diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index a49c10b5d44d..1dcf41ce5872 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -1288,9 +1288,6 @@ Topics:
 - Name: Configuring the Ingress Controller for manual DNS management
 File: ingress-controller-dnsmgt
 Distros: openshift-enterprise,openshift-origin
-- Name: Configuring the Ingress Controller endpoint publishing strategy
- File: nw-configuring-ingress-controller-endpoint-publishing-strategy
- Distros: openshift-enterprise,openshift-origin
 - Name: Verifying connectivity to an endpoint
 File: verifying-connectivity-endpoint
 - Name: Changing the cluster network MTU
@@ -1538,6 +1535,9 @@ Topics:
 Distros: openshift-enterprise,openshift-origin
 - Name: Configuring ingress cluster traffic using an Ingress Controller
 File: configuring-ingress-cluster-traffic-ingress-controller
+ - Name: Configuring the Ingress Controller endpoint publishing strategy
+ File: nw-configuring-ingress-controller-endpoint-publishing-strategy
+ Distros: openshift-enterprise,openshift-origin
 - Name: Configuring ingress cluster traffic using a load balancer
 File: configuring-ingress-cluster-traffic-load-balancer
 Distros: openshift-enterprise,openshift-origin
diff --git a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc
index abcf27129309..6e328f27bcb4 100644
--- a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc
+++ b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc
@@ -30,7 +30,7 @@ include::modules/private-clusters-setting-api-private.adoc[leveloffset=+2] [role="_additional-resources"] .Additional resources -* xref:../../../networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc#nw-ingresscontroller-change-internal_configuring-ingress-cluster-traffic-ingress-controller[Configuring the Ingress Controller endpoint publishing scope to Internal] +* xref:../../../networking/configuring_ingress_cluster_traffic/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc#nw-ingresscontroller-change-internal_nw-configuring-ingress-controller-endpoint-publishing-strategy[Configuring the Ingress Controller endpoint publishing scope to Internal] //Selecting a larger Amazon Web Services instance type for control plane machines include::modules/cpms-changing-aws-instance-type.adoc[leveloffset=+2] diff --git a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc index c633c3aa2462..9f639a45693b 100644 --- a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc +++ b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc 
@@ -28,7 +28,7 @@ You can enable features by updating values in the control plane machine set. include::modules/private-clusters-setting-api-private.adoc[leveloffset=+2] [role="_additional-resources"] .Additional resources -* xref:../../../networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc#nw-ingresscontroller-change-internal_configuring-ingress-cluster-traffic-ingress-controller[Configuring the Ingress Controller endpoint publishing scope to Internal] +* xref:../../../networking/configuring_ingress_cluster_traffic/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc#nw-ingresscontroller-change-internal_nw-configuring-ingress-controller-endpoint-publishing-strategy[Configuring the Ingress Controller endpoint publishing scope to Internal] //Selecting an Azure Marketplace image include::modules/installation-azure-marketplace-subscribe.adoc[leveloffset=+2] diff --git a/modules/nw-creating-project-and-service.adoc b/modules/nw-creating-project-and-service.adoc index 5c9cacffcceb..1501c313779c 100644 --- a/modules/nw-creating-project-and-service.adoc +++ b/modules/nw-creating-project-and-service.adoc @@ -6,15 +6,13 @@ [id="nw-creating-project-and-service_{context}"] = Creating a project and service -If the project and service that you want to expose do not exist, first create -the project, then the service. +If the project and service that you want to expose does not exist, create the project and then create the service. -If the project and service already exist, skip to the procedure on exposing the -service to create a route. +If the project and service already exists, skip to the procedure on exposing the service to create a route. .Prerequisites -* Install the `oc` CLI and log in as a cluster administrator. +* Install the {oc-first} and log in as a cluster administrator. .Procedure 
