Add installer/bootstrap-konnectivity-tunnel.md #1941
mdbooth wants to merge 1 commit into openshift:master from
Conversation
@mdbooth: all tests passed!
> ### Workflow Description
>
> This feature is transparent to the cluster administrator.
> It requires no user action and does not change the `openshift-install` CLI interface.
Unfortunately this part will not be true in cases where users bring their own networks:
- baremetal/on-prem platforms
- azure byo vnet

This is because the port management will need to be updated to open port 8091. That's not an unreasonable ask, but it is definitely not transparent.
And I see you included this in open questions 👍
> 1. How should the bootstrap script determine the bootstrap node IP?
>    This IP is required for the server certificate SAN and the agent `--proxy-server-host` argument.
> 1. Clarify the impacts, if any, on SNO, MicroShift, and OKE.
>    For SNO, the bootstrap node is typically separate from the single cluster node, so the architecture still applies.
This is only true in the cloud. On-prem SNO uses bootstrap-in-place, and the bootstrap and control plane never interact.
>    MicroShift does not use the bootstrap process and is likely not affected.
>    OKE uses the same installer and is likely affected in the same way as OCP.
>    These assumptions need confirmation.
> 1. Determine all platforms requiring security group updates for TCP port 8091.
Please document this in https://github.com/openshift/enhancements/blob/master/dev-guide/host-port-registry.md
LGTM once existing comments are resolved. We can merge this and iterate during implementation as we answer open questions IMO
> 10. The installer destroys the bootstrap node infrastructure.
>     The Konnectivity server is gone with it.
>     The production KAS instances have direct access to the pod network and do not need the tunnel.
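Review bot: step 10 describes teardown of the bootstrap side only; the Konnectivity agent DaemonSet and the namespace that step 4 creates in the cluster are not mentioned, so the text should state whether the installer removes them together with the bootstrap infrastructure or they are intentionally left behind (and, if left, why, since agents that keep dialing a server that no longer exists will at least produce reconnect noise in their logs). Suggest adding a sentence after "The Konnectivity server is gone with it." such as "The installer also deletes the Konnectivity agent DaemonSet and its namespace." or the equivalent statement that they remain.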
> The installer destroys the bootstrap node infrastructure

Quick question: For cloud platforms, this also implies deleting the rule that allows TCP/8091 to bootstrap node, right? Or are we leaving it behind?
Background: On AWS, the bootstrap node shares the same security group(s) as the control plane nodes. So, adding TCP/8091 will need cleaning up post-bootstrap; otherwise, it will stay behind.
Looking at this change (still in-progress), I don't see the cleanup logic so just wanted to double-check 😅
Sorry, never mind me, I missed Patrick's openshift/installer#10344 (comment) 😩 (been a long day...)
nit: How about making the wording a bit more explicit? Let's add the following to section Workflow:
- The konnectivity server listens on TCP/8091.
- The installer should configure platforms to open a security group rule/firewall rule to allow TCP/8091 (link to section Cloud-specific Security Group Configuration).
- After bootstrap, the installer destroys bootstrap resources, including the new security/firewall rule.

IMO, allowing TCP/8091 is an important workflow step so it should be mentioned here, which sounds clearer... That being said, it's just a nit 😅
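The cleanup concern raised in the comments above (a TCP/8091 rule added to a security group that the bootstrap node shares with the control plane, and possibly left behind after bootstrap) can be verified from the cloud side. The following is an added example and is not code from this PR or from openshift/installer: it audits a response shaped like the output of `aws ec2 describe-security-groups` for ingress permissions that still admit TCP/8091, including port ranges that span it and the all-traffic protocol `-1`. The group ids, group names and CIDRs are constructed sample data, and the function names are this example's own.

```python
"""Added example: find security group ingress rules that still admit the
Konnectivity server port (TCP/8091) after bootstrap teardown.

Not part of the PR or of openshift/installer. The input shape mirrors the
JSON returned by `aws ec2 describe-security-groups`; the data below is
constructed for the example, and group ids/names are placeholders."""

import json

KONNECTIVITY_PORT = 8091  # port the EP proposes for the bootstrap Konnectivity server


def permission_admits_port(perm: dict, port: int) -> bool:
    """True if one IpPermissions entry lets traffic reach `port` over TCP.

    Handles the exact port, any port range spanning it, and the catch-all
    protocol "-1" (AWS's "all traffic", which carries no port fields).
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def lingering_konnectivity_rules(groups: list, port: int = KONNECTIVITY_PORT) -> list:
    """Return one finding per (group, source) pair whose rule still admits `port`."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not permission_admits_port(perm, port):
                continue
            # Sources can be CIDR ranges or references to other security groups.
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                findings.append({
                    "group": group["GroupId"],
                    "name": group.get("GroupName", ""),
                    "protocol": perm["IpProtocol"],
                    "from": perm.get("FromPort"),
                    "to": perm.get("ToPort"),
                    "source": src,
                })
    return findings


# Constructed sample in the shape of describe-security-groups output. The
# control-plane group still carries the bootstrap-era TCP/8091 rule plus a
# range that happens to span it; the worker group is clean.
SAMPLE_RESPONSE = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0example000cp",
      "GroupName": "example-cluster-controlplane",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6443, "ToPort": 6443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8091, "ToPort": 8091,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0example000wk"}]}
      ]
    },
    {
      "GroupId": "sg-0example000wk",
      "GroupName": "example-cluster-worker",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}
      ]
    }
  ]
}
""")


def audit(response: dict = SAMPLE_RESPONSE) -> list:
    """Run the check over a describe-security-groups style response."""
    return lingering_konnectivity_rules(response["SecurityGroups"])


if __name__ == "__main__":
    for f in audit():
        print(f"{f['group']} ({f['name']}): {f['protocol']} {f['from']}-{f['to']} "
              f"from {f['source']} still admits TCP/{KONNECTIVITY_PORT}")
```

To run it against a real cluster, replace `SAMPLE_RESPONSE` with the parsed output of `aws ec2 describe-security-groups` filtered to the cluster's groups; a non-empty result after bootstrap teardown means the rule from the workflow's cleanup step was not removed.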
> 4. The script creates cluster resources for the Konnectivity agent:
>    a. Resolves the `apiserver-network-proxy` image from the release payload.
>    b. Substitutes the image and bootstrap IP into the DaemonSet template and writes the resulting manifest to the manifests directory.
>    c. Writes the `openshift-installer-bootstrap` Namespace manifest to the manifests directory.
Looking at the commit (still in progress), the namespace says openshift-bootstrap-konnectivity, but here the EP says openshift-installer-bootstrap. I just wanted to double-check which one is correct 👀?
An EP describing the investigation outcomes of a PoC implementing a Konnectivity tunnel between the bootstrap node and early cluster nodes.
Tracker: https://issues.redhat.com/browse/CORS-4334