Lab execution improvements (#36)
jeho authored Dec 15, 2023
1 parent 4f50e83 commit f8e7a28
Showing 5 changed files with 25 additions and 17 deletions.
13 changes: 7 additions & 6 deletions docs/apps/keycloak.md
Expand Up @@ -17,6 +17,7 @@ Group (team) membership is reflected in the user's 'groups' claim. When this aut
When there are different requirements to use Keycloak for business applications, Keycloak's designated "master" and "otomi" realms may not be used, and an additional realm needs to be created. We refer to the keycloak docs for any custom configuration targeting business applications.

## Instructions

### Create a user in Keycloak

To create users in Keycloak, follow these steps:
Expand All @@ -25,15 +26,15 @@ To create users in Keycloak, follow these steps:
2. Click on `Administration Console`
3. Login with admin credentials (using `otomi-admin` user and password provided in the installer log or the `otomi.adminPassword` provided in the initial values)
4. Select the `Otomi` realm
5. Click on `Users` then `Create user`
5. Click on `Users` then `Add user`
6. Fill in a user name in the `Username` field
7. Fill in your email address in the `Email` field
8. Select `Email verified`
9. Click `Join Groups`
10. Add the user to the required group (Team)
11. Click `Create`
10. Choose the `Credentials` tab and then `Set password`
11. Fill in a password
12. Optional: Make te password `Temporary`. This requires the user to change the password at the first login
13. Click on "Save"
14. Click `Save password`
12. Choose the `Credentials` tab and then `Set password`
13. Fill in a password
14. Optional: Make te password `Temporary`. This requires the user to change the password at the first login
15. Click on "Save"
16. Click `Save password`
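
Review bot: In the password steps at the end of this list, the renumbered step 14 still reads "Make te password `Temporary`" (typo for "the") and keeps the temporary flag optional for a password that the administrator types in. Because the administrator knows that credential, consider recommending `Temporary` as the default so the user has to replace it at first login. Steps 15 and 16 (Click on "Save", then Click `Save password`) use two different quoting styles and read like the same action twice; please confirm both clicks exist in the current UI and format them the same way.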
6 changes: 5 additions & 1 deletion docs/apps/vault.md
Expand Up @@ -4,6 +4,10 @@ title: Hashicorp Vault
sidebar_label: Hashicorp Vault
---

:::note
Hashicorp Vault is being deprecated in Otomi. We are going to replace this app with solution based on SealedSecrets.
:::

HashiCorp Vault is a shared application for securely storing and managing secrets. Read more about Vault [here](https://www.vaultproject.io/docs/what-is-vault).
Vault has been made tenant aware in Otomi. When it is enabled, a space will automatically be created for each team, and only team members are allowed access. Vault is automatically configured to use Otomi's Keycloak OIDC settings to login users through Otomi's SSO.

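Review bot: The new `:::note` says Vault "is being deprecated" and will be replaced "with solution based on SealedSecrets" (missing article: "with a solution"), but it gives no release or timeline and no pointer for teams that already keep secrets in Vault. Suggest stating when the app will be removed and where migration guidance will be published. The note also writes "Hashicorp" while the paragraph directly below it writes "HashiCorp"; pick one spelling.
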
Expand All @@ -23,4 +27,4 @@ kubectl get secret -n vault vault-unseal-keys -o jsonpath='{.data.vault-root}' |

2. Open Vault and sign in with method `token`

3. Paste the token generated in step 1.
3. Paste the token generated in step 1.
12 changes: 4 additions & 8 deletions docs/for-devs/get-started/lab-1.md
Expand Up @@ -18,15 +18,11 @@ We assume the platform administrator has:
- Trivy Operator
- Gatekeeper (with option `Disable validating webhook` set to true)

For the [Use OpenTelemery](lab-27) Lab, the following additional apps need to be activated:
For the [Use OpenTelemery](lab-27) Lab, the Tempo app needs to be enabled together with tracing at `Istio` and `Nginx Ingress` apps.

- Tempo

And tracing for `Istio` and `Nginx Ingress` needs to be enabled.

2. Created a team for you on the platform. In the labs we'll be using a team called `demo`
3. [Created an account](/docs/apps/keycloak#create-a-user-in-keycloak) and added you as a team member to the team group in KeyCloak
4. Provided you with the following information:
1. Created a team called `demo`
2. [Created an account](/docs/apps/keycloak#create-a-user-in-keycloak) and added your user the team group in Keycloak
3. Provided you with the following information:

- The URL to access the Otomi web UI (Otomi Console)
- Your login credentials
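
Review bot: The rewritten prerequisites now start at "1. Created a team called `demo`", where the previous items were numbered 2 to 4, so the new numbering may collide with an item 1 above this hunk; please check how the full list renders. In the new item 2, "added your user the team group in Keycloak" is missing "to" ("added your user to the team group"). The rewritten Tempo sentence also keeps the misspelled link text "Use OpenTelemery", and "tracing at `Istio` and `Nginx Ingress` apps" would read better as "tracing in the `Istio` and `Nginx Ingress` apps".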
6 changes: 4 additions & 2 deletions docs/for-devs/get-started/lab-8.md
Expand Up @@ -8,6 +8,10 @@ sidebar_label: Create secrets
Hashicorp Vault needs to be activated for this lab.
:::

:::note
Hashicorp Vault is being deprecated in Otomi. We are going to replace this app with solution based on SealedSecrets.
:::

When the platform administrator has enabled Vault, you can use Vault to store and manage secrets. Secrets in Vault can be synchronized to your team namespace as Kubernetes secrets. In this part we'll first create a secret in Vault and then sync the secret to your team namespace using the Secrets option in Otomi Console.

## Create a secret in Vault
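
Review bot: This lab now opens with two admonitions back to back, one saying Vault "needs to be activated for this lab" and the added one saying Vault "is being deprecated", without telling the reader whether the lab should still be followed. Suggest merging them into one note that says the lab remains valid while Vault is available, and linking to the deprecation note in docs/apps/vault.md instead of repeating its text here so the two copies cannot drift apart.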
Expand Down Expand Up @@ -59,11 +63,9 @@ The secret is now created in vault. Now we need to synchronize the secret in Vau

- Now click on `Deploy Changes` on top of the left menu


The secret in Vault will now be synchronized to Kubernetes and can be used by the team in any workload. Otomi Console makes this easy by offering a secret selector during the creation of services.

:::info

In this part we only covered using generic secrets. See [here](../console/secrets) to see how you can create TLS and pull secrets
:::

5 changes: 5 additions & 0 deletions docs/for-ops/sre/troubleshooting.md
Expand Up @@ -105,6 +105,11 @@ The external-dns service is registering DNS names to makes sure that the service

Check available storage classes `std` and `fast` exist

### The otomi-pipeline pipeline failure

In the otomi-pipeline execution failure, read carefully last few lines from the ` PipelineRun`` output.
Errors containing: `unable to build kubernetes objects from release manifest: Get "https://10.32.0.1:443/openapi/v2?timeout=32s": net/http: request canceled`string, indicates that the kube-api was not available. Admin can restart the pipeline by triggering webhook from Gitea app. Go to otomi/values repository -> click `Settings`-> select `Webhooks`tab -> click the `Test Delivery` button.

### Advanced

- Describe pv and pvc, check if pv's are `rwo` or `rwx` and look for conflicts
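
Review bot: The inline code in the new section is malformed and will not render as intended: "` PipelineRun``" has a leading space and a doubled closing backtick, and "`string", "`Settings`->" and "`Webhooks`tab" are missing the space after the closing backtick. The quoted error embeds the address `https://10.32.0.1:443`, which is specific to one cluster; suggest telling the reader to match on the stable part ("unable to build kubernetes objects from release manifest" together with "net/http: request canceled") and noting that the address will differ. The heading "The otomi-pipeline pipeline failure" and the opening "In the otomi-pipeline execution failure" would read better as "otomi-pipeline failure" and "When the otomi-pipeline run fails".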
