New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OSASINFRA-902: Update OpenStack Custom External LB and DNS Docs #4389
OSASINFRA-902: Update OpenStack Custom External LB and DNS Docs #4389
Conversation
/label platform/openstack |
/cc @maxwelldb |
@iamemilio Would you like suggestions on this, or is the review request more of an FYI only thing? |
Suggestions sound great, but up to you. |
6e3c398
to
52d7e08
Compare
/lgtm |
/hold lets give people some time to put reviews in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made a number of comments. Feel free to accept/trash/interrogate however you like. @iamemilio
docs/user/openstack/README.md
Outdated
|
||
This documents how to shift from the internal load balancer, which is intended for internal networking needs, to an external load balancer. | ||
This documents how to shift external traffic from the internal load balancer that comes stock with OpenShift on OpenStack to an external load balancer. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This documents how to shift external traffic from the internal load balancer that comes stock with OpenShift on OpenStack to an external load balancer. | |
You can shift network traffic from the default OpenShift on OpenStack load balancer to a load balancer that you provide. |
(Or something like this. What's the importance of external and internal in an instructional sense? Could preserve those terms if it's important.)
docs/user/openstack/README.md
Outdated
|
||
The load balancer must serve ports 6443, 443, and 80 to any users of the system. Port 22623 is for serving ignition start-up configurations to the OpenShift nodes and should not be reachable outside of the cluster. | ||
It is essential that the instance your load balancing service is running from can reach all of the nodes in the cluster. One easy way to do this is to create the instance in a subnet that is within the OpenShift network created by your installer, and making sure a router interface is attached to that subnet from the OpenShift-external-router. Another solution is to attach a floating IP to the nodes that you want to add to your external load balancer. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is essential that the instance your load balancing service is running from can reach all of the nodes in the cluster. One easy way to do this is to create the instance in a subnet that is within the OpenShift network created by your installer, and making sure a router interface is attached to that subnet from the OpenShift-external-router. Another solution is to attach a floating IP to the nodes that you want to add to your external load balancer. | |
To use your own load balancer, the instance that it runs from must be able to access every machine in your cluster. You might ensure this access by creating the instance on a subnet that is within your cluster's network, and then attaching a router interface to that subnet from the `OpenShift-external-router` [object/instance/whatever]. You can also attach a floating IP address to the machines that you want to add to your load balancer. |
docs/user/openstack/README.md
Outdated
openstack floating ip create --port master-port-1 <public network> | ||
openstack floating ip create --port master-port-2 <public network> | ||
``` | ||
The following external facing services should be added to your new load balancer: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The following external facing services should be added to your new load balancer: | |
Add the following external facing services to your new load balancer: |
docs/user/openstack/README.md
Outdated
|
||
The first step is to add floating IPs to all the master nodes: | ||
#### Key OpenShift Services |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Key" == "Required?" "Important?"
docs/user/openstack/README.md
Outdated
|
||
Once complete you can see your floating IPs using: | ||
- The master nodes serve the OpenShift API over port 6443 via tcp. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- The master nodes serve the OpenShift API over port 6443 via tcp. | |
- The master nodes serve the OpenShift API on port 6443 by using TCP. |
docs/user/openstack/README.md
Outdated
``` | ||
|
||
The external load balancer should now be operational along with your own DNS solution. The following curl command is an example of how to check functionality: | ||
#### Verifying API Reachable |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#### Verifying API Reachable | |
#### Verifying that the API is Reachable |
Capitalized however you like.
docs/user/openstack/README.md
Outdated
The external load balancer should now be operational along with your own DNS solution. The following curl command is an example of how to check functionality: | ||
#### Verifying API Reachable | ||
|
||
One good way to test that you can reach the API is to try executing an `oc` command. If you can't do that easily, you can use this curl command: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One good way to test that you can reach the API is to try executing an `oc` command. If you can't do that easily, you can use this curl command: | |
One way to test whether or not you can reach the API is to run the `oc` command. | |
If you can't use `oc`, use the following `curl` command: |
Could include sample output for good/bad cases while using oc
.
