
Re: Installation of HA w/o LB supported




I’d be keen to see this described as well.
Initially I had a total of 6 nodes in my lab but I’ve grown it a bit since I tried the initial (unsuccessful) deployment. I now have 8 physical hosts, and am nearly ready to try again.

The issues I encountered were mostly around internal vs external certs, but having some guidance on what architecture configurations are expected / supposed to work (for some reasonable value of work) would be helpful.

> On May 2, 2019, at 17:50, Brigman, Larry <Larry Brigman arris com> wrote:
> 
> I'm looking for the proper way to configure OpenShift HA without a LB.  
> The inventory file says it can be done but nothing I try actually gets 
> the cluster into a state that allows logins or API responses from 
> anything other than the first node in the cluster.
> 
> Note: It is prompted by this comment in the sample inventory files from 3.6 through 3.11.
> # openshift_master_cluster_hostname must resolve to the load balancer
> # or to one or all of the masters defined in the inventory if no load
> # balancer is present.
> #openshift_master_cluster_hostname=openshift-ansible.test.example.com
> 
> Cluster:
> oc get nodes
> NAME                   STATUS    ROLES                  AGE       VERSION
> host-t1.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0
> host-t2.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0
> host-t3.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0
> 
> Detailed login message:
> oc -v=10 login -u system:admin host-t2.example.com:8443
> I0502 16:25:42.809795   29979 loader.go:359] Config loaded from file /root/.kube/config
> I0502 16:25:42.811040   29979 loader.go:359] Config loaded from file /root/.kube/config
> I0502 16:25:42.811446   29979 round_trippers.go:386] curl -k -v -XHEAD  'https://host-t2.example.com:8443/'
> I0502 16:25:42.846243   29979 round_trippers.go:405] HEAD https://host-t2.example.com:8443/  in 34 milliseconds
> I0502 16:25:42.846297   29979 round_trippers.go:411] Response Headers:
> The server uses a certificate signed by an unknown authority.
> You can bypass the certificate check, but any data you send to the server could be intercepted by others.
> Use insecure connections? (y/n): yes
> 
> I0502 16:25:52.654386   29979 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/.well-known/oauth-authorization-server'
> I0502 16:25:52.666730   29979 round_trippers.go:405] GET https://host-t2.example.com:8443/.well-known/oauth-authorization-server 200 OK in 12 milliseconds
> I0502 16:25:52.666763   29979 round_trippers.go:411] Response Headers:
> I0502 16:25:52.666775   29979 round_trippers.go:414]     Date: Thu, 02 May 2019 23:25:52 GMT
> I0502 16:25:52.666785   29979 round_trippers.go:414]     Cache-Control: no-store
> I0502 16:25:52.666811   29979 round_trippers.go:414]     Content-Type: application/json
> I0502 16:25:52.666821   29979 round_trippers.go:414]     Content-Length: 552
> I0502 16:25:52.667136   29979 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code'
> I0502 16:25:52.670384   29979 round_trippers.go:405] GET https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code 400 Bad Request in 3 milliseconds
> I0502 16:25:52.670418   29979 round_trippers.go:411] Response Headers:
> I0502 16:25:52.670525   29979 round_trippers.go:414]     Content-Length: 196
> I0502 16:25:52.670539   29979 round_trippers.go:414]     Date: Thu, 02 May 2019 23:25:52 GMT
> I0502 16:25:52.670549   29979 round_trippers.go:414]     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> I0502 16:25:52.670564   29979 round_trippers.go:414]     Content-Type: application/json
> I0502 16:25:52.670574   29979 round_trippers.go:414]     Expires: Fri, 01 Jan 1990 00:00:00 GMT
> I0502 16:25:52.670698   29979 round_trippers.go:414]     Pragma: no-cache
> I0502 16:25:52.670972   29979 helpers.go:201] server response object: [{
>  "metadata": {},
>  "status": "Failure",
>  "message": "Internal error occurred: unexpected response: 400",
>  "reason": "InternalError",
>  "details": {
>    "causes": [
>      {
>        "message": "unexpected response: 400"
>      }
>    ]
>  },
>  "code": 500
> }]
> F0502 16:25:52.671034   29979 helpers.go:119] Error from server (InternalError): Internal error occurred: unexpected response: 400
> 
> 
> Providing a Round-Robin DNS address that resolves to all hosts seemed the most likely to work
> but things still only get routed to the first host.
> 
> At one point either in 3.7 or 3.9, I tested this and it seemed to work correctly but it has been too long
> ago to replicate to prove that point.
> 

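An added example, not part of either message: a small parser for the `oc -v=10` response lines quoted above that reports which host answered each step, which step logged no HTTP status, and the OAuth parameters of a failed `/oauth/authorize` request. The function name `summarize` and the abridged sample log (with `code_challenge` shortened to a placeholder) are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Abridged from the verbose log quoted in the post; code_challenge is a placeholder.
SAMPLE_LOG = """\
I0502 16:25:42.846243   29979 round_trippers.go:405] HEAD https://host-t2.example.com:8443/  in 34 milliseconds
I0502 16:25:52.666730   29979 round_trippers.go:405] GET https://host-t2.example.com:8443/.well-known/oauth-authorization-server 200 OK in 12 milliseconds
I0502 16:25:52.670384   29979 round_trippers.go:405] GET https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=EXAMPLE&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code 400 Bad Request in 3 milliseconds
"""

# Response summary line: METHOD URL [STATUS REASON] in N milliseconds.
# The status is optional because the first request in the post logs none.
RESPONSE = re.compile(
    r"round_trippers\.go:\d+\] (?P<method>[A-Z]+) (?P<url>https?://\S+) "
    r"(?:(?P<status>\d{3}) [^\n]*?)?\s*in (?P<ms>\d+) milliseconds")


def summarize(log_text, quote_prefix="> "):
    """Return one dict per logged response, in order of appearance."""
    findings = []
    for raw in log_text.splitlines():
        # Accept lines pasted straight from a quoted e-mail reply.
        line = raw[len(quote_prefix):] if raw.startswith(quote_prefix) else raw
        m = RESPONSE.search(line)
        if not m:
            continue  # request lines, headers and JSON bodies are skipped
        url = urlsplit(m["url"])
        entry = {"method": m["method"], "host": url.netloc, "path": url.path,
                 "status": int(m["status"]) if m["status"] else None}
        if entry["status"] is None:
            # In the post, the certificate prompt follows this kind of line.
            entry["note"] = "no HTTP status logged"
        elif entry["status"] >= 400 and url.path == "/oauth/authorize":
            q = parse_qs(url.query)  # also percent-decodes redirect_uri
            redirect = urlsplit(q.get("redirect_uri", [""])[0])
            entry["oauth"] = {"client_id": q.get("client_id", [None])[0],
                              "redirect_host": redirect.netloc,
                              "pkce": q.get("code_challenge_method", [None])[0]}
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

Comparing `host` and `redirect_host` with the value of `openshift_master_cluster_hostname`, and with the redirect URIs registered for the OAuth client, shows whether the login is being driven against a per-node name rather than the cluster name.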
