From f8e7a28fcfc2c87703eace8801fff3b6d54180bd Mon Sep 17 00:00:00 2001 From: jeho Date: Fri, 15 Dec 2023 08:43:10 +0100 Subject: [PATCH] Lab execution improvements (#36) --- docs/apps/keycloak.md | 13 +++++++------ docs/apps/vault.md | 6 +++++- docs/for-devs/get-started/lab-1.md | 12 ++++-------- docs/for-devs/get-started/lab-8.md | 6 ++++-- docs/for-ops/sre/troubleshooting.md | 5 +++++ 5 files changed, 25 insertions(+), 17 deletions(-) diff --git a/docs/apps/keycloak.md b/docs/apps/keycloak.md index f24e35697..eb8c7b4e1 100644 --- a/docs/apps/keycloak.md +++ b/docs/apps/keycloak.md @@ -17,6 +17,7 @@ Group (team) membership is reflected in the user's 'groups' claim. When this aut When there are different requirements to use Keycloak for business applications, Keycloak's designated "master" and "otomi" realms may not be used, and an additional realm needs to be created. We refer to the keycloak docs for any custom configuration targeting business applications. ## Instructions + ### Create a user in Keycloak To create users in Keycloak, follow these steps: 
@@ -25,15 +26,15 @@ To create users in Keycloak, follow these steps: 2. Click on `Administration Console` 3. Login with admin credentials (using `otomi-admin` user and password provided in the installer log or the `otomi.adminPassword` provided in the initial values) 4. Select the `Otomi` realm -5. Click on `Users` then `Create user` +5. Click on `Users` then `Add user` 6. Fill in a user name in the `Username` field 7. Fill in your email address in the `Email` field 8. Select `Email verified` 9. Click `Join Groups` 10. Add the user to the required group (Team) 11. Click `Create` -10. Choose the `Credentials` tab and then `Set password` -11. Fill in a password -12. Optional: Make te password `Temporary`. This requires the user to change the password at the first login -13. Click on "Save" -14. Click `Save password` +12. Choose the `Credentials` tab and then `Set password` +13. Fill in a password +14. Optional: Make te password `Temporary`. This requires the user to change the password at the first login +15. Click on "Save" +16. Click `Save password` diff --git a/docs/apps/vault.md b/docs/apps/vault.md index 0f1ac9e9a..5be349326 100644 --- a/docs/apps/vault.md +++ b/docs/apps/vault.md @@ -4,6 +4,10 @@ title: Hashicorp Vault sidebar_label: Hashicorp Vault --- +:::note +Hashicorp Vault is being deprecated in Otomi. We are going to replace this app with solution based on SealedSecrets. +::: + HashiCorp Vault is a shared application for securely storing and managing secrets. Read more about Vault [here](https://www.vaultproject.io/docs/what-is-vault). Vault has been made tenant aware in Otomi. When it is enabled, a space will automatically be created for each team, and only team members are allowed access. Vault is automatically configured to use Otomi's Keycloak OIDC settings to login users through Otomi's SSO. 
@@ -23,4 +27,4 @@ kubectl get secret -n vault vault-unseal-keys -o jsonpath='{.data.vault-root}' | 2. Open Vault and sign in with method `token` -3. Paste the token generated in step 1. \ No newline at end of file +3. Paste the token generated in step 1. diff --git a/docs/for-devs/get-started/lab-1.md b/docs/for-devs/get-started/lab-1.md index 3d15dc433..1695ea11a 100644 --- a/docs/for-devs/get-started/lab-1.md +++ b/docs/for-devs/get-started/lab-1.md @@ -18,15 +18,11 @@ We assume the platform administrator has: - Trivy Operator - Gatekeeper (with option `Disable validating webhook` set to true) -For the [Use OpenTelemery](lab-27) Lab, the following additional apps need to be activated: +For the [Use OpenTelemery](lab-27) Lab, the Tempo app needs to be enabled together with tracing at `Istio` and `Nginx Ingress` apps. -- Tempo - -And tracing for `Istio` and `Nginx Ingress` needs to be enabled. - -2. Created a team for you on the platform. In the labs we'll be using a team called `demo` -3. [Created an account](/docs/apps/keycloak#create-a-user-in-keycloak) and added you as a team member to the team group in KeyCloak -4. Provided you with the following information: +1. Created a team called `demo` +2. [Created an account](/docs/apps/keycloak#create-a-user-in-keycloak) and added your user the team group in Keycloak +3. Provided you with the following information: - The URL to access the Otomi web UI (Otomi Console) - Your login credentials diff --git a/docs/for-devs/get-started/lab-8.md b/docs/for-devs/get-started/lab-8.md index 29c28e0c9..ec5427987 100644 --- a/docs/for-devs/get-started/lab-8.md +++ b/docs/for-devs/get-started/lab-8.md 
@@ -8,6 +8,10 @@ sidebar_label: Create secrets Hashicorp Vault needs to be activated for this lab. ::: +:::note +Hashicorp Vault is being deprecated in Otomi. We are going to replace this app with solution based on SealedSecrets. +::: + When the platform administrator has enabled Vault, you can use Vault to store and manage secrets. Secrets in Vault can be synchronized to your team namespace as Kubernetes secrets. In this part we'll first create a secret in Vault and then sync the secret to your team namespace using the Secrets option in Otomi Console. ## Create a secret in Vault @@ -59,11 +63,9 @@ The secret is now created in vault. Now we need to synchronize the secret in Vau - Now click on `Deploy Changes` on top of the left menu - The secret in Vault will now be synchronized to Kubernetes and can be used by the team in any workload. Otomi Console makes this easy by offering a secret selector during the creation of services. :::info In this part we only covered using generic secrets. See [here](../console/secrets) to see how you can create TLS and pull secrets ::: - diff --git a/docs/for-ops/sre/troubleshooting.md b/docs/for-ops/sre/troubleshooting.md index 47cefcd55..0a3bc2f67 100644 --- a/docs/for-ops/sre/troubleshooting.md +++ b/docs/for-ops/sre/troubleshooting.md 
@@ -105,6 +105,11 @@ The external-dns service is registering DNS names to makes sure that the service Check available storage classes `std` and `fast` exist +### The otomi-pipeline pipeline failure + +In the otomi-pipeline execution failure, read carefully last few lines from the ` PipelineRun`` output. +Errors containing: `unable to build kubernetes objects from release manifest: Get "https://10.32.0.1:443/openapi/v2?timeout=32s": net/http: request canceled`string, indicates that the kube-api was not available. Admin can restart the pipeline by triggering webhook from Gitea app. Go to otomi/values repository -> click `Settings`-> select `Webhooks`tab -> click the `Test Delivery` button. + ### Advanced - Describe pv and pvc, check if pv's are `rwo` or `rwx` and look for conflicts
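Review bot: the renumbered step 14 in the docs/apps/keycloak.md hunk still carries the typo `Make te password` (should be `Make the password`); since the line is rewritten anyway, fix it in this change. On the same step, consider recommending `Temporary` rather than leaving it as "Optional": the password is set by the administrator, and forcing a change at first login is the only thing that keeps the admin from knowing the user's working credential.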
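Review bot: the new admonition in docs/apps/vault.md is missing an article (`replace this app with a solution based on SealedSecrets`) and, more importantly, gives no timeline and no migration path. A deprecation note on a secrets store should say what happens to secrets already written to Vault and to the Vault-to-Kubernetes sync that the docs below this note and docs/for-devs/get-started/lab-8.md still describe, or at least point to where that guidance will live. The same paragraph is pasted verbatim into lab-8.md; either reference a single source or make sure both copies are updated together.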
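Review bot: the docs/for-devs/get-started/lab-1.md hunk keeps the typo `Use OpenTelemery` in the rewritten link text (it should read `Use OpenTelemetry`) and drops a word in `added your user the team group in Keycloak` (`added your user to the team group`). The collapsed sentence `the Tempo app needs to be enabled together with tracing at \`Istio\` and \`Nginx Ingress\` apps` reads awkwardly; suggest `the Tempo app must be enabled, and tracing must be turned on in the \`Istio\` and \`Nginx Ingress\` apps`. Also check that renumbering the items from 2-4 to 1-3 matches the numbered item that precedes the Trivy/Gatekeeper bullet list (not shown in the hunk), otherwise the rendered list restarts at 1 in the middle of the prerequisites.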
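Review bot: the note added to docs/for-devs/get-started/lab-8.md has the same missing article as the vault.md copy (`with a solution based on SealedSecrets`), and it sits directly above a lab whose every step writes secrets into Vault. One sentence telling the reader whether the lab is still the supported way to create team secrets, or whether they should wait for the SealedSecrets-based flow, would avoid the obvious question.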
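Review bot: the markdown in the new docs/for-ops/sre/troubleshooting.md section is broken and will not render as intended: the heading repeats a word (`The otomi-pipeline pipeline failure`, suggest `otomi-pipeline failures`), the inline code `\` PipelineRun\`\`` has a leading space and a doubled closing backtick, and `request canceled\`string, indicates` is missing a space and should read `indicate`. Two content points as well: `10.32.0.1:443` is this cluster's kubernetes service ClusterIP and will differ elsewhere, so say so or use a placeholder, and the `Test Delivery` button only re-sends the Gitea webhook, so it is a retry rather than a fix; advise confirming the API server is healthy first (for example `kubectl get --raw /readyz`) before re-triggering the pipeline.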