When there is an OpenStack deployment which doesn't have Swift services,
or no containers are used at all, listing them will fail the
playbook and leave an exit code other than 0, which may interrupt CI.
With this commit, errors from listing containers will be ignored, which
will cover both cases.

The Ansible utils we get from openstack-17-for-rhel-9-rpms are too old
(version 2.3.0-2.el9ost) and don't have any of the needed filters
added in v2.5.

On ansible-core 2.14 and below, `vars_files` chokes on a missing file. This
is no longer the case with ansible-core 2.15. We need a different
strategy so that Ansible ignores non-existent files.

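One way to tolerate an absent vars file on ansible-core 2.14 and below, as an added example that is not the installer's own playbook code; the file name `inventory-overrides.yaml` is an assumption.

```yaml
# Added example (not from the installer repo): load an optional vars file
# without failing when it is absent. On ansible-core 2.14 and below a
# missing vars_files entry aborts the play; the first_found lookup with
# skip: true returns an empty list instead, so the loop simply runs zero
# times. The file name inventory-overrides.yaml is an assumption.
- name: Load optional overrides if present
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Include inventory-overrides.yaml only when it exists
      ansible.builtin.include_vars:
        file: "{{ item }}"
      loop: "{{ query('ansible.builtin.first_found', optional_vars) }}"
      vars:
        optional_vars:
          files:
            - inventory-overrides.yaml
          skip: true
```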
We experienced issues caused by network resources created with the same
name, which makes Ansible playbooks behave differently.

Due to the fact that the OpenShift infraID is not yet accessible at the
stage of creating network resources, there is a need to create a
deployment-unique identifier in some other way. This patch implements
generating such an identifier independently from the OpenShift deployment id.
Co-authored-by: Maysa De Macedo Souza <maysa.macedo95@gmail.com>

This commit changes the `ether_type` field to `ethertype` so it will not
break on older Ansible OpenStack collections.
Also, fixed the condition for the IPv6 block.

This commit adds tasks to create the Servers Ports with
the dualstack network and also includes the addresses of the
API and ingress dualstack Ports in the allowed address pairs.

OpenStack network related resource names which were defined in
common.yaml need to be moved to inventory.yaml, so the user will have a
chance to change them before running the network.yaml playbook. This is
needed as we will not have the infraId to be added as part of the resource
names.

All the IPv6 security group related tasks have been moved to a dedicated
block. IPv6 rules were added for the master security groups in case
masters are set to be schedulable. And finally, fixed conditions for IPv6
tasks.

In 4.15 Kuryr is no longer a supported NetworkType, following its
deprecation in 4.12. This commit removes mentions of Kuryr from the
documentation and code, but also adds validation to prevent
installations from being executed when `networkType` is set to `Kuryr`.

Compact clusters have been supported for a while in IPI.
To also allow compact clusters on UPI, the security group rules
for UPI should be adapted, enabling the same ingress traffic
that is enabled for workers.

With openshift/cluster-cloud-controller-manager-operator#264 we should
no longer need the SG rules opening whole NodePorts range by default.
cloud-provider-openstack will manage this on its own now.
We still need to keep the rules opening the traffic inside the cluster
to make sure traffic redirections and regular NodePort services work.

For consistency with IPI, and so that the MachineSet documentation works
the same for both installation methods, we should create a server group
for Compute nodes.
The server group is named `<infra-ID>-worker`, and uses the
`soft-anti-affinity`, similar to what IPI does.

Akin to `install-config.yaml`'s `platform.openstack.externalDNS`, add a
new `os_external_dns` property of the UPI inventory to allow setting up
external DNS resolvers to the machines' subnet.

Bootstrapping no longer uses mDNS for node resolution, so we can remove the
security group rules for mDNS.
These rules were only defined for the OpenStack platform. This commit
removes the rules for both UPI and IPI.

TL;DR: SSH shouldn't be exposed to the public by default and if an
operator explicitly wants it, they should do it by modifying the
security group on day 2.
Reasons to not open SSH to all networks:
* SSH to an OCP cluster should be done only by advanced operators and
shouldn't be encouraged, therefore not open by default that easily. Instead, an experienced operator should make configuration changes via `machineconfig` objects.
* Operators who know what they do should reach the nodes from a secure
network (e.g. provider network or tenant network, i.e. internal). Not
from a public network (e.g. Internet or any public-facing network).
* Other cloud providers don't allow SSH from 0.0.0.0/0, we shouldn't be
the one doing it.
* Running `oc debug` doesn't require SSH to be open from the client.
Signed-off-by: Emilien Macchi <emilien@redhat.com>

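A day-2 playbook that re-opens SSH to the master security group from an internal CIDR only, as an added example that is not part of this commit or the installer's playbooks; it assumes the `openstack.cloud` collection and the variable names `os_cloud`, `os_sg_master` and `os_internal_cidr`.

```yaml
# Added example (not from the installer repo): day-2 task that grants SSH
# to the master security group from an internal network only, instead of
# the world-open 0.0.0.0/0 rule this commit stops creating by default.
# The variable names below are assumptions; their values are constructed.
- name: Allow SSH to masters from an internal network only
  hosts: localhost
  gather_facts: false
  vars:
    os_cloud: openstack            # clouds.yaml entry (constructed)
    os_sg_master: example-master   # security group name (constructed)
    os_internal_cidr: 10.0.0.0/16  # operator's admin network (constructed)
  tasks:
    # Refuse to proceed if someone re-introduces the wide-open prefix.
    - name: Refuse a world-open SSH CIDR
      ansible.builtin.assert:
        that:
          - os_internal_cidr != '0.0.0.0/0'
          - os_internal_cidr != '::/0'
        fail_msg: "SSH must not be opened to all networks; restrict os_internal_cidr."

    # Same module and fields the UPI playbooks use for SG rules; the only
    # difference from the removed default is remote_ip_prefix, which is
    # now the internal CIDR rather than 0.0.0.0/0.
    - name: Create SSH ingress rule restricted to the internal CIDR
      openstack.cloud.security_group_rule:
        cloud: "{{ os_cloud }}"
        security_group: "{{ os_sg_master }}"
        direction: ingress
        ethertype: IPv4
        protocol: tcp
        port_range_min: 22
        port_range_max: 22
        remote_ip_prefix: "{{ os_internal_cidr }}"
        state: present
```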
This feature allows the customer to select fixed IP addresses
that they can reach the API and apps ingress at in their OpenShift cluster.
Note that the default values have not changed. APIVIP still defaults
to the 5 on the machineNetwork, and IngressVIP still defaults to the 7.

If the external network is not provided, the router will not be created
and external connectivity will be a responsibility of the operator.
Floating IPs will be set if available, on an individual basis. The
external network is a requirement for FIPs; if not provided, the
playbooks will error.

The bootstrap FIP is now required to be created manually like the other
FIPs.

As OpenStack allows resources to have the same name, it's
possible that we end up with multiple security groups with the
same name, and the deletion of those resources for UPI fails
as currently we're relying on sg Name. This commit fixes the
issue by ensuring the resource ID is used instead.
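Deleting security groups by ID so that every duplicate sharing a name is removed, as an added example that is not the installer's own playbook; it assumes openstack.cloud 2.x, where `security_group_info` returns a `security_groups` list and `security_group` accepts an ID in `name`, and the variable names `os_cloud` and `os_sg_names` are assumptions.

```yaml
# Added example (not from the installer repo): look up security groups by
# name, then delete each match by its ID. Deleting by name would be
# ambiguous when several groups share that name; deleting by ID removes
# all of them. Assumes openstack.cloud 2.x return keys; names constructed.
- name: Delete UPI security groups by ID rather than by name
  hosts: localhost
  gather_facts: false
  vars:
    os_cloud: openstack          # clouds.yaml entry (constructed)
    os_sg_names:                 # constructed names, not from the repo
      - example-master
      - example-worker
  tasks:
    - name: Look up security groups by name (may return several per name)
      openstack.cloud.security_group_info:
        cloud: "{{ os_cloud }}"
        name: "{{ item }}"
      loop: "{{ os_sg_names }}"
      register: sg_lookup

    - name: Delete each matched security group by its ID
      openstack.cloud.security_group:
        cloud: "{{ os_cloud }}"
        name: "{{ item.id }}"   # pass the ID, never the shared name
        state: absent
      # Flatten the per-name lookup results into one list of SG dicts.
      loop: "{{ sg_lookup.results | map(attribute='security_groups') | flatten }}"
      loop_control:
        label: "{{ item.name }} ({{ item.id }})"
```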