[DNM] [test only] Test open sgs #2180
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For platforms without a DNS as a Service available, there is a chicken/egg scenario. This is because we cannot setup our own DNS solution on the nodes before they are booted via ignition. Instead, we get the ignition config via a virtual IP that is conifgured and maintained by keepalived. The setup of keepalived will be done via machine-config-operator, so it is not part of this patch. This patch only sets up the plumbing so that we can merge the keepalived work while keeping CI green. Then we can put up a patch that will switch to actually using this functionality. This patch also adds an interface for other platforms that need this functionality to work from. Specifically, these PRs can be rebased on this work: #1873 #1948
The experimental OpenStack backend used to create an extra server running DNS and load balancer services that the cluster needed. OpenStack does not always come with DNSaaS or LBaaS so we had to provide the functionality the OpenShift cluster depends on (e.g. the etcd SRV records, the api-int records & load balancing, etc.). This approach is undesirable for two reasons: first, it adds an extra node that the other IPI platforms do not need. Second, this node is a single point of failure. The Baremetal platform has faced the same issues and they have solved them with a few virtual IP addresses managed by keepalived in combination with coredns static pod running on every node using the mDNS protocol to update records as new nodes are added or removed and a similar static pod haproxy to load balance the control plane internally. The VIPs are defined here in the installer and they use the PlatformStatus field to be passed to the necessary machine-config-operator fields: openshift/api#374 The Bare Metal IPI Networking Infrastructure document is applicable here as well: https://github.com/openshift/installer/blob/master/docs/design/baremetal/networking-infrastructure.md There is also a great opportunity to share some of the configuration files and scripts here. This change needs several other pull requests: Keepalived plus the coredns & haproxy static pods in the MCO: openshift/machine-config-operator#740 Passing the API and DNS VIPs through the installer: #1998 Co-authored-by: Emilio Garcia <[email protected]> Co-authored-by: John Trowbridge <[email protected]> Co-authored-by: Martin Andre <[email protected]> Co-authored-by: Tomas Sedovic <[email protected]> Massive thanks to the Bare Metal and oVirt people!
This adds validations that verify the OpenStack VIPs have the expected values. These are currently not expected to be configured by the user so they're just compared to the expected values. Since the MachineCIDR is not part of the Platform struct, we need to pass it to OpenStack's ValidatePlatform.
Previously the service VM would proxy all traffic to the masters and workers. With this new architecture the worker nodes are addressed via an ingress VIP local to the cluster, and need to be reachable from the outside in order to serve the *.apps. We're attaching a floating IP to the port, that maps to the ingress VIP shared among the workers.
The `APIVIP`, `DNSVIP` and `IngressVIP` values not supposed to be user-configurable. They're set by the installer and setting them to a value other than the expected one will likely result in an error. Therefore, this removes them from `InstallConfig.Platform` in favour of free functions that return the expected values.
We'd removed the VIPs from the install-config, but not the test data itself.
This should let us log into the bootstrap node to see what's going on. This is a workaround until we've got must-gather implemented.
Contributor
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: tomassedovic The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
size/XXL
Contributor
Author
|
/label platform/openstack |
Contributor
Author
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
Contributor
Author
|
/close |
Contributor
|
@tomassedovic: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Contributor
|
@tomassedovic: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
another investigative PR for the bizzare CI stuff we're seeing for #1959
This adds opens all SGs (maybe we've missed some?) as well as adds SSH keys so we can log in to the bootstrap node and investigate what's wrong.