Changes required for 4.1.0-rc3 #523
Conversation
russellb
left a comment
russellb
left a comment
There was a problem hiding this comment.
I wonder if this is still the right registry, even for a public release. Do you know?
|
looks like it should be on quay.io/openshift-release-dev/ocp-release |
|
It does work with this url, but seems to end up redirecting to quay in the end |
russellb
left a comment
russellb
left a comment
There was a problem hiding this comment.
Switching will drop the need for the extra CI registry pull secret
Confirmed: |
|
We should also look at #401 - if that's ready, would be good to base our next update on this new approach |
|
I’ve been watching the work on that. I agree, would like to use that process. Looks like a few things left to do on the checklist at the top of the PR before it’s ready. |
stbenjam
changed the title
stbenjam
changed the title
vm-setup/roles/common/tasks/main.yml
Outdated
| - ip: "{{ baremetal_network_cidr | nthhost(5) }}" | ||
| hostnames: | ||
| - "api" | ||
| - "api-int" |
There was a problem hiding this comment.
This change is still needed, at least for now - the masters are pointing at dnsmasq when they come up and they get their ignition config from api-int
There was a problem hiding this comment.
I guess this is fine as an interim solution in the VM case, but how do we avoid requiring a new DNS record for the API VIP in the baremetal case? cc @celebdor and @cybertron
There was a problem hiding this comment.
The solution is to get the VIPs from install config and serve them in coredns (and make ignition fetch from VIP instead of api)
There was a problem hiding this comment.
openshift-metal3/kni-installer#77 makes api-int available from coredns. We'll still need the change to point ignition at the VIP instead of a DNS name though.
There was a problem hiding this comment.
If I'm looking in the right place, doesn't ignition happen using HTTPS, verifying the hostname and certificate? The endpoint is also not platform specific: how do we make that work?
There was a problem hiding this comment.
We also need to tweak the certificate so it includes the VIP in addition to the DNS name. Some work has been done in that direction by other teams and I need to look at getting it integrated into our fork of the installer.
|
I was able to get a successful 4.1.0 rc.3 install, using the PR's |
|
Ah sorry this will need a rebase since vm-setup moved to metal3-dev-env - I wonder if we should parameterize some of |
|
@stbenjam want to add a checklist at the top listing what needs to be done before we can merge? Finding it hard to follow ... |
Sounds good, but I think the main remaining item is to resolve the api-int DNS solution, what's proposed here will only work for VMs AFAICS and we want to avoid requiring those testing baremetal to create another upstream DNS record for the "internal" VIP. So we need to figure out how ignition can resolve the IP in both VM and baremetal cases, which as mentioned by @stbenjam is tricky as I don't think we can just replace the hostname with an IP, and the resolv.conf additions don't happen until after the ignition/pivot happens, so we have a chicken/egg problem? |
|
I updated the description with the checklist. I'll rebase this PR when I'm at my workstation. Essentially, |
Thanks for the explanation. I suggest we proceed with rebasing ASAP and add "remove the need for an api-int DNS entry on baremetal" to our backlog? |
|
@hardys I rebased, and moved the api-int change here: metal3-io/metal3-dev-env#8 That's a bit specific to openshift, isn't it? Maybe we should parametrize those records in that role? |
Thanks! And yes, as mentioned in my earlier comment we probably should parameterize/sanitize some of that but I missed it in my earlier refactoring - I can take a look unless you've already started something? |
stbenjam
force-pushed
the
rc-pin
branch
3 times, most recently
from
613fdf9 to
176d9fd
Compare
|
I just pushed #536 which would enable us to add api-int via a variable only to dev-scripts, it will need to be merged together with metal3-io/metal3-dev-env#9 |
- update structure of cluster-image-registry-operator config object to match openshift/release#3548 - host-etcd moved from kube-system namespace to openshift-etcd
|
We should be able to proceed with |
|
Updated the pin, and I'm testing a new deployment right now. Thanks! |
|
It comes up fine, but hitting an issue on worker deployments. Based on discussion in slack, it sounds like it's pre-existing on 4.0 as well. The worker node shows "Node not found hook failed: Port 00:f6:ff:4d:bb:31 already exists" when it boots |
This isn't the real error. You see this because we haven't actually provisioned the worker host at all, and the baremetal-operator powers on hosts that aren't provisioned if we have The real error is up in the cluster-api integration that prevented the worker from being provisioned. See #537 (comment) |
7 participants
Changes required for update to RC.3