I’d be keen to see this described as well. Initially I had a total of 6 nodes in my lab but I’ve grown it a bit since I tried the initial (unsuccessful) deployment. I now have 8 physical hosts, and am nearly ready to try again
The issues I encountered were mostly around internal vs external certs, but having some guidance on what architecture configurations are expected / supposed to work (for some reasonable value of work) would be helpful.

> On May 2, 2019, at 17:50, Brigman, Larry <[email protected]> wrote:
>
> I'm looking for the proper way to configure OpenShift HA without a LB.
> The inventory file says it can be done but nothing I try actually gets
> the cluster into a state that allows logins or API responses from
> anything other than the first node of the cluster.
>
> Note: It is prompted by this comment in the sample inventory files from 3.6
> through 3.11.
> # openshift_master_cluster_hostname must resolve to the load balancer
> # or to one or all of the masters defined in the inventory if no load
> # balancer is present.
> #openshift_master_cluster_hostname=openshift-ansible.test.example.com
>
> Cluster:
> oc get nodes
> NAME                 STATUS  ROLES                 AGE  VERSION
> host-t1.example.com  Ready   compute,infra,master  29m  v1.11.0+d4cacc0
> host-t2.example.com  Ready   compute,infra,master  29m  v1.11.0+d4cacc0
> host-t3.example.com  Ready   compute,infra,master  29m  v1.11.0+d4cacc0
>
> Details login message:
> oc -v=10 login -u system:admin host-t2.example.com:8443
> I0502 16:25:42.809795 29979 loader.go:359] Config loaded from file /root/.kube/config
> I0502 16:25:42.811040 29979 loader.go:359] Config loaded from file /root/.kube/config
> I0502 16:25:42.811446 29979 round_trippers.go:386] curl -k -v -XHEAD 'https://host-t2.example.com:8443/'
> I0502 16:25:42.846243 29979 round_trippers.go:405] HEAD https://host-t2.example.com:8443/ in 34 milliseconds
> I0502 16:25:42.846297 29979 round_trippers.go:411] Response Headers:
> The server uses a certificate signed by an unknown authority.
> You can bypass the certificate check, but any data you send to the server could be intercepted by others.
> Use insecure connections? (y/n): yes
>
> I0502 16:25:52.654386 29979 round_trippers.go:386] curl -k -v -XGET -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/.well-known/oauth-authorization-server'
> I0502 16:25:52.666730 29979 round_trippers.go:405] GET https://host-t2.example.com:8443/.well-known/oauth-authorization-server 200 OK in 12 milliseconds
> I0502 16:25:52.666763 29979 round_trippers.go:411] Response Headers:
> I0502 16:25:52.666775 29979 round_trippers.go:414] Date: Thu, 02 May 2019 23:25:52 GMT
> I0502 16:25:52.666785 29979 round_trippers.go:414] Cache-Control: no-store
> I0502 16:25:52.666811 29979 round_trippers.go:414] Content-Type: application/json
> I0502 16:25:52.666821 29979 round_trippers.go:414] Content-Length: 552
> I0502 16:25:52.667136 29979 round_trippers.go:386] curl -k -v -XGET -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code'
> I0502 16:25:52.670384 29979 round_trippers.go:405] GET https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code 400 Bad Request in 3 milliseconds
> I0502 16:25:52.670418 29979 round_trippers.go:411] Response Headers:
> I0502 16:25:52.670525 29979 round_trippers.go:414] Content-Length: 196
> I0502 16:25:52.670539 29979 round_trippers.go:414] Date: Thu, 02 May 2019 23:25:52 GMT
> I0502 16:25:52.670549 29979 round_trippers.go:414] Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> I0502 16:25:52.670564 29979 round_trippers.go:414] Content-Type: application/json
> I0502 16:25:52.670574 29979 round_trippers.go:414] Expires: Fri, 01 Jan 1990 00:00:00 GMT
> I0502 16:25:52.670698 29979 round_trippers.go:414] Pragma: no-cache
> I0502 16:25:52.670972 29979 helpers.go:201] server response object: [{
>   "metadata": {},
>   "status": "Failure",
>   "message": "Internal error occurred: unexpected response: 400",
>   "reason": "InternalError",
>   "details": {
>     "causes": [
>       {
>         "message": "unexpected response: 400"
>       }
>     ]
>   },
>   "code": 500
> }]
> F0502 16:25:52.671034 29979 helpers.go:119] Error from server (InternalError): Internal error occurred: unexpected response: 400
>
>
> Providing a Round-Robin DNS address that resolves to all hosts seemed the most likely to work
> but things still only get routed to the first host.
>
> At one point either in 3.7 or 3.9, I tested this and it seemed to work correctly but it has been too long
> ago to replicate to prove that point.
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
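One consistency check worth running in the situation above, written here as an added example (not code from the thread or from OpenShift): it compares the issuer and OAuth endpoints each master advertises at /.well-known/oauth-authorization-server with the single hostname clients are expected to log in with, and lists the masters that advertise something else. It does not diagnose the 400 in the log; it only surfaces mismatches. It assumes every master should advertise that one hostname (the cluster hostname or the round-robin name), uses the inventory's placeholder name openshift-ansible.test.example.com in the test, and the sample documents are constructed; fetch_discovery is the live path and needs the cluster CA file.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/oauth-authorization-server"

def fetch_discovery(host, port=8443, cafile=None):
    """Live fetch of one master's discovery document, verifying TLS against the
    cluster CA (cafile) instead of answering 'yes' to insecure connections."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{host}:{port}{DISCOVERY_PATH}"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())

def check_discovery(expected_host, doc):
    """Return mismatches between the hostname clients are expected to log in
    with and the issuer/endpoints this master advertises."""
    findings = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        value = doc.get(key)
        if not value:
            findings.append(f"{key}: missing from discovery document")
            continue
        advertised = urlparse(value).hostname
        if advertised != expected_host:
            findings.append(f"{key}: advertises {advertised}, expected {expected_host}")
    return findings

def check_masters(expected_host, docs):
    """docs maps master hostname -> discovery document; returns only the
    masters whose advertised endpoints do not use expected_host."""
    result = {}
    for master, doc in docs.items():
        findings = check_discovery(expected_host, doc)
        if findings:
            result[master] = findings
    return result

def sample_doc(host):
    """Constructed discovery document for a master that advertises `host`."""
    base = f"https://{host}:8443"
    return {"issuer": base, "authorization_endpoint": base + "/oauth/authorize",
            "token_endpoint": base + "/oauth/token"}

# Constructed sample, not captured from the thread's cluster: both masters
# advertise host-t1 even though clients were given the round-robin name.
SAMPLE_DOCS = {"host-t1.example.com": sample_doc("host-t1.example.com"),
               "host-t2.example.com": sample_doc("host-t1.example.com")}
```

For a live cluster, replace SAMPLE_DOCS with `{m: fetch_discovery(m, cafile="/path/to/ca.crt") for m in masters}` and pass the name from openshift_master_cluster_hostname as expected_host.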
