-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
osdocs-627 disconnected install #16696
Conversation
8fb67ee
to
c10b0da
Compare
The preview will be available shortly at: |
@umohnani8, will you PTAL? |
@wking @abhinavdahiya PTAL |
include::modules/installation-generate-aws-user-infra.adoc[leveloffset=+1] | ||
|
||
// After the proxy change merges, I need to put it in and emphasize that you | ||
// must configure a proxy for the AWS mirrored content story. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can use a proxy. I don't think you must use a proxy unless you close off enough network access that we need it to access the AWS IAM endpoints or something.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right, and I'm going to clarify the AWS proxy requirements and usage on https://bugzilla.redhat.com/show_bug.cgi?id=1743483
link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix)] | ||
in the AWS documentation. | ||
* If you use a firewall, you must | ||
xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to access Red Hat Insights]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's this for? I wouldn't expect to need access to Insights. Currently the firewall docs just talk about Telemetry / updates, and neither of those are critical to install. The disabling-Telemetry docs talk about that in more detail, and I'd expect most disconnected folks to disable update downloads and Telemetry and Insights uploads. Maybe you want to talk about the pros, cons, and methods behind enabling/disabling each of those in the body of the doc, but I don't think we want to make a hard must statement here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wking, disabling telemetry is one of the optional next steps in the assembly. Do you have a bit more information that I can include to help the disconnected installers appreciate why they should disable telemetry?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current disabling-telemetry docs focus on the pros of telemetry and cons of disabling it. But if you have no way to connect to telemetry, you don't have to think about it, you should just disable it. Still good to read about the cons, but no sense in having the telemeter container banging its head against the disconnected network every few minutes for the life of the cluster and alerting about those failures.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On the other hand, if you're just using mirrors for auditing/performance, and your cluster can still reach Red Hat's telemetry endpoints, you probably want to keep them enabled.
it in the `<installation_directory>`. | ||
+ | ||
[NOTE] | ||
==== | ||
You must name this configuration file `install-config.yaml`. | ||
==== | ||
ifdef::disconnected[] | ||
** You must provide the contents of the certificate for your mirror repository | ||
in the `additionalTrustBundle` section. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only if your mirror certificate is not signed by a CA RHCOS trusts by default. Maybe weaken the "must"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wking, can you tell me a little more about how this workflow would work? I'm happy to soften that requirement, but I'd need to add some notes in other topics. (Like in the topic about setting up a mirror repo and probably elsewhere in the installation docs.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you're mirroring to a registry whose cert RHCOS trusts by default (e.g. from quay.io to docker.io), you don't need to add additional trust for your mirror registry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm adding that exception.
pullSecret: '{"auths": ...}' <12> | ||
endif::disconnected[] | ||
ifdef::disconnected[] | ||
pullSecret: '{"auths":{"<bastion_host_name>:5000": {"auth": "<credentials>","email": "you@example.com"}}}' <12> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the earlier docs you were talking about appending the mirror creds to the cloud.openshift.com ceds, but this line here is just the mirror creds. That's fine if the cluster doesn't need to auth to any of the standard Red Hat services, but it's not going to work if there is proxy or whatever access and the cluster is supposed to be pushing Telemetry/Insights, pulling registry.redhat.io images, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wking, do we know which use case is more likely or preferred?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I dunno, but sounds like you're planning to address this with a note in a reroll.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the "preparing" topic, I'm saying to use just the mirror creds, so I'm going to keep this reference as-is.
@openshift/team-documentation, PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few small comments but otherwise LGTM.
b8854dd
to
b848fc8
Compare
b848fc8
to
b7ca64c
Compare
/cherrypick enterprise-4.2 |
@kalexand-rh: new pull request created: #16822 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
||
include::modules/installation-about-restricted-network.adoc[leveloffset=+1] | ||
|
||
include::modules/cluster-entitlements.adoc[leveloffset=+1] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Go through this section, seem like not suitable for disconnected install, especially for the following lines, though I am not expert for Telemetry part.
"""
Your machines must have direct internet access to install the cluster.
You must have internet access to:
Access the OpenShift Infrastructure Providers page to download the installation program
Access quay.io to obtain the packages that are required to install your cluster
Obtain the packages that are required to perform cluster updates
Access Red Hat’s software as a service page to perform subscription management
"""
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I opened a PR here to try to address this: #16985
If you have more feedback, please let me know!
---- | ||
+ | ||
Provide the contents of the certificate file that you used for your mirror | ||
registry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Form customer perspective, I think we need make this be more clear. In this example, I think it is better to mention the certificate file is generated in step 3 of "Creating a mirror registry" section.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll improve the note, but I can't create a link to that step.
|
||
include::modules/ssh-agent-using.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-generate-aws-user-infra.adoc[leveloffset=+1] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In disconnected env, user probably need bring his/her own DNS, but not provisioned by ingress router, just like what is mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1743483#c20, so we need openshift/installer#2221, and mentioned that in the disconnected install doc. Once that, manifests/cluster-dns-02-config.yml
also need to be removed in this step
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jianlinliu, does the whole file need to be removed? Just part of it's removed in that installer PR. I have a draft here: https://github.com/openshift/openshift-docs/pull/17190/files
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, not remove the whole file, but change some line in manifests/cluster-dns-02-config.yml, will follow up in your new PR.
|
||
include::modules/installation-creating-aws-vpc.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-cloudformation-vpc.adoc[leveloffset=+2] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If follow the same CF template and process to install cluster, personally I do not think it is meaningful to link a common UPI install here (except the part of consuming release image from mirror registry). From customer perspective, I will be more interested in what change should be applied once the installation is happening in restricted networks. The long document is easy to make user miss his/her focus.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea of the assembly is to provide all of the context that a user would need to complete the the installation. They shouldn't have to use the other assembly at all. Can you tell me more about the other improvements at the end of the process?
# File: installing-restricted-networks-preparations | ||
- Name: Restricted network AWS installation | ||
File: installing-restricted-networks-aws | ||
- Name: Restricted network bare metal installation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@morenod Could you help review this part - upi install on baremetal in a restricted network (originally we call it 'disconnected')?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On "Sample install-config.yaml file for bare metal". Point 14: imageContentSources is a requirement?
What happens if quay.io connection is also not allowed from the host where installer is being executed and image have been already uploaded to the internal registry?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You still need to provide imageContentSources with the mirror mapping of quay.io and the internal registry to the install-config.yaml. This way you don't have to go in and manually change the names of the images to be internal-registry/internal-repo
, it can still be quay.io/myrepo
and with the mirror mapping, the installer will know to try the mirrored location (i.e the internal registry) first.
- mirrors: | ||
- <bastion_host_name>:5000/<repo_name>/release | ||
source: quay.io/openshift-release-dev/ocp-release | ||
- mirrors: | ||
- <bastion_host_name>:5000/<repo_name>/release | ||
source: registry.svc.ci.openshift.org/ocp/release |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both examples of mirrors are the same, we need to provide different options on each mirror example or left just one
https://jira.coreos.com/browse/OSDOCS-627