@@ -22,7 +20,7 @@ service to create a route. + [source,terminal] ---- -$ oc new-project myproject +$ oc new-project ---- . Use the `oc new-app` command to create your service: @@ -36,7 +34,7 @@ $ oc new-app nodejs:12~https://github.com/sclorg/nodejs-ex.git + [source,terminal] ---- -$ oc get svc -n myproject +$ oc get svc -n ---- + .Example output @@ -46,4 +44,7 @@ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE nodejs-ex ClusterIP 172.30.197.157 8080/TCP 70s ---- + +[NOTE] +==== By default, the new service does not have an external IP address. +==== diff --git a/modules/nw-exposing-service.adoc b/modules/nw-exposing-service.adoc index d79676bc6988..8e5dfc0c7fb9 100644 --- a/modules/nw-exposing-service.adoc +++ b/modules/nw-exposing-service.adoc @@ -12,17 +12,17 @@ endif::[] You can expose the service as a route by using the `oc expose` command. -.Procedure +.Prerequisites -To expose the service: +* You logged into {product-title}. -. Log in to {product-title}. +.Procedure . Log in to the project where the service you want to expose is located: + [source,terminal] ---- -$ oc project myproject +$ oc project ---- ifndef::nodeport[] @@ -40,9 +40,9 @@ $ oc expose service nodejs-ex route.route.openshift.io/nodejs-ex exposed ---- -. To verify that the service is exposed, you can use a tool, such as cURL, to make sure the service is accessible from outside the cluster. +. To verify that the service is exposed, you can use a tool, such as `curl` to check that the service is accessible from outside the cluster. -.. Use the `oc get route` command to find the route's host name: +.. To find the hostname of the route, enter the following command: + [source,terminal] ---- 
@@ -56,8 +56,9 @@ NAME HOST/PORT PATH SERVICES PORT TERMI nodejs-ex nodejs-ex-myproject.example.com nodejs-ex 8080-tcp None ---- -.. Use cURL to check that the host responds to a GET request: +.. To check that the host responds to a GET request, enter the following command: + +.Example `curl` command [source,terminal] ---- $ curl --head nodejs-ex-myproject.example.com diff --git a/modules/nw-ingress-controller-endpoint-publishing-strategies.adoc b/modules/nw-ingress-controller-endpoint-publishing-strategies.adoc index 1e8e30bcd863..7eaaa5c1647d 100644 --- a/modules/nw-ingress-controller-endpoint-publishing-strategies.adoc +++ b/modules/nw-ingress-controller-endpoint-publishing-strategies.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-nodeport.adoc +// * networking/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc :_mod-docs-content-type: CONCEPT [id="nw-ingress-controller-endpoint-publishing-strategies_{context}"] diff --git a/modules/nw-ingress-controller-nodeportservice-projects.adoc b/modules/nw-ingress-controller-nodeportservice-projects.adoc new file mode 100644 index 000000000000..fdd1d7ff751d --- /dev/null +++ b/modules/nw-ingress-controller-nodeportservice-projects.adoc 
@@ -0,0 +1,180 @@ +// Module included in the following assemblies: +// +// * networking/configuring_ingress_cluster_traffic/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc + +:_mod-docs-content-type: PROCEDURE +[id="nw-ingress-controller-nodeportservice-projects_{context}"] += Adding a single NodePort service to an Ingress Controller + +Instead of creating a `NodePort`-type `Service` for each project, you can create a custom Ingress Controller to use the `NodePortService` endpoint publishing strategy. To prevent port conflicts, consider this configuration for your Ingress Controller when you want to apply a set of routes, through Ingress sharding, to nodes that might already have a `HostNetwork` Ingress Controller. + +Before you set a `NodePort`-type `Service` for each project, read the following considerations: + +* You must create a wildcard DNS record for the Nodeport Ingress Controller domain. A Nodeport Ingress Controller route can be reached from the address of a worker node. For more information about the required DNS records for routes, see "User-provisioned DNS requirements". +* You must expose a route for your service and specify the `--hostname` argument for your custom Ingress Controller domain. +* You must append the port that is assigned to the `NodePort`-type `Service` in the route so that you can access application pods. + +.Prerequisites + +* You installed the {oc-first}. +* Logged in as a user with `cluster-admin` privileges. +* You created a wildcard DNS record. +// https://docs.openshift.com/container-platform/4.16/networking/ingress-controller-dnsmgt.html (does not detail how to create the DNS) + +.Procedure + +. 
