[hack] support unique domain names for CRC clusters to enable multiple clusters on the same network #7244
Note that if you use "changedomain", the firewalld service is stopped on the machine (if there was one running). This also means the "expose" and "unexpose" commands should not be used when the domain is changed. There is no need to use them since "changedomain" will expose the cluster to remote clients.
Some of this work (particularly the part that configured OpenShift with the new base domain name) originated here: https://github.com/iLLeniumStudios/remote-crc-setup/blob/main/install.sh
This doesn't fully work. oc CLI can log in and get resources, but it looks like oauth isn't working and you cannot log into the Console UI. It has to do with the firewall. Shutting down the firewall will allow everything to work. But if I turn on the firewall and expose the ports 80, 443, 6443 it fails with "connection refused". Interestingly, if I restart the firewall but do not expose the ports, the error is "no route to host". So I think I need to figure out what additional firewall rules are needed. With the current firewall rules in place, this happens (from:
Not sure why this error happens. Port 443 is forwarded. It has to do with the fact the request is coming from inside the CRC VM. Because I can "curl" to my IP (http://) from the local machine and a remote machine. But if I try the same curl command from within a pod running in the cluster, I get the error. If I turn off the firewall, no error, and the pod can run curl successfully.
Worst case, I can just have the script shut down the firewall when changing the domain. But I would like this to work with the firewall enabled... so I need to find what rules to create to get this to work with the firewall running.
Well, after that last commit, now I can't see it fail. It may be due to the removal of the passthroughs, but I don't see why that would be the issue. These were removed:
UPDATE: starts failing again. I think I was able to log in due to some browser cache that is keeping the login tokens around.
Here's the thing I need fixed. If anyone knows what firewall rules would fix this, let me know. The firewall rules in place are:
But internal cluster pods cannot make requests outside to the nip.io endpoints. For example, these two are causing problems (these URLs that are failing are on the host machine and point to the HAProxy which should forward the request right back into the cluster).
Can't figure out the firewall. I was close, but not there. So the script will disable firewalld if it is running when you use the changedomain command. Other than that, this all works.
Fine.
tl;dr This allows you to use CRC to run multiple OpenShift clusters on a local network. Very useful for multi-cluster work.
This is a very useful enhancement to the CRC hack script.
We already had the commands "expose" and "unexpose", which expose the CRC cluster to remote machines on the local network. This allows you to access the OpenShift cluster via a browser or an oc/kubectl client running anywhere on the network (not just from the same box where CRC is running). This uses firewall rules.
However, the problem is you can only have one CRC cluster on your network because CRC fixes the domain name to "crc.testing". So if I want to start two CRC clusters, one on machine "foo" and one on machine "bar" they both bind to "crc.testing" and therefore only one can be exposed to remote machines on the network.
This PR introduces a new command "changedomain" which changes the domain of a running CRC cluster from the default crc.testing to an nip.io hostname unique to the IP address of the host machine (so, for example, 192.168.1.10.nip.io). This command will also configure HAProxy so remote machines can access the CRC cluster using that new domain name. If you have the firewalld service already running, this new command will add some firewall rules to open up the ports necessary to access the CRC cluster (technically, it just runs the "expose" command for you at the end).
To test:

```shell
hack/crc-openshift.sh start
hack/crc-openshift.sh changedomain
IP_ADDR=$(hostname -I | awk '{print $1}')
oc login -u kiali -p kiali https://api.${IP_ADDR}.nip.io:6443
oc whoami --show-server
oc get ns
```
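The two pieces the PR description says "changedomain" puts in place, the per-host nip.io domain and an HAProxy forwarder on the host, as an added worked example. This is not the hack script's own code; it assumes the CRC VM address is what `crc ip` prints, that nothing else on the host owns ports 80, 443 and 6443, and that the console route uses OpenShift's default name. The addresses 192.168.1.10 and 192.168.130.11 used in the checks below are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from hack/crc-openshift.sh: derive the nip.io domain
# that "changedomain" switches the cluster to and render an HAProxy config that
# forwards 80/443/6443 on the host to the CRC VM.
set -eu

# Accept only a dotted-quad IPv4 address (four octets, each 0-255).
is_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Print the nip.io base domain for a host IP: 192.168.1.10 -> 192.168.1.10.nip.io
# nip.io answers any <ip>.nip.io query with that IP, so no DNS setup is needed.
nipio_domain() {
  is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
  printf '%s.nip.io\n' "$1"
}

# URLs a remote client uses once the domain is changed.
api_url() {
  domain=$(nipio_domain "$1") || return 1
  printf 'https://api.%s:6443\n' "$domain"
}
console_url() {
  domain=$(nipio_domain "$1") || return 1
  printf 'https://console-openshift-console.apps.%s\n' "$domain"
}

# Render haproxy.cfg. Args: VM IP (assumed to be what `crc ip` prints) and the
# host's base domain. Everything is "mode tcp": TLS is passed through untouched
# and terminates inside the cluster, so HAProxy never holds cluster keys.
render_haproxy_cfg() {
  vm_ip=$1; base_domain=$2
  is_ipv4 "$vm_ip" || { echo "not an IPv4 address: $vm_ip" >&2; return 1; }
  cat <<EOF
# generated for ${base_domain}; forwards to CRC VM ${vm_ip}
global
    log stdout format raw local0
defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  300s
    timeout server  300s
EOF
  for port in 80 443 6443; do
    cat <<EOF
frontend fe_${port}
    bind *:${port}
    default_backend be_${port}
backend be_${port}
    server crc ${vm_ip}:${port} check
EOF
  done
}

# Usage on the CRC host: CRC_VM_IP="$(crc ip)" sh thisfile > haproxy.cfg
if [ -n "${CRC_VM_IP:-}" ]; then
  host_ip=$(hostname -I | awk '{print $1}')
  render_haproxy_cfg "$CRC_VM_IP" "$(nipio_domain "$host_ip")"
  printf '# remote login: oc login -u kiali -p kiali %s\n' "$(api_url "$host_ip")"
fi
```

The forwarder is plain TCP passthrough on purpose: the cluster's own certificates for api.<domain> and *.apps.<domain> stay inside the VM, and HAProxy only needs to know the VM address. Keep in mind what the thread above states: when "changedomain" stops firewalld, every other service listening on the host is reachable from the LAN as well, not only these three ports, so check what else is bound (for example with `ss -ltn`) before running it on a shared network.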