
OSDOCS-3940 Enabling GCP Shared VPC IPI installation

Open bscott-rh opened this issue 3 years ago • 10 comments

Enabling GCP Shared VPC installation with installer-provisioned infrastructure.

https://issues.redhat.com/browse/CORS-1774

4.12

Installing a cluster on GCP into a shared VPC

bscott-rh avatar Oct 03 '22 20:10 bscott-rh

🤖 Updated build preview is available at: https://51171--docspreview.netlify.app

Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/3420

ocpdocs-previewbot avatar Oct 03 '22 20:10 ocpdocs-previewbot

@jianli-wei Hello Jianli, PTAL at this documentation for GCP IPI installation on shared VPC. Thank you

bscott-rh avatar Oct 05 '22 19:10 bscott-rh

/lgtm

jstuever avatar Oct 05 '22 20:10 jstuever

@bscott-rh "Table 4. Additional GCP parameters" doesn't list the new parameters introduced by this epic, better to add them. Thanks!

jianli-wei avatar Oct 12 '22 11:10 jianli-wei

> @bscott-rh "Table 4. Additional GCP parameters" doesn't list the new parameters introduced by this epic, better to add them. Thanks!

I am intending to create a separate PR to add the new parameters to the installation parameters table alongside https://github.com/openshift/openshift-docs/pull/50178. Could you let me know if the rest of the content in this PR looks good?

bscott-rh avatar Oct 12 '22 20:10 bscott-rh

> Could you let me know if the rest of the content in this PR looks good?

@bscott-rh Please see my 3 comments above, thanks!

jianli-wei avatar Oct 13 '22 01:10 jianli-wei

@bscott-rh @jstuever I tested with the config below (i.e. no platform.gcp.publicDNSZone or platform.gcp.privateDNSZone settings specified), and found out that one more permission, dns.networks.bindPrivateDNSZone, would be necessary in the host project. I suggest stating this in the doc, thanks!

```yaml
gcp:
  projectID: openshift-qe
  region: us-central1
  computeSubnet: installer-shared-vpc-subnet-2
  controlPlaneSubnet: installer-shared-vpc-subnet-1
  createFirewallRules: Enabled
  network: installer-shared-vpc
  networkProjectID: openshift-qe-shared-vpc
```

jianli-wei avatar Oct 13 '22 09:10 jianli-wei

> > Could you let me know if the rest of the content in this PR looks good?
>
> @bscott-rh Please see my 3 comments above, thanks!

Which 3 comments are you referring to? I only see one comment about the config parameters in Table 4, and the updated permissions for private DNS zones. Thank you

bscott-rh avatar Oct 13 '22 17:10 bscott-rh

> Which 3 comments are you referring to?

@bscott-rh I'm very sorry, I thought I'd submitted the comments but they turned out to be Pending. I've just submitted them along with a few new comments, PTAL, thanks!

jianli-wei avatar Oct 14 '22 02:10 jianli-wei

> @bscott-rh @jstuever I tested with the config below (i.e. no platform.gcp.publicDNSZone or platform.gcp.privateDNSZone settings specified), and found out that one more permission, dns.networks.bindPrivateDNSZone, would be necessary in the host project. I suggest stating this in the doc, thanks!
>
> ```yaml
> gcp:
>   projectID: openshift-qe
>   region: us-central1
>   computeSubnet: installer-shared-vpc-subnet-2
>   controlPlaneSubnet: installer-shared-vpc-subnet-1
>   createFirewallRules: Enabled
>   network: installer-shared-vpc
>   networkProjectID: openshift-qe-shared-vpc
> ```

If the dns zone(s) exist in the host project, then the user needs to set the publicDNSZone and/or privateDNSZone accordingly. If these are not set, then the dns zone is expected to exist in the service project, and there should be no need for additional permissions in the host project.

jstuever avatar Oct 19 '22 18:10 jstuever

I removed the privateDNSZone parameters from the sample yaml file, and updated the annotations to describe the requirements a bit better.

bscott-rh avatar Oct 19 '22 19:10 bscott-rh

@jianli-wei hello Jianli, can you let me know if this last round of changes looks good to you? Thank you

bscott-rh avatar Oct 24 '22 17:10 bscott-rh

@bscott-rh @jstuever

  1. When createFirewallRules is "Enabled", and the google cloud credential doesn't have roles/dns.admin in the host project, it should at least have dns.networks.bindPrivateDNSZone permission in the host project.
  2. If credentialsMode can also be "Manual", after creating install-config.yaml and before creating the cluster, additional steps on creating manifests and then the credentials would be needed.
  3. I'm not sure why privateDNSZone parameters were removed from the sample install-config.yaml. According to the two 4.12 epics CORS-1774 and CORS-2211, both privateDNSZone and publicDNSZone would be supported by 4.12, but in the service project only (see CORS-2368).

jianli-wei avatar Oct 26 '22 02:10 jianli-wei
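A preflight check that encodes the points raised in the comments above (the host-project permission found in the test, and the rule that publicDNSZone/privateDNSZone are supported in the service project only), as an added example that is not part of this PR, the openshift-docs repository, or the installer. It assumes that privateDNSZone/publicDNSZone are nested blocks with an optional `project` key, that createFirewallRules counts as Enabled when unset, and a hypothetical `host_project_roles` argument for roles the credential already holds in the host project; the tiny YAML parser only handles the flat `key: value` fragments used here.

```python
"""Preflight check for a GCP shared-VPC IPI install-config.

Reads the platform.gcp block and reports what the host project must grant,
following the two points made in this thread: zones named by
publicDNSZone/privateDNSZone are supported in the service project only, and
with createFirewallRules Enabled the credential needs at least
dns.networks.bindPrivateDNSZone in the host (network) project unless it
already holds roles/dns.admin there.
"""

# Constructed sample: the config jianli-wei tested with, as posted above.
SAMPLE_CONFIG = """\
gcp:
  projectID: openshift-qe
  region: us-central1
  computeSubnet: installer-shared-vpc-subnet-2
  controlPlaneSubnet: installer-shared-vpc-subnet-1
  createFirewallRules: Enabled
  network: installer-shared-vpc
  networkProjectID: openshift-qe-shared-vpc
"""

# Constructed sample with a private zone pointed at the host project, which the
# thread says is unsupported. The nested id/project keys are an assumption
# about the install-config schema, not taken from the page.
SAMPLE_ZONE_IN_HOST = """\
gcp:
  projectID: openshift-qe
  region: us-central1
  computeSubnet: installer-shared-vpc-subnet-2
  controlPlaneSubnet: installer-shared-vpc-subnet-1
  createFirewallRules: Disabled
  network: installer-shared-vpc
  networkProjectID: openshift-qe-shared-vpc
  privateDNSZone:
    id: example-private-zone
    project: openshift-qe-shared-vpc
"""


def parse_simple_yaml(text):
    """Minimal indentation-based parser for nested `key: value` fragments like
    the ones above (no lists, no quoting), so the block runs without PyYAML."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # close mappings deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def check_shared_vpc(config, host_project_roles=()):
    """Return a findings dict for the platform.gcp block.

    host_project_roles (hypothetical input): IAM roles the installer credential
    already holds in the host project, e.g. "roles/dns.admin"; decides whether
    the narrower dns.networks.bindPrivateDNSZone permission still must be granted.
    """
    gcp = config.get("gcp", {})
    findings = {"shared_vpc": False, "host_project": None,
                "host_permissions": [], "errors": [], "notes": []}
    service_project = gcp.get("projectID")
    host_project = gcp.get("networkProjectID")
    if not host_project or host_project == service_project:
        return findings  # not a shared-VPC install; nothing to check here
    findings["shared_vpc"] = True
    findings["host_project"] = host_project

    # In a shared VPC the network and both subnets must already exist in the host project.
    for key in ("network", "controlPlaneSubnet", "computeSubnet"):
        if not gcp.get(key):
            findings["errors"].append(f"{key} must name an existing resource in {host_project}")

    # Per the thread: with createFirewallRules Enabled and no roles/dns.admin in the
    # host project, the credential needs dns.networks.bindPrivateDNSZone there.
    # Treating an unset value as Enabled is an assumption.
    if gcp.get("createFirewallRules", "Enabled") == "Enabled" \
            and "roles/dns.admin" not in host_project_roles:
        findings["host_permissions"].append("dns.networks.bindPrivateDNSZone")

    # Pre-existing DNS zones are supported in the service project only.
    for zone_key in ("privateDNSZone", "publicDNSZone"):
        zone = gcp.get(zone_key)
        if zone is None:
            continue
        zone_project = zone.get("project") if isinstance(zone, dict) else None
        if zone_project and zone_project != service_project:
            findings["errors"].append(
                f"{zone_key} is in {zone_project}; zones must be in the service project {service_project}")
        else:
            findings["notes"].append(
                f"{zone_key} is set; the zone is expected to exist in {service_project}")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("zone-in-host", SAMPLE_ZONE_IN_HOST)):
        print(label, check_shared_vpc(parse_simple_yaml(text)))
```

Running it on the posted config reports that the host project `openshift-qe-shared-vpc` needs `dns.networks.bindPrivateDNSZone`, while passing `host_project_roles=("roles/dns.admin",)` clears that requirement; the second constructed config is flagged because its private zone is not in the service project.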

/cc

barbacbd avatar Oct 26 '22 18:10 barbacbd

@jianli-wei @bscott-rh
> 1. If credentialsMode can also be "Manual", after creating install-config.yaml and before creating the cluster, additional steps on creating manifests and then the credentials would be needed.

This is true, but the configuration is not covered by this enhancement. The manual mode is mentioned in the openshift docs and the setup should follow any steps there.

> 2. I'm not sure why privateDNSZone parameters were removed from the sample install-config.yaml. According to the two 4.12 epics [CORS-1774](https://issues.redhat.com/browse/CORS-1774) and [CORS-2211](https://issues.redhat.com/browse/CORS-2211), both privateDNSZone and publicDNSZone would be supported by 4.12, but in the service project only (see [CORS-2368](https://issues.redhat.com/browse/CORS-2368)).

privateDNSZone is a small percentage case (jeremiah estimated about 5-10% at most). The example does not include this so that the impression is not given that privateDNSZone is required or often used. We could mention that it is available, but this should seldom be utilized.

barbacbd avatar Oct 26 '22 18:10 barbacbd

/label peer-review-needed

bscott-rh avatar Oct 27 '22 19:10 bscott-rh

some questions/comments for your consideration. It looks great.

stevsmit avatar Oct 27 '22 21:10 stevsmit

@bscott-rh this functionality will be tech preview for 4.12. Can we add some sort of messaging to that effect?

patrickdillon avatar Oct 28 '22 18:10 patrickdillon

> @bscott-rh this functionality will be tech preview for 4.12. Can we add some sort of messaging to that effect?

@patrickdillon Thanks for the reminder - I've added our tech preview snippet to the end of the abstract. The preview should be updated in 10 minutes or so.

bscott-rh avatar Oct 28 '22 18:10 bscott-rh

> @jianli-wei @bscott-rh
> > 1. If credentialsMode can also be "Manual", after creating install-config.yaml and before creating the cluster, additional steps on creating manifests and then the credentials would be needed.
>
> This is true, but the configuration is not covered by this enhancement. The manual mode is mentioned in the openshift docs and the setup should follow any steps there.
>
> > 2. I'm not sure why privateDNSZone parameters were removed from the sample install-config.yaml. According to the two 4.12 epics [CORS-1774](https://issues.redhat.com/browse/CORS-1774) and [CORS-2211](https://issues.redhat.com/browse/CORS-2211), both privateDNSZone and publicDNSZone would be supported by 4.12, but in the service project only (see [CORS-2368](https://issues.redhat.com/browse/CORS-2368)).
>
> privateDNSZone is a small percentage case (jeremiah estimated about 5-10% at most). The example does not include this so that the impression is not given that privateDNSZone is required or often used. We could mention that it is available, but this should seldom be utilized.

@jianli-wei are there any other comments that you have on this PR or are we good to move forward? Thank you

bscott-rh avatar Nov 02 '22 17:11 bscott-rh

@jianli-wei I've updated the PR with your suggestions, thanks. PTAL and I will update the credentials mode annotation once I have Patrick's feedback.

bscott-rh avatar Nov 07 '22 18:11 bscott-rh

> @jianli-wei I've updated the PR with your suggestions, thanks. PTAL and I will update the credentials mode annotation once I have Patrick's feedback.

/lgtm

jianli-wei avatar Nov 08 '22 11:11 jianli-wei

New changes are detected. LGTM label has been removed.

openshift-ci[bot] avatar Nov 08 '22 16:11 openshift-ci[bot]

/label peer-review-needed

Dearest reviewers, this PR has already gone through one round of peer review, but I made several changes through QE/SME review. Please take a second look before I request merge review. Table 4 in the installation configuration parameters is extra wide due to some very long parameter names, but there isn't much we can do about that right now. Thank you

bscott-rh avatar Nov 08 '22 16:11 bscott-rh

/label merge-review-needed

bscott-rh avatar Nov 10 '22 19:11 bscott-rh

/cherrypick enterprise-4.12

jeana-redhat avatar Nov 11 '22 13:11 jeana-redhat

@jeana-redhat: new pull request created: #52732

In response to this:

> /cherrypick enterprise-4.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.