Create a custom resource (CR) file for the Ingress Controller: ++ +.Example of a CR file that defines information for the `IngressController` object +[source,yaml] +---- +apiVersion: v1 +items: +- apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: <1> + namespace: openshift-ingress-operator + spec: + replicas: 1 + domain: <2> + nodePlacement: + nodeSelector: + matchLabels: + : <3> + namespaceSelector: + matchLabels: + : <4> + endpointPublishingStrategy: + type: NodePortService +# ... +---- +<1> Specify the a custom `name` for the `IngressController` CR. +<2> The DNS name that the Ingress Controller services. As an example, the default ingresscontroller domain is `apps.ipi-cluster.example.com`, so you would specify the `` as `nodeportsvc.ipi-cluster.example.com`. +<3> Specify the label for the nodes that include the custom Ingress Controller. +<4> Specify the label for a set of namespaces. Substitute `:` with a map of key-value pairs where `` is a unique name for the new label and `` is its value. For example: `ingresscontroller: custom-ic`. + +. Add a label to a node by using the `oc label node` command: ++ +[source,terminal] +---- +$ oc label node = <1> +---- +<1> Where `` must match the key-value pair specified in the `nodePlacement` section of your `IngressController` CR. + +. Create the `IngressController` object: ++ +[source,terminal] +---- +$ oc create -f .yaml +---- + +. Find the port for the service created for the `IngressController` CR: ++ +[source,terminal] +---- +$ oc get svc -n openshift-ingress +---- ++ +.Example output that shows port `80:32432/TCP` for the `router-nodeport-custom-ic3` service +[source,terminal] +---- +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +router-internal-default ClusterIP 172.30.195.74 80/TCP,443/TCP,1936/TCP 223d +router-nodeport-custom-ic3 NodePort 172.30.109.219 80:32432/TCP,443:31366/TCP,1936:30499/TCP 155m +---- + +. 
To create a new project, enter the following command: ++ +[source,terminal] +---- +$ oc new-project +---- + +. To label the new namespace, enter the following command: ++ +[source,terminal] +---- +$ oc label namespace = <1> +---- +<1> Where `=` must match the value in the `namespaceSelector` section of your Ingress Controller CR. + +. Create a new application in your cluster: ++ +[source,terminal] +---- +$ oc new-app --image= <1> +---- +<1> An example of `` is `quay.io/openshifttest/hello-openshift:multiarch`. + +. Create a `Route` object for a service, so that the pod can use the service to expose the application external to the cluster. ++ +[source,terminal] +---- +$ oc expose svc/ --hostname=-. <1> +---- ++ +[NOTE] +==== +You must specify the domain name of your custom Ingress Controller in the `--hostname` argument. If you do not do this, the Ingress Operator uses the default Ingress Controller to serve all the routes for your cluster. +==== + +. Check that the route has the `Admitted` status and that it includes metadata for the custom Ingress Controller: ++ +[source,terminal,subs="quotes,attributes"] +---- +$ oc get route/hello-openshift -o json | jq '.status.ingress' +---- ++ +.Example output +[source,terminal] +---- +# ... +{ + "conditions": [ + { + "lastTransitionTime": "2024-05-17T18:25:41Z", + "status": "True", + "type": "Admitted" + } + ], + [ + { + "host": "hello-openshift.nodeportsvc.ipi-cluster.example.com", + "routerCanonicalHostname": "router-nodeportsvc.nodeportsvc.ipi-cluster.example.com", + "routerName": "nodeportsvc", "wildcardPolicy": "None" + } + ], +} +---- + +. Update the default `IngressController` CR to prevent the default Ingress Controller from managing the `NodePort`-type `Service`. The default Ingress Controller will continue to monitor all other cluster traffic. 
