Hi
I configured IP failover using infra nodes:
https://docs.openshift.com/container-platform/3.11/admin_guide/high_availability.html#configuring-ip-failover
Then, you can choose a floating IP in your DNS server for your
*.apps.example.com.
The same approach cannot be used for master nodes because IP failover is
configured by a running OpenShift cluster, and the masters are not running
yet after a full cluster reboot.
Maybe you can manually configure IP failover using keepalived on the
masters.
On 2019-05-03 02:16, Wolf Noble wrote:
> I'd be keen to see this described as well.
> Initially I had a total of 6 nodes in my lab but I've grown it a bit since I
> tried the initial (unsuccessful) deployment. I now have 8 physical hosts, and
> am nearly ready to try again
>
> The issues I encountered were mostly around internal vs external certs, but
> having some guidance on what architecture configurations are expected /
> supposed to work (for some reasonable value of work) would be helpful.
>
>> On May 2, 2019, at 17:50, Brigman, Larry <[email protected]> wrote:
>>
>> I'm looking for the proper way to configure OpenShift HA without a LB.
>> The inventory file says it can be done but nothing I try actually gets
>> the cluster into a state that allows logins or API responses from
>> anything other than the first node in the cluster.
>>
>> Note: It is prompted by this comment in the sample inventory files from 3.6
>> through 3.11.
>> # openshift_master_cluster_hostname must resolve to the load balancer
>> # or to one or all of the masters defined in the inventory if no load
>> # balancer is present.
>> #openshift_master_cluster_hostname=openshift-ansible.test.example.com
>>
>> Cluster:
>> oc get nodes
>> NAME                  STATUS   ROLES                  AGE   VERSION
>> host-t1.example.com   Ready    compute,infra,master   29m   v1.11.0+d4cacc0
>> host-t2.example.com   Ready    compute,infra,master   29m   v1.11.0+d4cacc0
>> host-t3.example.com   Ready    compute,infra,master   29m   v1.11.0+d4cacc0
>>
>> Details login message:
>> oc -v=10 login -u system:admin host-t2.example.com:8443
>> I0502 16:25:42.809795 29979 loader.go:359] Config loaded from file /root/.kube/config
>> I0502 16:25:42.811040 29979 loader.go:359] Config loaded from file /root/.kube/config
>> I0502 16:25:42.811446 29979 round_trippers.go:386] curl -k -v -XHEAD 'https://host-t2.example.com:8443/'
>> I0502 16:25:42.846243 29979 round_trippers.go:405] HEAD https://host-t2.example.com:8443/ in 34 milliseconds
>> I0502 16:25:42.846297 29979 round_trippers.go:411] Response Headers:
>> The server uses a certificate signed by an unknown authority.
>> You can bypass the certificate check, but any data you send to the server
>> could be intercepted by others.
>> Use insecure connections? (y/n): yes
>>
>> I0502 16:25:52.654386 29979 round_trippers.go:386] curl -k -v -XGET -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/.well-known/oauth-authorization-server'
>> I0502 16:25:52.666730 29979 round_trippers.go:405] GET https://host-t2.example.com:8443/.well-known/oauth-authorization-server 200 OK in 12 milliseconds
>> I0502 16:25:52.666763 29979 round_trippers.go:411] Response Headers:
>> I0502 16:25:52.666775 29979 round_trippers.go:414] Date: Thu, 02 May 2019 23:25:52 GMT
>> I0502 16:25:52.666785 29979 round_trippers.go:414] Cache-Control: no-store
>> I0502 16:25:52.666811 29979 round_trippers.go:414] Content-Type: application/json
>> I0502 16:25:52.666821 29979 round_trippers.go:414] Content-Length: 552
>> I0502 16:25:52.667136 29979 round_trippers.go:386] curl -k -v -XGET -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code'
>> I0502 16:25:52.670384 29979 round_trippers.go:405] GET https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code 400 Bad Request in 3 milliseconds
>> I0502 16:25:52.670418 29979 round_trippers.go:411] Response Headers:
>> I0502 16:25:52.670525 29979 round_trippers.go:414] Content-Length: 196
>> I0502 16:25:52.670539 29979 round_trippers.go:414] Date: Thu, 02 May 2019 23:25:52 GMT
>> I0502 16:25:52.670549 29979 round_trippers.go:414] Cache-Control: no-cache, no-store, max-age=0, must-revalidate
>> I0502 16:25:52.670564 29979 round_trippers.go:414] Content-Type: application/json
>> I0502 16:25:52.670574 29979 round_trippers.go:414] Expires: Fri, 01 Jan 1990 00:00:00 GMT
>> I0502 16:25:52.670698 29979 round_trippers.go:414] Pragma: no-cache
>> I0502 16:25:52.670972 29979 helpers.go:201] server response object: [{
>>   "metadata": {},
>>   "status": "Failure",
>>   "message": "Internal error occurred: unexpected response: 400",
>>   "reason": "InternalError",
>>   "details": {
>>     "causes": [
>>       {
>>         "message": "unexpected response: 400"
>>       }
>>     ]
>>   },
>>   "code": 500
>> }]
>> F0502 16:25:52.671034 29979 helpers.go:119] Error from server (InternalError): Internal error occurred: unexpected response: 400
>>
>> Providing a Round-Robin DNS address that resolves to all hosts seemed the
>> most likely to work
>> but things still only get routed to the first host.
>>
>> At one point either in 3.7 or 3.9, I tested this and it seemed to work
>> correctly but it has been too long
>> ago to replicate to prove that point.
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
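
One way the manual keepalived setup suggested in the top reply could look on the first master, as an added example that is not part of the original thread. The interface name, virtual IP, router ID, password, script user and CA path are assumptions or placeholders to adapt.

```conf
# /etc/keepalived/keepalived.conf on host-t1 (added example; values are placeholders)
global_defs {
    enable_script_security          # do not run root scripts whose path is writable by non-root users
    script_user keepalived_script   # assumed unprivileged account that runs the health check
}

# Mark this master unhealthy when its own API endpoint stops answering.
vrrp_script chk_master_api {
    # Verifies TLS against the cluster CA (assumed path) instead of using curl -k.
    script "/usr/bin/curl --silent --fail --max-time 2 --cacert /etc/origin/master/ca.crt --output /dev/null https://host-t1.example.com:8443/healthz"
    interval 2      # seconds between checks
    fall 3          # consecutive failures before the VIP is released
    rise 2          # consecutive successes before this node is eligible again
}

vrrp_instance OCP_MASTERS {
    state BACKUP                # every master starts as BACKUP; priority elects the VIP holder
    interface eth0              # assumed NIC name
    virtual_router_id 51        # assumed; unique on the L2 segment, identical on all masters
    priority 150                # for example 150 / 100 / 50 on host-t1 / host-t2 / host-t3
    advert_int 1
    authentication {
        auth_type PASS          # sent in clear text in VRRP adverts; guards against config mistakes only
        auth_pass CHANGEME      # placeholder, at most 8 characters
    }
    virtual_ipaddress {
        192.0.2.10/24           # placeholder VIP; openshift_master_cluster_hostname should resolve to it
    }
    track_script {
        chk_master_api
    }
}
```

The same file goes on host-t2 and host-t3 with a lower priority and that host's own name in the check URL. Because keepalived runs as a host service here, the VIP is available before the cluster itself is up after a full reboot.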