openshift · openshift-merge-robot · Aug 30, 2019 · Aug 29, 2019 · Aug 29, 2019 · Aug 29, 2019
diff --git a/docs/user/gcp/install_upi.md b/docs/user/gcp/install_upi.md
@@ -6,14 +6,26 @@ completing these steps or to help model your own. You are also free to create
 the required resources through other methods; the templates are just an
 example.
 
+## Prerequisites
+
+* all prerequisites from [README](README.md)
+* the following binaries installed and in $PATH:
+  * gcloud
+  * gsutil
+* gcloud authenticated to an account with [additional](iam.md) roles:
+  * Deployment Manager Editor
+* the following API Services enabled:
+  * Cloud Deployment Manager V2 API (deploymentmanager.googleapis.com)
+
 ## Create Ignition configs
 
 The machines will be started manually. Therefore, it is required to generate
 the bootstrap and machine Ignition configs and store them for later steps.
-Use [a staged install](../overview.md#multiple-invocations) to remove the
-control-plane Machines and compute MachineSets, because we'll be providing
-those ourselves and don't want to involve
-[the machine-API operator][machine-api-operator].
+Use a [staged install](../overview.md#multiple-invocations) to enable desired customizations.
+
+### Create an install config
+
+Create an install configuration as for [the usual approach](install.md#create-configuration).
 
 ```console
 $ openshift-install create install-config
@@ -26,29 +38,61 @@ $ openshift-install create install-config
 ? Pull Secret [? for help]
 ```
 
-Edit the resulting `openshift-install.yaml` to set `replicas` to 0 for the `compute` pool:
+### Empty the compute pool (optional)
 
-```console
-$ sed -i '1,/replicas: / s/replicas: .*/replicas: 0/' install-config.yaml
+If you do not want the cluster to provision compute machines, edit the resulting `install-config.yaml` to set `replicas` to 0 for the `compute` pool.
+
+```sh
+python -c '
+import yaml;
+path = "install-config.yaml";
+data = yaml.full_load(open(path));
+data["compute"][0]["replicas"] = 0;
+open(path, "w").write(yaml.dump(data, default_flow_style=False))'
 ```
 
-Create manifests to get access to the control-plane Machines and compute MachineSets:
+### Create manifests
+
+Create manifest to enable customizations which are not exposed via the install configuration.
 
 ```console
 $ openshift-install create manifests
 INFO Consuming "Install Config" from target directory
 ```
 
-From the manifest assets, remove the control-plane Machines and the compute MachineSets:
+### Remove control plane machines
 
-```console
-$ rm -f openshift/99_openshift-cluster-api_master-machines-*.yaml
-$ rm -f openshift/99_openshift-cluster-api_worker-machineset-*.yaml
+Remove the control plane machines from the manifests.
+We'll be providing those ourselves and don't want to involve [the machine-API operator][machine-api-operator].
+
+```sh
+rm -f openshift/99_openshift-cluster-api_master-machines-*.yaml
+```
+
+### Remove compute machinesets (Optional)
+
+If you do not want the cluster to provision compute machines, remove the compute machinesets from the manifests as well.
+
+```sh
+rm -f openshift/99_openshift-cluster-api_worker-machineset-*.yaml
 ```
 
-You are free to leave the compute MachineSets in if you want to create compute
-machines via the machine API, but if you do you may need to update the various
-references (`subnetwork`, etc.) to match your environment.
+### Remove DNS Zones (Optional)
+
+If you don't want [the ingress operator][ingress-operator] to create DNS records on your behalf, remove the `privateZone` and `publicZone` sections from the DNS configuration.
+If you do so, you'll need to [add ingress DNS records manually](#add-the-ingress-dns-records-optional) later on.
+
+```sh
+python -c '
+import yaml;
+path = "manifests/cluster-dns-02-config.yml";
+data = yaml.full_load(open(path));
+del data["spec"]["publicZone"];
+del data["spec"]["privateZone"];
+open(path, "w").write(yaml.dump(data, default_flow_style=False))'
+```
+
+### Create Ignition configs
 
 Now we can create the bootstrap Ignition configs.
 
@@ -69,7 +113,7 @@ $ tree
 └── worker.ign
 ```
 
-### Extract infrastructure name from Ignition metadata
+## Extract infrastructure name from Ignition metadata
 
 By default, Ignition generates a unique cluster identifier comprised of the
 cluster name specified during the invocation of the installer and a short
@@ -94,6 +138,7 @@ export NETWORK_CIDR='10.0.0.0/16'
 export MASTER_SUBNET_CIDR='10.0.0.0/19'
 export WORKER_SUBNET_CIDR='10.0.32.0/19'
 
+export KUBECONFIG=auth/kubeconfig
 export CLUSTER_NAME=`jq -r .clusterName metadata.json`
 export INFRA_ID=`jq -r .infraID metadata.json`
 export PROJECT_NAME=`jq -r .gcp.projectID metadata.json`
@@ -273,7 +318,7 @@ Copy [`04_bootstrap.py`](../../../upi/gcp/04_bootstrap.py) locally.
 Export variables needed by the resource definition.
 