++ +[source,terminal] +---- +$ oc patch --type=merge -n openshift-ingress-operator ingresscontroller/default --patch '{"spec":{"namespaceSelector":{"matchExpressions":[{"key":"","operator":"NotIn","values":["]}]}}}' +---- + +.Verification + +. Verify that the DNS entry can route inside and outside of your cluster by entering the following command. The command outputs the IP address of the node that received the label from running the `oc label node` command earlier in the procedure. ++ +[source,terminal] +---- +$ dig +short -. +---- + +. To verify that your cluster uses the IP addresses from external DNS servers for DNS resolution, check the connection of your cluster by entering the following command: ++ +[source,terminal] +---- +$ curl -.: <1> +---- +<1> Where `` is the node port from the `NodePort`-type `Service`. Based on example output from the `oc get svc -n openshift-ingress` command, the `80:32432/TCP` HTTP route means that `32432` is the node port. ++ +.Output example ++ +[source,terminal] +---- +Hello OpenShift! +---- diff --git a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc index 78a7832ff30a..46a071fdcb97 100644 --- a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc +++ b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc 
@@ -32,7 +32,7 @@ to a user, run the following command: $ oc adm policy add-cluster-role-to-user cluster-admin username ---- -* Have an {product-title} cluster with at least one master and at least one node +* You have an {product-title} cluster with at least one master and at least one node and a system outside the cluster that has network access to the cluster. This procedure assumes that the external system is on the same subnet as the cluster. The additional networking required for external systems on a different subnet is @@ -45,9 +45,7 @@ include::modules/nw-creating-project-and-service.adoc[leveloffset=+1] // Exposing the service by creating a route include::modules/nw-exposing-service.adoc[leveloffset=+1] -// Router sharding ifdef::openshift-enterprise,openshift-webscale,openshift-origin[] - // Ingress sharding in OpenShift Container Platform include::modules/nw-ingress-sharding-concept.adoc[leveloffset=+1] @@ -89,18 +87,3 @@ include::modules/nw-ingress-sharding-route-configuration.adoc[leveloffset=+2] * xref:../../networking/network_policy/about-network-policy.adoc#nw-networkpolicy-about_about-network-policy[About network policy] endif::openshift-enterprise,openshift-webscale,openshift-origin[] - -// Ingress Controller endpoint publishing strategy -include::modules/nw-ingress-controller-endpoint-publishing-strategies.adoc[leveloffset=+1] - -// Configuring the Ingress Controller endpoint publishing scope to Internal -include::modules/nw-ingresscontroller-change-internal.adoc[leveloffset=+2] - -// Configuring the Ingress Controller endpoint publishing scope to External -include::modules/nw-ingresscontroller-change-external.adoc[leveloffset=+2] - -[discrete] -[id="additional-resources_nw-ingress-controller-endpoint-publishing-strategies"] -=== Additional resources - -* xref:../networking/ingress-operator#nw-ingress-controller-configuration-parameters_configuring-ingress[Ingress Controller configuration parameters] 
diff --git a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-nodeport.adoc b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-nodeport.adoc index 613cdd97ea93..478d57fbf02b 100644 --- a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-nodeport.adoc +++ b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-nodeport.adoc @@ -1,6 +1,6 @@ :_mod-docs-content-type: ASSEMBLY [id="configuring-ingress-cluster-traffic-nodeport"] -= Configuring ingress cluster traffic using a NodePort += Configuring ingress cluster traffic by using a NodePort include::_attributes/common-attributes.adoc[] :context: configuring-ingress-cluster-traffic-nodeport @@ -38,13 +38,16 @@ procedure assumes that the external system is on the same subnet as the cluster. The additional networking required for external systems on a different subnet is out-of-scope for this topic. +// Creating a project and service include::modules/nw-creating-project-and-service.adoc[leveloffset=+1] +// Exposing the service by creating a route include::modules/nw-exposing-service.adoc[leveloffset=+1] - [role="_additional-resources"] [id="configuring-ingress-cluster-traffic-nodeport-additional-resources"] == Additional resources * xref:../../networking/configuring-node-port-service-range.adoc#configuring-node-port-service-range[Configuring the node port service range] + +* xref:../../networking/configuring_ingress_cluster_traffic/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc#nw-ingress-controller-nodeportservice-projects_nw-configuring-ingress-controller-endpoint-publishing-strategy[Adding a single NodePort service to an Ingress Controller] 
