Closed: forlalit closed this 4 years ago
Yes - the API port is not exposed to the public (internet), as those are supposedly connected through a CI/CD pipeline instead of directly. Only the web applications are made public. To connect directly to the API (6443) you must create a classic load balancer in the public subnet that routes the requests to the control plane's instances.
Thanks vbudi000 for the information... As per our company policy we are not allowed to attach an internet gateway (i.e. we can't go out to the internet directly; we have to go via a proxy/firewall etc.)... Is it possible to create a Classic load balancer in a private subnet?
Yes, it is possible to create an ELB in the private subnet (in fact, the terraform already did that); then what you need is to create a transit gateway to your own VPC so that you can access the load balancer.
A further possibility: I am currently creating an air-gapped version of the terraform that does not create any internet gateway nor NAT; you will then be responsible for defining the necessary networking connection (incl. transit gateway or PrivateLink) to connect to the cluster. It will be using ECR to host a mirror of the Red Hat registry.
Thanks Budi for the quick response... my understanding is that it creates two load balancers:
1) Network Load Balancer for API requests in the private subnet
2) Classic Load Balancer in the public subnet with an internet gateway
We want the second to be in a private subnet.
I am eagerly waiting for your air-gapped installation to come up.
I really appreciate the work you are doing... It is really very helpful for us.
No, the terraform code creates 1 load balancer, which is the API in the private subnet. OpenShift in turn creates a public load balancer (i.e. a load balancer with a public-facing IP). I added logic in the post-installation to associate the automatically created ELB with a public hosted zone entry.
If you wanted to create the load balancer as an internal load balancer, there are several OpenShift objects that you must modify - I must look into my notes to find these objects and the sequence to modify them....
Thanks Budi... if you can get a list of the components which need to be modified in order to get an internal load balancer, that would be great.
There is only one that must be modified:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  finalizers:
  - ingresscontroller.operator.openshift.io/finalizer-ingresscontroller
  name: default
  namespace: openshift-ingress-operator
spec:
  endpointPublishingStrategy:
    loadBalancer:
      scope: ${var.private ? "Internal" : "External"}
    type: LoadBalancerService
The scope should be Internal if you want to build the load balancer internally.... Thanks to @ncolon for the help :D
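An added example, not from this thread or the project's terraform, that audits rendered IngressController manifests for the public-facing router the poster wants to avoid; the manifests are constructed, and the operator defaults it encodes (LoadBalancerService on AWS, scope External when omitted) are assumptions stated in the docstring.

```python
"""Audit IngressController manifests and flag routers that would get an
internet-facing cloud load balancer. Sample manifests below are constructed."""

LB_TYPE = "LoadBalancerService"

def effective_strategy(manifest, platform_default=LB_TYPE):
    """Return (type, scope) as the ingress operator would apply them.

    Assumed operator defaults: a missing endpointPublishingStrategy falls back
    to the platform default (LoadBalancerService on AWS), and a missing
    loadBalancer.scope means External. Other types (HostNetwork,
    NodePortService, Private) create no cloud load balancer, so scope is n/a.
    """
    eps = (manifest.get("spec") or {}).get("endpointPublishingStrategy") or {}
    strategy = eps.get("type") or platform_default
    if strategy != LB_TYPE:
        return strategy, "n/a"
    scope = (eps.get("loadBalancer") or {}).get("scope") or "External"
    return strategy, scope

def is_internet_facing(manifest):
    """True when the router would be published on a public-facing load balancer."""
    return effective_strategy(manifest) == (LB_TYPE, "External")

def audit(manifests):
    """Return one finding line per internet-facing IngressController."""
    findings = []
    for m in manifests:
        meta = m.get("metadata") or {}
        name = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
        strategy, scope = effective_strategy(m)
        if is_internet_facing(m):
            findings.append(f"{name}: {strategy} scope={scope} (public)")
    return findings

# Constructed samples: the thread's manifest rendered with var.private = true,
# the same object with no strategy at all (operator default), and a HostNetwork one.
PRIVATE = {"apiVersion": "operator.openshift.io/v1", "kind": "IngressController",
           "metadata": {"name": "default", "namespace": "openshift-ingress-operator"},
           "spec": {"endpointPublishingStrategy": {
               "loadBalancer": {"scope": "Internal"}, "type": LB_TYPE}}}
IMPLICIT_PUBLIC = {"kind": "IngressController",
                   "metadata": {"name": "default", "namespace": "openshift-ingress-operator"},
                   "spec": {}}
HOSTNET = {"kind": "IngressController",
           "metadata": {"name": "hostnet", "namespace": "openshift-ingress-operator"},
           "spec": {"endpointPublishingStrategy": {"type": "HostNetwork"}}}

if __name__ == "__main__":
    for line in audit([PRIVATE, IMPLICIT_PUBLIC, HOSTNET]):
        print(line)
```

Run it against `oc get ingresscontroller -n openshift-ingress-operator -o json` output (the `items` list) to check a live cluster the same way.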
I have a few queries: 1) The bootstrap machine runs even after installation... my understanding was that it should get destroyed after installation. 2) What is the correct process for shutting down OCP4 nodes (for example, we don't want them to be running on weekends)?
I was able to complete the installation successfully and I got the URL from kubeconfig, https://api.openshift4-cluster-1.test-openshift.co.uk:6443, from a machine in the public subnet of the VPC.
Are there any particular steps I need to follow after installation to connect to the cluster URL?