docs/user/openstack/README.md
Outdated
"compiler": "gc", | ||
"platform": "linux/amd64" | ||
} | ||
``` | ||
|
||
Another useful thing to check is that the ignition configurations are only available from within the deployment. The following command should only succeed from a node in the OpenShift cluster: | ||
Note: the versions may be different, but as long as you get a json payload response, it worked correctly. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: the versions may be different, but as long as you get a json payload response, it worked correctly. | |
Note: The versions in the sample output may differ from your own. As long as you get a JSON payload response, the API is accessible. |
docs/user/openstack/README.md
Outdated
Another useful thing to check is that the ignition configurations are only available from within the deployment. The following command should only succeed from a node in the OpenShift cluster: | ||
Note: the versions may be different, but as long as you get a json payload response, it worked correctly. | ||
|
||
#### Verifying Apps Reachable |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#### Verifying Apps Reachable | |
#### Verifying that Apps Are Reachable |
Or something to that effect.
docs/user/openstack/README.md
Outdated
|
||
#### Verifying Apps Reachable | ||
|
||
An easy way to check that the workers are load balanced correctly is to try to access the OpenShift console. This can be done from your web browser. If you don't have access to a web browser, then you can try to query it with the following curl command: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An easy way to check that the workers are load balanced correctly is to try to access the OpenShift console. This can be done from your web browser. If you don't have access to a web browser, then you can try to query it with the following curl command: | |
The simplest way to verify that apps are reachable is to open the OpenShift console in a web browser. | |
If you don't have access to a web browser, query the console by using the following `curl` command: |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: EmilienM, maxwelldb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
52d7e08
to
2e9b816
Compare
@iamemilio: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
docs/user/openstack/README.md
Outdated
You can verify the operation of the load balancer now if you wish, using the curl commands given below. | ||
|
||
Now the DNS entry for `api.<cluster name>.<base domain>` needs to be updated to point to the new load balancer: | ||
To ensure that your API and apps are accessible through your load balancer, [create or update DNS entries](#Create API and Ingress DNS Records) for them. To use your new load balancing service for external traffic, make sure the IP address for these DNS entries is the IP address your load balancer is reachable at. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The anchor should be #create-api-and-ingress-dns-records, otherwise the link doesn't render. The sentence ends bizarrely too.
To ensure that your API and apps are accessible through your load balancer, [create or update DNS entries](#Create API and Ingress DNS Records) for them. To use your new load balancing service for external traffic, make sure the IP address for these DNS entries is the IP address your load balancer is reachable at. | |
To ensure that your API and apps are accessible through your load balancer, [create or update DNS entries](#create-api-and-ingress-dns-records) for them. To use your new load balancing service for external traffic, make sure the IP address for these DNS entries is the IP address your load balancer: |
The underlying network architecture has changed a lot since these docs were initially written. We want to make sure that these docs are accurate and up to date so that users with complex networking use cases like workers on a custom subnet and baremetal workers are able to manage their ingress/egress traffic as needed. More up to date examples and reference information has been added. We have chosen to omit sections outlining how to replace the internal lb and dns services since they were inaccurate. We are targeting an upcoming release to handle these features better given the complexity of our current networking architecture.
2e9b816
to
30e597f
Compare
removing the hold, reviewers can lgtm again when ready /hold cancel |
/lgtm |
The underlying network architecture has changed a lot since these docs
were initially written. We want to make sure that these docs are accurate
and up to date so that users with complex networking use cases like workers
on a custom subnet and baremetal workers are able to manage their ingress/egress
traffic as needed. More up to date examples and reference information has been added.
We have chosen to omit sections outlining how to replace the internal lb and dns
services since they were inaccurate. We are targeting an upcoming release to handle
these features better given the complexity of our current networking architecture.