 ```sh
-export CONTROL_SUBNET=`gcloud compute networks subnets describe ${INFRA_ID}-master-subnet --format json | jq -r .selfLink`
+export CONTROL_SUBNET=`gcloud compute networks subnets describe ${INFRA_ID}-master-subnet --region=${REGION} --format json | jq -r .selfLink`
 export CLUSTER_IMAGE=`gcloud compute images describe ${INFRA_ID}-rhcos-image --format json | jq -r .selfLink`
 ```
 
@@ -332,8 +377,8 @@ The templates do not manage load balancer membership due to limitations of Deplo
 Manager, so we must add the bootstrap node manually.
 
 ```sh
-gcloud compute target-pools add-instances ${INFRA_ID}-api-target-pool --instances=${INFRA_ID}-bootstrap
-gcloud compute target-pools add-instances ${INFRA_ID}-ign-target-pool --instances=${INFRA_ID}-bootstrap
+gcloud compute target-pools add-instances ${INFRA_ID}-api-target-pool --instances-zone="${REGION}-a" --instances=${INFRA_ID}-bootstrap
+gcloud compute target-pools add-instances ${INFRA_ID}-ign-target-pool --instances-zone="${REGION}-a" --instances=${INFRA_ID}-bootstrap
 ```
 
 ## Launch permanent control plane
@@ -404,19 +449,8 @@ gcloud dns record-sets transaction add \
 gcloud dns record-sets transaction execute --zone ${INFRA_ID}-private-zone
 ```
 
-## Monitor for `bootstrap-complete`
-
-```console
-$ openshift-install wait-for bootstrap-complete
-INFO Waiting up to 30m0s for the Kubernetes API at https://api.test.example.com:6443...
-INFO API v1.12.4+c53f462 up
-INFO Waiting up to 30m0s for the bootstrap-complete event...
-```
-## Pivot load balancers to control plane
-
-The bootstrap node can now be removed from the load balancers.
-
-First, the control plane needs to be added.
+The templates do not manage load balancer membership due to limitations of Deployment
+Manager, so we must add the control plane nodes manually.
 
 ```sh
 gcloud compute target-pools add-instances ${INFRA_ID}-api-target-pool --instances-zone="${REGION}-a" --instances=${INFRA_ID}-m-0
@@ -427,17 +461,22 @@ gcloud compute target-pools add-instances ${INFRA_ID}-ign-target-pool --instance
 gcloud compute target-pools add-instances ${INFRA_ID}-ign-target-pool --instances-zone="${REGION}-c" --instances=${INFRA_ID}-m-2
 ```
 
-Then, the bootstrap node can be removed.
+## Monitor for `bootstrap-complete`
 
-``` sh
-gcloud compute target-pools remove-instances ${INFRA_ID}-api-target-pool --instances=${INFRA_ID}-bootstrap
-gcloud compute target-pools remove-instances ${INFRA_ID}-ign-target-pool --instances=${INFRA_ID}-bootstrap
+```console
+$ openshift-install wait-for bootstrap-complete
+INFO Waiting up to 30m0s for the Kubernetes API at https://api.test.example.com:6443...
+INFO API v1.12.4+c53f462 up
+INFO Waiting up to 30m0s for the bootstrap-complete event...
 ```
+
 ## Destroy bootstrap resources
 
 At this point, you should delete the bootstrap resources.
 
 ```sh
+gcloud compute target-pools remove-instances ${INFRA_ID}-api-target-pool --instances-zone="${REGION}-a" --instances=${INFRA_ID}-bootstrap
+gcloud compute target-pools remove-instances ${INFRA_ID}-ign-target-pool --instances-zone="${REGION}-a" --instances=${INFRA_ID}-bootstrap
 gsutil rm gs://${INFRA_ID}-bootstrap-ignition/bootstrap.ign
 gsutil rb gs://${INFRA_ID}-bootstrap-ignition
 gcloud deployment-manager deployments delete ${INFRA_ID}-bootstrap
@@ -458,7 +497,7 @@ Copy [`06_worker.py`](../../../upi/gcp/06_worker.py) locally.
 Export variables needed by the resource definition.
 
 ```sh
-export COMPUTE_SUBNET=`gcloud compute networks subnets describe ${INFRA_ID}-worker-subnet --format json | jq -r .selfLink`
+export COMPUTE_SUBNET=`gcloud compute networks subnets describe ${INFRA_ID}-worker-subnet --region=${REGION} --format json | jq -r .selfLink`
 export WORKER_SERVICE_ACCOUNT_EMAIL=`gcloud iam service-accounts list | grep "^${INFRA_ID}-worker-node " | awk '{print $2}'`
 export WORKER_IGNITION=`cat worker.ign`
 ```
@@ -502,13 +541,13 @@ Create the deployment using gcloud.
 gcloud deployment-manager deployments create ${INFRA_ID}-worker --config 06_worker.yaml
 ```
 
-#### Approving the CSR requests for nodes
+### Approving the CSR requests for nodes
 
 The CSR requests for client and server certificates for nodes joining the cluster will need to be approved by the administrator.
+Nodes that have not been provisioned by the cluster need their associated `system:serviceaccount` certificate approved to join the cluster.
 You can view them with:
 
 ```console
-$ export KUBECONFIG=./auth/kubeconfig
 $ oc get csr
 NAME        AGE     REQUESTOR                                                                   CONDITION
 csr-8b2br   15m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
@@ -526,6 +565,48 @@ CSRs can be approved by name, for example:
 oc adm certificate approve csr-bfd72
 ```
 
+## Add the Ingress DNS Records (Optional)
+
+If you removed the DNS Zone configuration [earlier](#remove-dns-zones), you'll need to manually create some DNS records pointing at the ingress load balancer.
+You can create either a wildcard `*.apps.{baseDomain}.` or specific records (more on the specific records below).
+You can use A, CNAME, etc. records, as you see fit.
+
+You must wait for the ingress-router to create a load balancer and populate the `EXTERNAL-IP`
+
+```console
+$ oc -n openshift-ingress get service router-default
+NAME             TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
+router-default   LoadBalancer   172.30.18.154   35.233.157.184   80:32288/TCP,443:31215/TCP   98
+```
+
+Then create the A record to your public and private zones.
+
+```sh
+export ROUTER_IP=`oc -n openshift-ingress get service router-default --no-headers | awk '{print $4}'`
+
+if [ -f transaction.yaml ]; then rm transaction.yaml; fi
+gcloud dns record-sets transaction start --zone ${BASE_DOMAIN_ZONE_NAME}
+gcloud dns record-sets transaction add ${ROUTER_IP} --name \*.apps.${CLUSTER_NAME}.${BASE_DOMAIN}. --ttl 300 --type A --zone ${BASE_DOMAIN_ZONE_NAME}
+gcloud dns record-sets transaction execute --zone ${BASE_DOMAIN_ZONE_NAME}
+
+if [ -f transaction.yaml ]; then rm transaction.yaml; fi
+gcloud dns record-sets transaction start --zone ${INFRA_ID}-private-zone
+gcloud dns record-sets transaction add ${ROUTER_IP} --name \*.apps.${CLUSTER_NAME}.${BASE_DOMAIN}. --ttl 300 --type A --zone ${INFRA_ID}-private-zone
+gcloud dns record-sets transaction execute --zone ${INFRA_ID}-private-zone
+```
+
+If you prefer to add explicit domains instead of using a wildcard, you can create entries for each of the cluster's current routes:
+
+```console
+$ oc get --all-namespaces -o jsonpath='{range .items[*]}{range .status.ingress[*]}{.host}{"\n"}{end}{end}' routes
+oauth-openshift.apps.your.cluster.domain.example.com
+console-openshift-console.apps.your.cluster.domain.example.com
+downloads-openshift-console.apps.your.cluster.domain.example.com
+alertmanager-main-openshift-monitoring.apps.your.cluster.domain.example.com
+grafana-openshift-monitoring.apps.your.cluster.domain.example.com
+prometheus-k8s-openshift-monitoring.apps.your.cluster.domain.example.com
+```
+
 ## Monitor for cluster completion
 
 ```console
@@ -536,7 +617,6 @@ INFO Waiting up to 30m0s for the cluster to initialize...
 Also, you can observe the running state of your cluster pods:
 
 ```console
-$ export KUBECONFIG=./auth/kubeconfig
 $ oc get clusterversion
 NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
 version             False       True          24m     Working towards 4.2.0-0.okd-2019-08-05-204819: 99% complete
@@ -590,4 +670,5 @@ openshift-service-catalog-controller-manager-operator   openshift-service-catalo
 ```
 
 [deploymentmanager]: https://cloud.google.com/deployment-manager/docs
+[ingress-operator]: https://github.com/openshift/cluster-ingress-operator
 [machine-api-operator]: https://github.com/openshift/machine-api-operator