terraform-ibm-modules / terraform-ibm-cluster

Terraform modules to create and work with IBM Kubernetes cluster & Red Hat OpenShift Kubernetes cluster on IBM Cloud (Classic, VPC)
https://cloud.ibm.com/docs/containers
Apache License 2.0

Default vpc security group outbound rule does not allow the openshift web console to work #77

Open powellquiring opened 2 years ago

powellquiring commented 2 years ago

Following the example https://cloud.ibm.com/docs/openshift?topic=openshift-templates&interface=ui got me to this repository. The cluster created has openshift-console pods that will not initialize, making this button not work:


secure-roks-cluster $ oc logs -n openshift-console  pod/$pod
W0210 16:01:20.662977       1 main.go:211] Flag inactivity-timeout is set to less then 300 seconds and will be ignored!
I0210 16:01:20.663129       1 main.go:288] cookies are secure!
E0210 16:01:25.735212       1 auth.go:235] error contacting auth provider (retrying in 10s): request to OAuth issuer endpoint https://c115-e.us-south.containers.cloud.ibm.com:30755/oauth/token failed: Head "https://c115-e.us-south.containers.cloud.ibm.com:30755": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
E0210 16:01:40.745800       1 auth.go:235] error contacting auth provider (retrying in 10s): request to OAuth issuer endpoint https://c115-e.us-south.containers.cloud.ibm.com:30755/oauth/token failed: Head "https://c115-e.us-south.containers.cloud.ibm.com:30755": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I changed the security group outbound rule to allow all traffic - this resolved the problem.

powellquiring commented 2 years ago

I applied two updates to the cluster using the Cloud Console UI to make the cluster operational:

  1. Security group outbound rules. I set it to ALL to verify. I do not know what the exact configuration should be
  2. Enable public gateway on each of the subnets

In addition to the cloud console, without these updates it was not possible to successfully install software like this:

ibmcloud oc cluster addon enable openshift-data-foundation -c $c --version 4.7.0

ibmtfprovider commented 2 years ago
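The two manual changes above (security group outbound rule, public gateway on each subnet), written as Terraform for the IBM VPC provider. This is an added example, not code from this module: the resource names `worker_sg`, `vpc`, `pgw` and `subnet`, the zone and the remote CIDR are assumptions, and port 30755 is the OAuth issuer port from the log in the first comment, which is cluster-specific.

```hcl
# Added example, not part of terraform-ibm-modules/terraform-ibm-cluster.
# Assumes existing resources ibm_is_security_group.worker_sg,
# ibm_is_vpc.vpc and ibm_is_subnet.subnet (hypothetical names).

# 1a) What the reporter used to verify: allow ALL outbound traffic.
#     Restores the console but removes every egress restriction on the workers.
resource "ibm_is_security_group_rule" "outbound_allow_all" {
  group     = ibm_is_security_group.worker_sg.id
  direction = "outbound"
  remote    = "0.0.0.0/0"
  # no protocol block: the rule matches all protocols and ports
}

# 1b) Narrower alternative for the failure visible in the log: TCP egress to the
#     OAuth issuer endpoint only. 30755 is the port from the log; the endpoint's
#     address range is a placeholder. Other egress (for example the add-on
#     install in the second comment) would need its own rules.
resource "ibm_is_security_group_rule" "outbound_oauth_issuer" {
  group     = ibm_is_security_group.worker_sg.id
  direction = "outbound"
  remote    = "203.0.113.0/24" # placeholder, replace with the issuer's range
  tcp {
    port_min = 30755
    port_max = 30755
  }
}

# 2) Public gateway, attached to the worker subnet (zone is an assumption).
resource "ibm_is_public_gateway" "pgw" {
  name = "secure-roks-pgw"
  vpc  = ibm_is_vpc.vpc.id
  zone = "us-south-1"
}

resource "ibm_is_subnet" "subnet" {
  name                     = "secure-roks-subnet"
  vpc                      = ibm_is_vpc.vpc.id
  zone                     = "us-south-1"
  total_ipv4_address_count = 256
  public_gateway           = ibm_is_public_gateway.pgw.id
}
```

Keep 1a for verification only; 1b plus the public gateway is the least-privilege shape of the same fix, to be widened only for egress the cluster demonstrably needs.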

@powellquiring

Analysing the issue

umarali-nagoor commented 2 years ago

@powellquiring

The doc you pasted above talks about creation of a SECURE CLUSTER, which is a PRIVATE-ONLY cluster with logging and monitoring enabled.

The secure cluster doesn't have public network access. That's the reason, after creation of the cluster, you are unable to access the console. But when you changed the security group outbound rule to allow ALL traffic, this resolved the problem, which is expected.

powellquiring commented 2 years ago

This option is woven into the documentation as another option to create a cluster. This was my journey:

https://cloud.ibm.com/docs/openshift?topic=openshift-deploy-odf-vpc

https://cloud.ibm.com/docs/openshift?topic=openshift-clusters

https://cloud.ibm.com/docs/openshift?topic=openshift-templates&interface=ui

My end result was a cluster that could not be used for my original purpose. At each step along the way in the docs it must be mentioned that using this terraform will not provide a cluster that will not allow:

It must also be made explicit in the README of this project.


And the readme https://github.com/terraform-ibm-modules/terraform-ibm-cluster/tree/master/examples/secure-roks-cluster

In addition, the Terraform could be enhanced to add the option for web console and software installation.