diff --git a/networking/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc b/networking/configuring_ingress_cluster_traffic/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc
similarity index 66%
rename from networking/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc
rename to networking/configuring_ingress_cluster_traffic/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc
index e297de9190a4..d876e6ff24e0 100644
--- a/networking/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc
+++ b/networking/configuring_ingress_cluster_traffic/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc
@@ -24,9 +24,14 @@ include::modules/nw-ingresscontroller-change-internal.adoc[leveloffset=+2] // Configuring the Ingress Controller endpoint publishing scope to External include::modules/nw-ingresscontroller-change-external.adoc[leveloffset=+2] +// Adding a single NodePort service to an Ingress Controller +include::modules/nw-ingress-controller-nodeportservice-projects.adoc[leveloffset=+2] + [role="_additional-resources"] == Additional resources -* xref:../networking/ingress-operator.adoc#nw-ingress-controller-configuration-parameters_configuring-ingress[Ingress Controller configuration parameters]. +* xref:../../networking/ingress-operator.adoc#nw-ingress-controller-configuration-parameters_configuring-ingress[Ingress Controller configuration parameters] + +* xref:../../installing/installing_openstack/installing-openstack-installer-custom.adoc#installation-osp-setting-cloud-provider-options_installing-openstack-installer-custom[Setting {rh-openstack} Cloud Controller Manager options] -* xref:../installing/installing_openstack/installing-openstack-installer-custom.adoc#installation-osp-setting-cloud-provider-options_installing-openstack-installer-custom[Setting {rh-openstack} Cloud Controller Manager options]. +* xref:../../installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-dns-user-infra_installing-platform-agnostic[User-provisioned DNS requirements] diff --git a/networking/ingress-controller-dnsmgt.adoc b/networking/ingress-controller-dnsmgt.adoc index 4ac5b39c55cb..21cc8fc1430d 100644 --- a/networking/ingress-controller-dnsmgt.adoc +++ b/networking/ingress-controller-dnsmgt.adoc @@ -33,7 +33,6 @@ include::modules/creating-a-custom-ingress-controller.adoc[leveloffset=+1] include::modules/modifying-an-existing-ingress-controller.adoc[leveloffset=+1] - [role="_additional-resources"] [id="configuring-ingress-controller-dns-management-additional-resources"] == Additional resources 
diff --git a/post_installation_configuration/configuring-private-cluster.adoc b/post_installation_configuration/configuring-private-cluster.adoc index 1fd3c2025b25..fcb32dd62750 100644 --- a/post_installation_configuration/configuring-private-cluster.adoc +++ b/post_installation_configuration/configuring-private-cluster.adoc @@ -18,7 +18,7 @@ include::modules/private-clusters-setting-api-private.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources -* xref:../networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc#nw-ingresscontroller-change-internal_configuring-ingress-cluster-traffic-ingress-controller[Configuring the Ingress Controller endpoint publishing scope to Internal] +* xref:../networking/configuring_ingress_cluster_traffic/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc#nw-ingresscontroller-change-internal_nw-configuring-ingress-controller-endpoint-publishing-strategy[Configuring the Ingress Controller endpoint publishing scope to Internal] include::modules/registry-configuring-private-storage-endpoint-azure.adoc[leveloffset=+1]