
Installation of HA w/o LB supported



 I'm looking for the proper way to configure OpenShift HA without a LB.  
The inventory file says it can be done but nothing I try actually gets 
the cluster into a state that allows logins or API responses from 
anything other than the first node in the cluster.

Note: It is prompted by this comment in the sample inventory files from 3.6 through 3.11.
# openshift_master_cluster_hostname must resolve to the load balancer
# or to one or all of the masters defined in the inventory if no load
# balancer is present.
#openshift_master_cluster_hostname=openshift-ansible.test.example.com

Cluster:
oc get nodes
NAME                   STATUS    ROLES                  AGE       VERSION
host-t1.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0
host-t2.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0
host-t3.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0

Detailed login message:
oc -v=10 login -u system:admin host-t2.example.com:8443
I0502 16:25:42.809795   29979 loader.go:359] Config loaded from file /root/.kube/config
I0502 16:25:42.811040   29979 loader.go:359] Config loaded from file /root/.kube/config
I0502 16:25:42.811446   29979 round_trippers.go:386] curl -k -v -XHEAD  'https://host-t2.example.com:8443/'
I0502 16:25:42.846243   29979 round_trippers.go:405] HEAD https://host-t2.example.com:8443/  in 34 milliseconds
I0502 16:25:42.846297   29979 round_trippers.go:411] Response Headers:
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): yes

I0502 16:25:52.654386   29979 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/.well-known/oauth-authorization-server'
I0502 16:25:52.666730   29979 round_trippers.go:405] GET https://host-t2.example.com:8443/.well-known/oauth-authorization-server 200 OK in 12 milliseconds
I0502 16:25:52.666763   29979 round_trippers.go:411] Response Headers:
I0502 16:25:52.666775   29979 round_trippers.go:414]     Date: Thu, 02 May 2019 23:25:52 GMT
I0502 16:25:52.666785   29979 round_trippers.go:414]     Cache-Control: no-store
I0502 16:25:52.666811   29979 round_trippers.go:414]     Content-Type: application/json
I0502 16:25:52.666821   29979 round_trippers.go:414]     Content-Length: 552
I0502 16:25:52.667136   29979 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code'
I0502 16:25:52.670384   29979 round_trippers.go:405] GET https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code 400 Bad Request in 3 milliseconds
I0502 16:25:52.670418   29979 round_trippers.go:411] Response Headers:
I0502 16:25:52.670525   29979 round_trippers.go:414]     Content-Length: 196
I0502 16:25:52.670539   29979 round_trippers.go:414]     Date: Thu, 02 May 2019 23:25:52 GMT
I0502 16:25:52.670549   29979 round_trippers.go:414]     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
I0502 16:25:52.670564   29979 round_trippers.go:414]     Content-Type: application/json
I0502 16:25:52.670574   29979 round_trippers.go:414]     Expires: Fri, 01 Jan 1990 00:00:00 GMT
I0502 16:25:52.670698   29979 round_trippers.go:414]     Pragma: no-cache
I0502 16:25:52.670972   29979 helpers.go:201] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "Internal error occurred: unexpected response: 400",
  "reason": "InternalError",
  "details": {
    "causes": [
      {
        "message": "unexpected response: 400"
      }
    ]
  },
  "code": 500
}]
F0502 16:25:52.671034   29979 helpers.go:119] Error from server (InternalError): Internal error occurred: unexpected response: 400


Providing a Round-Robin DNS address that resolves to all hosts seemed the most likely to work
but things still only get routed to the first host.

At one point, in either 3.7 or 3.9, I tested this and it seemed to work correctly, but that was too long
ago for me to replicate it and prove the point.
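
Added example, not part of the original post: a small parser for the `oc -v=10` trace above that lists each request's outcome and decodes the `redirect_uri` sent to `/oauth/authorize`, so it can be compared with the value of `openshift_master_cluster_hostname`. The function names are hypothetical, the cluster hostname is the one from the commented-out sample inventory line, and treating a host mismatch as relevant to the 400 is an assumption the post does not confirm.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Result lines abridged from the trace in the post; code_challenge is a placeholder.
SAMPLE = """\
I0502 16:25:42.846243   29979 round_trippers.go:405] HEAD https://host-t2.example.com:8443/  in 34 milliseconds
I0502 16:25:52.666730   29979 round_trippers.go:405] GET https://host-t2.example.com:8443/.well-known/oauth-authorization-server 200 OK in 12 milliseconds
I0502 16:25:52.670384   29979 round_trippers.go:405] GET https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=PLACEHOLDER&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code 400 Bad Request in 3 milliseconds
"""

# round_trippers.go result line: METHOD URL [STATUS TEXT] in N milliseconds
RESULT = re.compile(
    r"round_trippers\.go:\d+\] (?P<method>[A-Z]+) (?P<url>\S+)\s+"
    r"(?:(?P<status>\d{3}) .*?)?in \d+ milliseconds")

def parse_trace(text):
    """Return one record per completed request in an `oc -v=10` trace."""
    records = []
    for line in text.splitlines():
        m = RESULT.search(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        records.append({
            "method": m["method"],
            "path": url.path,
            "status": int(m["status"]) if m["status"] else None,
            "redirect_uri": parse_qs(url.query).get("redirect_uri", [None])[0],
        })
    return records

def findings(records, cluster_hostname):
    """List failed requests and redirect_uri hosts that differ from cluster_hostname."""
    out = []
    for r in records:
        if r["status"] is None:
            out.append(f"{r['method']} {r['path']}: no HTTP status recorded")
        elif r["status"] >= 400:
            out.append(f"{r['method']} {r['path']}: HTTP {r['status']}")
        host = urlsplit(r["redirect_uri"]).hostname if r["redirect_uri"] else None
        if host and host != cluster_hostname:
            out.append(f"redirect_uri host {host} != {cluster_hostname}")
    return out

if __name__ == "__main__":
    # Hostname from the commented-out sample inventory line quoted in the post.
    for f in findings(parse_trace(SAMPLE), "openshift-ansible.test.example.com"):
        print(f)
```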

