
@jhixson74
Member

This gives the install the ability to install an OpenShift cluster on Azure as
internal/private, which is only accessible from an internal network and not
visible on the Internet.

https://jira.coreos.com/browse/CORS-1227

@openshift-ci-robot openshift-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Oct 17, 2019
@jhixson74 jhixson74 force-pushed the master_azure_no_public_endpoints branch from 91406ea to 0c2fe22 Compare October 17, 2019 18:52
@jhixson74
Member Author

/test e2e-azure

@jhixson74 jhixson74 force-pushed the master_azure_no_public_endpoints branch from 0c2fe22 to 4ce5271 Compare October 17, 2019 20:30
@ironcladlou
Contributor

@abhinavdahiya @crawford @jhixson74

Would it be useful to tease apart the Azure-ness of this PR and extract the new generic PublishingStrategy support into a separate PR? Once #2523 lands I would like to use the new field for an ingress PR.

Or, any feeling for when this PR will merge?

@abhinavdahiya
Contributor

@ironcladlou 31a9d52 is a little fleshed out version of publish, and #2526 is only waiting for review from @wking

So as soon as #2526 lands you can start looking at it. Also feel free to take that commit and work up a PR to unblock too.

@jhixson74 jhixson74 force-pushed the master_azure_no_public_endpoints branch 3 times, most recently from 6c9def9 to 8291f56 Compare October 22, 2019 00:50
@jhixson74 jhixson74 force-pushed the master_azure_no_public_endpoints branch 3 times, most recently from de566da to b2c84c9 Compare October 22, 2019 05:43
@jhixson74
Member Author

/test e2e-azure

@jhixson74 jhixson74 force-pushed the master_azure_no_public_endpoints branch from b2c84c9 to ae4754f Compare October 24, 2019 20:34
@jhixson74
Member Author

/test e2e-azure

@jhixson74 jhixson74 force-pushed the master_azure_no_public_endpoints branch from ae4754f to 5d569de Compare October 24, 2019 21:12
@jhixson74
Member Author

/test e2e-azure

@jhixson74 jhixson74 force-pushed the master_azure_no_public_endpoints branch from 5d569de to 8b0bdaa Compare October 25, 2019 01:48
@jhixson74
Member Author

/test e2e-azure

@jhixson74 jhixson74 changed the title Azure: [WIP] Create clusters with no public endpoints Azure: Create clusters with no public endpoints Oct 25, 2019
@jhixson74 jhixson74 force-pushed the master_azure_no_public_endpoints branch 2 times, most recently from 3254aa4 to b431d6d Compare October 28, 2019 18:27
@jhixson74
Member Author

/test e2e-azure

@jhixson74 jhixson74 force-pushed the master_azure_no_public_endpoints branch from b431d6d to caaaf08 Compare October 28, 2019 20:28
@jhixson74
Member Author

/test e2e-azure

@jhixson74
Member Author

/test e2e-azure

@jhixson74
Member Author

jhixson74 commented Oct 28, 2019

Tested and confirmed working with the following resources:

resource group: jhixson_vnet_rg
virtual network: jhixson_test_vnet (10.0.0.0/16)
subnet: jhixson_test_master_subnet (10.0.0.0/19)
subnet: jhixson_test_worker_subnet (10.0.32.0/19)
network security group: jhixson_test_master_nsg (22, 6443)
network security group: jhixson_test_worker_nsg (22, 80, 443, 6443)

I created a bastion host on the control plane network (jhixson_test_master_subnet) and set up a VPN server. It is necessary to connect the install client to the VPN server and have DNS configured for this to work. sshuttle can possibly be used for an easier configuration. You will need access to the vnet networks for this to be successful.

VPN server config:

port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem
remote-cert-tls client
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.224.0"
push "route 10.0.32.0 255.255.224.0"
push "route 168.63.129.16 255.255.255.255"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

VPN client config:

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /home/jhixson/openvpn/keys/ca.crt
cert /home/jhixson/openvpn/keys/jhixson.remote.csb.crt
key /home/jhixson/openvpn/keys/jhixson.remote.csb.key
remote-cert-tls server
tls-auth /home/jhixson/openvpn/keys/ta.key 1
cipher AES-256-CBC
verb 3

/etc/resolv.conf:

search redhat.com remote.csb 0bdxka02uqnuvpajnzo52ntqfd.gx.internal.cloudapp.net
nameserver 168.63.129.16
nameserver 127.0.0.1

Here is the relevant install-config.yaml for a private/internal cluster:

apiVersion: v1
baseDomain: installer.azure.devcluster.openshift.com
publish: Internal
compute:
- hyperthreading: Enabled
  name: worker
  platform:
    azure:
      osDisk:
        diskSizeGB: 128
      type: Standard_D4s_v3
controlPlane:
  hyperthreading: Enabled
  name: master
  platform: {}
  replicas: 3
metadata:
  creationTimestamp: null
  name: testprivate
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineCIDR: 10.0.0.0/16
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
platform:
  azure:
    baseDomainResourceGroupName: os4-common
    region: centralus
    networkResourceGroupName: jhixson_vnet_rg
    virtualNetwork: jhixson_test_vnet
    controlPlaneSubnet: jhixson_test_master_subnet
    computeSubnet: jhixson_test_worker_subnet

Tested and confirmed working for external/public clusters also.

install-config.yaml for external/public cluster:

apiVersion: v1
baseDomain: installer.azure.devcluster.openshift.com
compute:
- hyperthreading: Enabled
  name: worker
  platform: {}
  replicas: 3
controlPlane:
  hyperthreading: Enabled
  name: master
  platform: {}
  replicas: 3
metadata:
  creationTimestamp: null
  name: jhixson42
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineCIDR: 10.0.0.0/16
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
platform:
  azure:
    baseDomainResourceGroupName: os4-common
    region: centralus

This gives the install the ability to install an OpenShift cluster on Azure as
internal/private, which is only accessible from an internal network and not
visible on the Internet.

Because of limitations in Azure, VMs without a public IP address behind a load
balancer without a public IP address are unable to reach the internet. To get
around this limitation, a dummy load balancer with a public IP address is set up
with a rule to a dummy service.

https://jira.coreos.com/browse/CORS-1227
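An added consistency check for the private-cluster layout described in the test comment above (example code written for this thread; it is not part of the installer, and the CIDRs, subnet names and OpenVPN lines are copied from the comment as constructed inline values). It parses the `push "route ..."` lines of the OpenVPN server config and verifies that both node subnets sit inside machineCIDR, that each subnet and the Azure resolver 168.63.129.16 are reachable through a pushed route, and that the pod and service ranges do not overlap the VNet.

```python
import ipaddress
import re

# Constructed from the resources and install-config posted in the PR comment.
MACHINE_CIDR = "10.0.0.0/16"
SUBNETS = {
    "jhixson_test_master_subnet": "10.0.0.0/19",
    "jhixson_test_worker_subnet": "10.0.32.0/19",
}
CLUSTER_NETWORKS = ["10.128.0.0/14"]
SERVICE_NETWORKS = ["172.30.0.0/16"]
AZURE_DNS = "168.63.129.16"

# Excerpt of the OpenVPN server config from the comment (route lines only).
OPENVPN_SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.224.0"
push "route 10.0.32.0 255.255.224.0"
push "route 168.63.129.16 255.255.255.255"
keepalive 10 120
"""

ROUTE_RE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"\s*$')


def pushed_routes(conf):
    """Return the networks an OpenVPN server pushes to clients (address + netmask form)."""
    routes = []
    for line in conf.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return routes


def check_private_cluster_networking(conf):
    """Return a list of problems; empty when the layout is consistent."""
    problems = []
    machine = ipaddress.ip_network(MACHINE_CIDR)
    routes = pushed_routes(conf)
    for name, cidr in SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        # The installer's machine network must describe where the VMs live.
        if not net.subnet_of(machine):
            problems.append(f"{name} {cidr} is outside machineCIDR {MACHINE_CIDR}")
        # With no public endpoints, the install client reaches the API only over
        # the VPN, so a pushed route must cover each node subnet.
        if not any(net.subnet_of(r) for r in routes):
            problems.append(f"no VPN route covers {name} {cidr}")
    # Pod and service ranges must not collide with the VNet address space.
    for cidr in CLUSTER_NETWORKS + SERVICE_NETWORKS:
        if ipaddress.ip_network(cidr).overlaps(machine):
            problems.append(f"{cidr} overlaps machineCIDR {MACHINE_CIDR}")
    # resolv.conf above points at Azure's resolver, which must also be routed.
    if not any(ipaddress.ip_network(f"{AZURE_DNS}/32").subnet_of(r) for r in routes):
        problems.append(f"no VPN route to Azure DNS {AZURE_DNS}")
    return problems
```

Calling `check_private_cluster_networking(OPENVPN_SERVER_CONF)` returns an empty list for the configuration in the comment; dropping the worker route reports the subnet that became unreachable.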
@jhixson74 jhixson74 force-pushed the master_azure_no_public_endpoints branch from caaaf08 to 442395f Compare October 29, 2019 01:53
@abhinavdahiya
Contributor

/test e2e-azure

@abhinavdahiya
Contributor

/approve

waiting for e2e-azure to go green before dropping lgtm

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 29, 2019
@openshift-ci-robot
Contributor

openshift-ci-robot commented Oct 29, 2019

@jhixson74: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
ci/prow/e2e-openstack 442395f link /test e2e-openstack
ci/prow/e2e-aws-scaleup-rhel7 442395f link /test e2e-aws-scaleup-rhel7


@jhixson74
Member Author

/test e2e-azure

@abhinavdahiya
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Oct 29, 2019
@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, jhixson74
