrap/README.md) for detailed info.
 
 ```bash
 kubectl kustomize --enable-helm bootstrap | kubectl apply --server-side -f -
 ```
 
+If you get following error:
+
+```
+error: resource mapping not found for name: "selfsigned-cluster-issuer"
+namespace: "kube-system" from "STDIN": no matches for kind "ClusterIssuer" in
+version "cert-manager.io/v1"
+```
+
+then you may need to rerun the same command as the CRDs are not [always fully
+established](https://github.com/kubernetes/kubectl/issues/1117)
+before when they are needed.
+
 At this point ArgoCD can start doing the heavy lifting.
 
 ```bash

bootstrap/cert-manager/kustomization.yaml

@@ -1,7 +1,26 @@
----
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
 - https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml
 - issuer-kube-system-self-signed.yaml
+
+patches:
+- patch: |-
+    - op: replace
+      path: /metadata/annotations/cert-manager.io~1inject-ca-from-secret
+      value: kube-system/cert-manager-webhook-ca
+  target:
+    group: admissionregistration.k8s.io
+    kind: ValidatingWebhookConfiguration
+    name: cert-manager-webhook
+    version: v1
+- patch: |-
+    - op: replace
+      path: /metadata/annotations/cert-manager.io~1inject-ca-from-secret
+      value: kube-system/cert-manager-webhook-ca
+  target:
+    group: admissionregistration.k8s.io
+    kind: MutatingWebhookConfiguration
+    name: cert-manager-webhook
+    version: v1

components/10-keystone/README.md

@@ -23,6 +23,17 @@ git clone https://github.com/openstack/openstack-helm-infra
 ./scripts/openstack-helm-depend-sync.sh keystone
 ```
 
+## Label the node(s)
+
+In order to deploy Openstack control plane, at least one of the Kubernetes
+nodes has to be labeled with `openstack-control-plane=enabled` label. If you
+don't have a node that meets this condition yet, use command similar to this:
+
+```bash
+❯ kubectl label node argotest-control-plane openstack-control-plane=enabled
+node/argotest-control-plane labeled
+```
+
 ## Deploy Keystone
 
 Since we cannot refer to the secrets by name, we must look them up live from the cluster

scripts/easy-secrets-gen.sh

@@ -4,7 +4,7 @@ cd $(git rev-parse --show-toplevel)
 
 kubectl --namespace openstack \
     create secret generic mariadb \
-    --dry-run \
+    --dry-run=client \
     -o yaml \
     --type Opaque \
     --from-literal=root-password="$(./scripts/pwgen.sh)" \
@@ -13,7 +13,7 @@ kubectl --namespace openstack \
 
 kubectl --namespace nautobot \
     create secret generic nautobot-env \
-    --dry-run \
+    --dry-run=client \
     -o yaml \
     --type Opaque \
     --from-literal=NAUTOBOT_SECRET_KEY="$(./scripts/pwgen.sh)" \
@@ -23,7 +23,7 @@ kubectl --namespace nautobot \
 
 kubectl --namespace nautobot \
     create secret generic nautobot-redis \
-    --dry-run \
+    --dry-run=client \
     -o yaml \
     --type Opaque \
     --from-literal=redis-password="$(./scripts/pwgen.sh)" \
@@ -34,25 +34,25 @@ kubectl --namespace openstack \
     --type Opaque \
     --from-literal=username="keystone" \
     --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \
-    --dry-run -o yaml \
+    --dry-run=client -o yaml \
     > secret-keystone-rabbitmq-password.yaml
 kubectl --namespace openstack \
     create secret generic keystone-db-password \
     --type Opaque \
     --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \
-    --dry-run -o yaml \
+    --dry-run=client -o yaml \
     > secret-keystone-db-password.yaml
 kubectl --namespace openstack \
     create secret generic keystone-admin \
     --type Opaque \
     --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \
-    --dry-run -o yaml \
+    --dry-run=client -o yaml \
     > secret-keystone-admin.yaml
 kubectl --namespace openstack \
     create secret generic keystone-credential-keys \
     --type Opaque \
     --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \
-    --dry-run -o yaml \
+    --dry-run=client -o yaml \
     > secret-keystone-credential-keys.yaml
 
 kubeseal \
@@ -76,7 +76,7 @@ kubeseal \
     -f secret-nautobot-redis.yaml \
     -w components/01-secrets/encrypted-nautobot-redis.yaml
 
-for skrt in $(find . -name "secret-keystone*.yaml" -depth 1); do
+for skrt in $(find . -maxdepth 1 -name "secret-keystone*.yaml"); do
     encskrt=$(echo "${skrt}" | sed -e 's/secret-/components\/01-secrets\/encrypted-/')
     kubeseal \
         --scope cluster-wide \

shell.nix

@@ -0,0 +1,18 @@
+let
+  nixpkgs = fetchTarball {
+  name = "nixos-unstable-2024-02-20";
+  url = "https://github.com/NixOS/nixpkgs/archive/8a8350636615bb49841af183cf9399289e570738.tar.gz";
+  };
+  pkgs = import nixpkgs { config = {}; overlays = []; };
+in
+
+pkgs.mkShellNoCC {
+  packages = with pkgs; [
+    cmctl
+    kubectl
+    kubernetes-helm
+    kubeseal
+    kustomize
+    yq
+  ];
+}