
Re: OKD 3.11 openshift_logging_install_logging=true install fails - openshift_logging_es_nodeselector error



Hi Samuel,

 

Hope all is doing well thanks again for the quick reply.

So actually I had set this to

openshift_logging_es_nodeselector={"node-role.kubernetes.io/infra":"true"}

 

in the meanwhile and was running deploy_cluster, it just completed successfully! Amazing.

I do think it should maybe be better documented or have more examples in the docs I guess.

 

I have another question since we’re at it…

I have an LDAP server with a valid certificate.

Using openshift_master_identity_providers=…LDAPPasswordIdentityProvider… I am expected to supply a certificate. But since I have a valid public certificate, which is trusted by up-to-date public certificate authority, I don’t intend to provide any.

So here, I am baffled with these possible solutions:

Use the ‘insecure’ : ‘true’ parameter… it’s a quick dirty fix you know the certificate is valid…

Or I’ve been waiting for the master-config.yaml to be created then I create a symlink to ca-bundle.crt so the master-api comes up, otherwise it will fail saying providername_ldap_ca.crt can’t be found.

The documentation states the following:

 

# LDAP auth

#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]

# Configuring the ldap ca certificate

#openshift_master_ldap_ca=<ca text>

# or

#openshift_master_ldap_ca_file=<path to local ca file to use>

 

# Available variables for configuring certificates for other identity providers:

#openshift_master_openid_ca

#openshift_master_openid_ca_file

#openshift_master_request_header_ca

#openshift_master_request_header_ca_file

 

If you specified 'insecure': 'true' in the openshift_master_identity_providers parameter for only an LDAP identity provider, you can omit the CA certificate.

 

So… for LDAP to work after deployment completes I login to master and edit master-config.yaml leaving the Provider ca: field empty… and all works perfectly.

I have tried multiple combinations to have this field empty reading from inventory file… do you have a suggestion?

 

I also feel this is poorly documented, and I am a little surprised because it seems people rather have an insecure quick fix than looking into the problem, I’ve been around issues and it happens around. Again I do believe many people will go with insecure even having valid certificates, but this doesn’t make much sense to me.

 

Kind regards,

Ricardo Mendes
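
An added example (not part of the original message, and not openshift-ansible code): a small Python check that reads the `openshift_master_identity_providers` inventory variable discussed above and reports LDAP providers that have TLS switched off, or that have no CA variable set. The sample inventory is constructed from the documentation excerpt quoted in the message; the function names and severity labels are hypothetical.

```python
import ast

CA_VARS = ("openshift_master_ldap_ca", "openshift_master_ldap_ca_file")

# Constructed sample, modelled on the documentation excerpt quoted in the message.
SAMPLE_INVENTORY = """\
[OSEv3:vars]
openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn']}, 'bindDN': '', 'bindPassword': '', 'insecure': 'true', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
#openshift_master_ldap_ca_file=/etc/pki/tls/certs/ca-bundle.crt
"""

def inventory_vars(text):
    """Return the uncommented key=value pairs of an INI-style inventory."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if " " not in key.strip():        # skip host lines such as "host var=value"
            pairs[key.strip()] = value.strip()
    return pairs

def as_bool(value):
    """Inventory examples write booleans as strings ('true' / 'false')."""
    return str(value).strip().lower() in ("true", "yes", "1")

def audit_ldap_providers(text):
    """Return (provider name, severity, message) for each LDAP provider at risk."""
    found = inventory_vars(text)
    # The variable is a Python-style literal, so literal_eval parses it safely.
    providers = ast.literal_eval(found.get("openshift_master_identity_providers", "[]"))
    ca_set = any(name in found for name in CA_VARS)
    findings = []
    for provider in providers:
        if provider.get("kind") != "LDAPPasswordIdentityProvider":
            continue
        name = provider.get("name", "?")
        if as_bool(provider.get("insecure", "false")):
            findings.append((name, "HIGH",
                             "insecure=true: the LDAP connection is made without TLS"))
        elif not ca_set:
            findings.append((name, "WARN",
                             "no openshift_master_ldap_ca[_file] set: the message above "
                             "reports master-api failing on a missing %s_ldap_ca.crt" % name))
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_providers(SAMPLE_INVENTORY):
        print("%s [%s] %s" % finding)
```
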

 

 

From: Samuel Martín Moro <faust64 gmail com>
Date: Sunday, 2 June 2019 at 14:06
To: Ricardo Mendes <maverickws outlook pt>
Cc: OpenShift Users List <users lists openshift redhat com>
Subject: Re: OKD 3.11 openshift_logging_install_logging=true install fails - openshift_logging_es_nodeselector error

 

Hi,

 

 

try that one:

 

openshift_logging_es_nodeselector={'node-role.kubernetes.io/infra':'true'}

 

 

alternatively, you might want to create some "group_vars" directory alongside your inventory, and add a file "group_vars/all.yaml", with the following:

 

openshift_logging_es_nodeselector:
  node-role.kubernetes.io/infra: "true"

 

as ini format can be quite painful, depending on which variables you need to set.

 

 

Regards.

 

 

On Sun, Jun 2, 2019 at 1:23 PM Ricardo Mendes <maverickws outlook pt> wrote:

Hi all,

 

I am using a three server Setup as my inventory file below.

I am facing this issue where I can’t install ELK by setting `openshift_logging_install_logging=true` because I always get this error:

 

TASK [openshift_control_plane : Ensure that Elasticsearch has nodes to run on] ***************************************************************************************************

fatal: [master.domain.com]: FAILED! => {

    "assertion": false,

    "changed": false,

    "evaluated_to": false,

    "msg": "No schedulable nodes found matching node selector for Elasticsearch - 'infra=true'"

}

 

I have tried with the following variables:

 

openshift_logging_es_nodeselector={"node-type":"infrastructure"}  # as seen somewhere on documentation

openshift_logging_es_nodeselector={"node-type":"infra"}

openshift_logging_es_nodeselector={"type":"infra"}

openshift_logging_es_nodeselector='node-role.kubernetes.io/infra=true'

openshift_logging_es_nodeselector={'role':'infra'}

openshift_logging_es_nodeselector={'infra':'true'}

 

My inventory file:

 

[OSEv3:children]

masters

etcd

nodes

 

[masters]

master.domain.com openshift_schedulable=True

 

[etcd]

master.domain.com openshift_schedulable=True

 

[nodes]

master.domain.com openshift_node_group_name='node-config-master' openshift_schedulable=True

infra.domain.com openshift_node_group_name='node-config-infra' openshift_schedulable=True

node01.domain.com openshift_node_group_name='node-config-compute' openshift_schedulable=True

 

 

[OSEv3:vars]

openshift_logging_install_logging=true

openshift_logging_es_nodeselector={'infra':'true'}

 

I am out of ideas and I think my google is broken cause I can’t seem to find a suitable option that works… and each deploy_cluster takes over half an hour…

 

Anyone can point me in the right path? Thank you!

 

Kind regards,

Ricardo M

 



 

--

Samuel Martín Moro
{EPITECH.} 2011

"Nobody wants to say how this works.
 Maybe nobody knows ..."
                      Xorg.conf(5)

