I'm looking for the proper way to configure OpenShift HA without a LB. The inventory file says it can be done but nothing I try actually gets the cluster into a state that allows logins or API responses from anything other than the first node in the cluster.
Note: It is prompted by this comment in the sample inventory files from 3.6 through 3.11.

# openshift_master_cluster_hostname must resolve to the load balancer
# or to one or all of the masters defined in the inventory if no load
# balancer is present.
#openshift_master_cluster_hostname=openshift-ansible.test.example.com

Cluster:

oc get nodes
NAME                  STATUS    ROLES                  AGE       VERSION
host-t1.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0
host-t2.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0
host-t3.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0

Details login message:

oc -v=10 login -u system:admin host-t2.example.com:8443
I0502 16:25:42.809795 29979 loader.go:359] Config loaded from file /root/.kube/config
I0502 16:25:42.811040 29979 loader.go:359] Config loaded from file /root/.kube/config
I0502 16:25:42.811446 29979 round_trippers.go:386] curl -k -v -XHEAD 'https://host-t2.example.com:8443/'
I0502 16:25:42.846243 29979 round_trippers.go:405] HEAD https://host-t2.example.com:8443/ in 34 milliseconds
I0502 16:25:42.846297 29979 round_trippers.go:411] Response Headers:
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): yes
I0502 16:25:52.654386 29979 round_trippers.go:386] curl -k -v -XGET -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/.well-known/oauth-authorization-server'
I0502 16:25:52.666730 29979 round_trippers.go:405] GET https://host-t2.example.com:8443/.well-known/oauth-authorization-server 200 OK in 12 milliseconds
I0502 16:25:52.666763 29979 round_trippers.go:411] Response Headers:
I0502 16:25:52.666775 29979 round_trippers.go:414] Date: Thu, 02 May 2019 23:25:52 GMT
I0502 16:25:52.666785 29979 round_trippers.go:414] Cache-Control: no-store
I0502 16:25:52.666811 29979 round_trippers.go:414] Content-Type: application/json
I0502 16:25:52.666821 29979 round_trippers.go:414] Content-Length: 552
I0502 16:25:52.667136 29979 round_trippers.go:386] curl -k -v -XGET -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code'
I0502 16:25:52.670384 29979 round_trippers.go:405] GET https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code 400 Bad Request in 3 milliseconds
I0502 16:25:52.670418 29979 round_trippers.go:411] Response Headers:
I0502 16:25:52.670525 29979 round_trippers.go:414] Content-Length: 196
I0502 16:25:52.670539 29979 round_trippers.go:414] Date: Thu, 02 May 2019 23:25:52 GMT
I0502 16:25:52.670549 29979 round_trippers.go:414] Cache-Control: no-cache, no-store, max-age=0, must-revalidate
I0502 16:25:52.670564 29979 round_trippers.go:414] Content-Type: application/json
I0502 16:25:52.670574 29979 round_trippers.go:414] Expires: Fri, 01 Jan 1990 00:00:00 GMT
I0502 16:25:52.670698 29979 round_trippers.go:414] Pragma: no-cache
I0502 16:25:52.670972 29979 helpers.go:201] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "Internal error occurred: unexpected response: 400",
  "reason": "InternalError",
  "details": {
    "causes": [
      {
        "message": "unexpected response: 400"
      }
    ]
  },
  "code": 500
}]
F0502 16:25:52.671034 29979 helpers.go:119] Error from server (InternalError): Internal error occurred: unexpected response: 400

Providing a Round-Robin DNS address that resolves to all hosts seemed the most likely to work but things still only get routed to the first host. At one point either in 3.7 or 3.9, I tested this and it seemed to work correctly but it has been too long ago to replicate to prove that point.
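
Added example, not part of the original post and not OpenShift code: a small Python parser for the `oc -v=10` round-tripper result lines shown above. It pairs each request with its status and decodes the redirect_uri of any failing /oauth/authorize call, so the host it names can be compared with the one set in openshift_master_cluster_hostname. The sample lines are abridged from the post's log; the function names are illustrative.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Abridged from the post's log (response headers and code_challenge values omitted).
SAMPLE_LOG = """\
I0502 16:25:42.846243 29979 round_trippers.go:405] HEAD https://host-t2.example.com:8443/ in 34 milliseconds
I0502 16:25:52.666730 29979 round_trippers.go:405] GET https://host-t2.example.com:8443/.well-known/oauth-authorization-server 200 OK in 12 milliseconds
I0502 16:25:52.666775 29979 round_trippers.go:414] Date: Thu, 02 May 2019 23:25:52 GMT
I0502 16:25:52.670384 29979 round_trippers.go:405] GET https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code 400 Bad Request in 3 milliseconds
"""

# Result line: METHOD URL [STATUS REASON] in N milliseconds. The status is
# missing on the HEAD line in the post, so it is optional here.
RESULT = re.compile(
    r"round_trippers\.go:\d+\] (?P<method>[A-Z]+) (?P<url>\S+)"
    r"(?: (?P<code>\d{3}) (?P<reason>.+?))? +in \d+ milliseconds"
)

def parse_results(log_text):
    """Return one dict per completed round trip; header and curl lines are skipped."""
    results = []
    for line in log_text.splitlines():
        m = RESULT.search(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        results.append({
            "method": m["method"],
            "host": url.netloc,
            "path": url.path,
            # parse_qs percent-decodes values; keep the first value of each key.
            "query": {k: v[0] for k, v in parse_qs(url.query).items()},
            "status": int(m["code"]) if m["code"] else None,
        })
    return results

def failed_oauth_requests(results):
    """(contacted host, status, host named in redirect_uri) for each 4xx/5xx authorize call."""
    failed = []
    for r in results:
        if r["path"] == "/oauth/authorize" and (r["status"] or 0) >= 400:
            redirect = r["query"].get("redirect_uri", "")
            failed.append((r["host"], r["status"], urlsplit(redirect).netloc))
    return failed

if __name__ == "__main__":
    print(failed_oauth_requests(parse_results(SAMPLE_LOG)))
```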
