IBM Public Cloud Support

[csrwng]

No description provided.

[csrwng]

@derekwaynecarr

[derekwaynecarr]

/assign @derekwaynecarr

FYI @smarterclayton @eparis

[sudhaponnaganti]

FYI @jupierce

[sttts]

expecting the owners of the control plane operators here, compare https://github.com/openshift/enhancements/pull/202/files#diff-8d49ecd990d312a72c0ffcdd1784ad05R92.

[csrwng]

@sttts did you mean a different pr? the link above is for this one

[sttts]

No, meant this one. Just expected the owners of the mentioned operators to be informed about these plans by being reviewer of the enhancement.

[csrwng]

Ack, will add more reviewers

[sttts]

has it been discussed what is needed to move that into the customer cluster?

[csrwng]

It hasn't... when we first looked at this, however, we were in a catch 22 situation, where in order to be able to schedule pods we needed the openshift crds and controller functional.

[sttts]

where is this beta control plane operator?

[csrwng]

we're working on it, will be added to the current hypershift-toolkit repo. For the second phase we will create separate repos for each of the control plane controllers.

[sttts]

"regular" means we get a normal CI job in the openshift org making sure our control plane code changes don't break it?

[sttts]

Will the CI job be blocking for OpenShift PRs? E.g. if deployment topology changes and some apiserver suddenly does not serve certain APIs because they moves, their CI will break.

[csrwng]

"regular" means we get a normal CI job in the openshift org making sure our control plane code changes don't break it?

That is the plan. We currently have a periodic job that creates clusters based on the 4.3 branches. One will be added for the master/4.4 branch.

Will the CI job be blocking for OpenShift PRs? E.g. if deployment topology changes and some apiserver suddenly does not serve certain APIs because they moves, their CI will break.

That will be harder. We would require capacity on the IBM Cloud to run that many jobs. Not sure that is feasible right now. The periodic job should block a release, but not individual PRs

[sttts]

We describe those apiserver changes (they are happening, now for oauth) in enhancements. The IBM team has to watch that repo to be informed.

[csrwng]

@deads2k @mfojtik @ironcladlou @spadgett @abhinavdahiya @crawford @miabbott

Please let me know if I should include other reviewers

[spadgett]

Ack, this shouldn't be an issue.

cc @rawagner @andybraren

[andybraren]

I believe Control Plane components would be shown as "Not available" if that's acceptable (better than "Down").

[spadgett]

@andybraren We probably need to remove that since we never expect to have control plane metrics. It's misleading to say not available.

[rawagner]

Agreed, created an issue to track this for 4.5 Dashboards https://issues.redhat.com/browse/MGMT-438

[spadgett]

@csrwng Are there any lingering issues where the console backend rejects the OAuth server certificate in this deployment?

[csrwng]

@spadgett no issue at the moment. Thx!

[miabbott]

cc: @lucab

[lucab]

From an OS point of view, there are at least two things in this proposal that looks uncomfortably hairy to me:

1. There is no mention of which cloud flavor this is trying to target. At a compute level, "IBM Cloud" is really an umbrella label for three different kinds of infrastructure: Classic, Gen 1, and Gen 2.
   Out of those three, only the latter (IMHO) qualifies as a proper environment where we can sanely support provisioning "cattle nodes" with RHCOS and Ignition.
2. This briefly mentions several topics which seem to require host-level customization (e.g. VPN setup, service network, certificate minting, IBM-specific automation) without ever mentioning how the logic for that is containerized and provided to the nodes at provisioning time (i.e. before kubelet is bootstrapped).

In short, the post-GA story is under-specified so it's quite hard to judge it. The rest of the document seems to hint at a heavy UPI+RHEL environment, which offers a lot of escape hatches and is more likely to result in a "pet nodes" provisioning flow.

If that's indeed the priority, then it would be better to descope RHCOS and leave if for "future exploration" (with the risk that it may be very hard or impossible to retrofit). If RHCOS workers are instead a requirement, then clarifying the points above may result in vastly different design and required work.

[cgwalters]

I find this confusing...IBM Public Cloud means a lot of different things, and a sort of baseline obvious one is having OpenShift support the default "self driving" path in their existing IaaS. But I guess we're doing hosted control plane first?

Maybe the enhancement should be called: "IBM Public Cloud Hosted Control Plane" ?

And one thing I would say here is that we should think of this "fairly" - if some other IaaS showed up and was willing to commit significant resources to maintaining a similar thing... clearly vast amounts of the design would likely be shared. But that can come later.

[csrwng]

Absolutely, I think the things we learn from this work is something we can likely reuse in other cases. And perhaps at the proper time, make the pattern something standalone that's configured per provider. So definitely, this non-goal is a point-in-time statement.

[csrwng]

I find this confusing...IBM Public Cloud means a lot of different things, and a sort of baseline obvious one is having OpenShift support the default "self driving" path in their existing IaaS. But I guess we're doing hosted control plane first?

At least in the foreseeable future, supporting the self-hosted path is not a priority afaik, but @derekwaynecarr can likely provide more insight into that.

[cgwalters]

Thanks for writing this enhancement BTW!

I will say I have trouble keeping in my head the fundamental impacts this makes to the default OpenShift 4 "self-driving" ("non-hosted? Need a term...) mode. Particularly given the other fundamental changes going on like the etcd operator that affect how we think of the control plane too.

Maybe we can use "hostedCP" as a shorthand term when discussing this? (HCP is obvious but three letter acronyms are too common etc.)

[csrwng]

In short, the post-GA story is under-specified so it's quite hard to judge it. The rest of the document seems to hint at a heavy UPI+RHEL environment, which offers a lot of escape hatches and is more likely to result in a "pet nodes" provisioning flow.

@lucab thank you for the feedback. Yes, this proposal is definitely under-specified where it comes to RHCOS. It's more a statement that we don't expect to continue supporting IBM cloud without RHCOS forever. We should have a separate enhancement proposal/design specifically for RHCOS, given that as I understand it, the RHCOS team has already done some initial investigations around this.

[cgwalters]

OS upgrades for the worker nodes is owned by the customer? Or does IBM provide tooling for that? Are they using openshift-ansible?

In the "Post-GA" world with RHCOS...do we forsee trying to enable the MCO to manage upgrades for the workers w/RHCOS?

[wking]

Isn't this covered in the Managed Workers section below?

[cgwalters]

The second half is yes, thanks!

[wking]

So compute nodes still run machine-config daemons and cluster admins can write MachineConfig entries, create MachineSets, and all that good stuff? They just don't have any objects representing or control over the control-plane machines?

[derekwaynecarr]

The service is now GA and running 4.4.11, so let's merge this and then make updates to explain usage of Cluster Profile(s).

/approve
/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng, derekwaynecarr, sudhaponnaganti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [derekwaynecarr,sudhaponnaganti]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[lilic]

This part won't be that easy, unless we get provided with a list of it. Also it will not fire if there are no metrics for those components, so don't think its a problem.

[csrwng]

This is what we addressed with openshift/cluster-monitoring-operator#705
No other alerts related to control plane components have surfaced.

[s-urbaniak]

please don't use SLO as an acronym here. It is very commonly used for "Service Level Objectives".

[csrwng]

ack, will do a follow-up to remove.

[s-urbaniak]

for cluster-monitoring: as apiserver monitoring is effectively being disabled when running in "ROKS mode" what is monitoring control plane components on the management cluster?

[csrwng]

IBM is running their own monitoring solution on their management/tugboat clusters.

[s-urbaniak]

Are all edge cases for disabling monitoring of control plane components on the worker clusters covered in openshift/cluster-monitoring-operator#705 ?

[csrwng]

So far yes