You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/operator-service-manager/best-practices-onboard-deploy.md
+12-29Lines changed: 12 additions & 29 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -274,56 +274,40 @@ The component name is defined in the NFDV:
274
274
275
275
## Cleanup considerations
276
276
277
-
Delete operator resources in the following order to make sure no orphaned resources are left behind:
278
-
277
+
### Operator Resources
278
+
As the first step towards cleaning up a deployed environment, start by deleting operator resources in the following order:
279
279
- SNS
280
280
- Site
281
281
- CGV
282
282
283
-
> [!IMPORTANT]
284
-
> Make sure SNS is deleted before you delete the NFDV.
283
+
Only once these operator resources are succesfully deleted, should a user proceed to delete other environment resources, such as the NAKS cluster.
285
284
286
-
Delete publisher resources in the following order to make sure no orphaned resources are left behind:
285
+
> [!IMPORTANT]
286
+
> Deleting resources out of order can result in orphaned resources left behind.
287
287
288
-
- CGS
288
+
### Publisher Resources
289
+
As the first step towards cleaning up an onboarded environment, start by deleting publisher resources in the following order:
289
290
- NSDV
290
291
- NSDG
292
+
293
+
> [!IMPORTANT]
294
+
> Make sure SNS is deleted before you delete the NFDV.
295
+
291
296
- NFDV
292
297
- NFDG
293
298
- Artifact Manifest
294
299
- Artifact Store
295
300
- Publisher
296
301
297
-
## Considerations if your NF runs cert-manager
298
-
299
302
> [!IMPORTANT]
300
-
> This guidance applies only to certain releases. Check your version for proper behavior.
301
-
302
-
From release 1.0.2728-50 to release Version 2.0.2777-132, AOSM uses cert-manager to store and rotate certificates. As part of this change, AOSM deploys a cert-manager operator, and associate CRDs, in the azurehybridnetwork namespace. Since having multiple cert-manager operators, even deployed in separate namespaces, will watch across all namespaces, only one cert-manager can be effectively run on the cluster.
303
-
304
-
Any user trying to install cert-manager on the cluster, as part of a workload deployment, will get a deployment failure with an error that the CRD “exists and cannot be imported into the current release.” To avoid this error, the recommendation is to skip installing cert-manager, instead take dependency on cert-manager operator and CRD already installed by AOSM.
305
-
306
-
### Other Configuration Changes to Consider
307
-
308
-
In addition to disabling the NfApp associated with the old user cert-manager, we have found other changes may be needed;
309
-
1. If one NfApp contains both cert-manager and the CA installation, these must broken into two NfApps, so that the partner can disable cert-manager but enable CA installation.
310
-
2. If any other NfApps have DependsOn references to the old user cert-manager NfApp, these will need to be removed.
311
-
3. If any other NfApps reference the old user cert-manager namespace value, this will need to be changed to the new azurehybridnetwork namespace value.
312
-
313
-
### Cert-Manager Version Compatibility & Management
314
-
315
-
For the cert-manager operator, our current deployed version is 1.14.5. Users should test for compatibility with this version. Future cert-manager operator upgrades will be supported via the NFO extension upgrade process.
316
-
317
-
For the CRD resources, our current deployed version is 1.14.5. Users should test for compatibility with this version. Since management of a common cluster CRD is something typically handled by a cluster administrator, we are working to enable CRD resource upgrades via standard Nexus Add-on process.
303
+
> Deleting resources out of order can result in orphaned resources left behind.
318
304
319
305
## NfApp Sequential Ordering Behavior
320
306
321
307
### Overview
322
-
323
308
By default, containerized network function applications (NfApps) are installed or updated based on the sequential order in which they appear in the network function design version (NFDV). For delete, the NfApps are deleted in the reverse order sepcified. Where a publisher needs to define specific ordering of NfApps, different from the default, a dependsOnProfile is used to define a unique sequence for install, update and delete operations.
324
309
325
310
### How to use dependsOnProfile
326
-
327
311
A publisher can use the dependsOnProfile in the NFDV to control the sequence of helm executions for NfApps. Given the following example, on install operation the NfApps will be deployed in the following order: dummyApplication1, dummyApplication2, then dummyApplication. On update operation, the NfApps will be updated in the following order: dummyApplication2, dummyApplication1, then dummyApplication. On delete operation, the NfApps will be deleted in the following order: dummyApplication2, dummyApplication1, then dummyApplication.
328
312
329
313
```json
@@ -373,7 +357,6 @@ A publisher can use the dependsOnProfile in the NFDV to control the sequence of
373
357
```
374
358
375
359
### Common Errors
376
-
377
360
As of today, if dependsOnProfile provided in the NFDV is invalid, the NF operation will fail with a validation error. The validation error message is shown in the operation status resource and looks similar to the following example.
Copy file name to clipboardExpand all lines: articles/operator-service-manager/release-notes.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -75,7 +75,7 @@ Through Microsoft’s Secure Future Initiative (SFI), this release delivers the
75
75
76
76
* NFO - Signing of helm package used by network function extension.
77
77
* NFO - Signing of core image used by network function extension.
78
-
* NFO - Use of Cert-manager for service certificate management and rotation. This change can result in failed SNS deployments if not properly reconciled. For guidance on the impact of this change, see our [best practice recommendations](best-practices-onboard-deploy.md#considerations-if-your-nf-runs-cert-manager).
78
+
* NFO - Use of Cert-manager for service certificate management and rotation. This change can result in failed SNS deployments if not properly reconciled.
79
79
* NFO - Automated refresh of AOSM certificates during extension installation.
80
80
* NFO - A dedicated service account for the preupgrade job to safeguard against modifications to the existing network function extension service account.
81
81
* RP - The service principles (SPs) used for deploying site & Network Function (NF) now require “Microsoft.ExtendedLocation/customLocations/read” permission. The SPs that deploy day N scenario now require "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action" permission. This change can result in failed SNS deployments if not properly reconciled
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments