add extra VIPs support for dualstack on OCP >= 4.12

This change allows to pass extra VIPS for dualstack deployments using extra_api_vip and extra_ingress_vip variables. Fixes: #261
redhat-partner-solutions · Aug 14, 2023 · e46925f · e46925f
1 parent 7411b3a
commit e46925f
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 4 deletions.
diff --git a/docs/inventory.md b/docs/inventory.md
@@ -271,7 +271,10 @@ To enable assisted installer to communicate via IPv6 you must first have the hos
 
 #### Dual Stack
 
-Openshift currently only allows the ingress and API VIPs to be single stack so you must choose IPv4 or IPv6. Then crucible offers 3 variables for the extra network configuration (`extra_machine_networks`, `extra_service_networks` and `extra_cluster_networks`):
+Crucible offers 3 variables for the extra network configuration (`extra_machine_networks`, `extra_service_networks` and `extra_cluster_networks`), and for the VIPs there are two main configurations:
+
+- Openshift 4.11 and below only allow the ingress and API VIPs to be single stack so you must choose IPv4 or IPv6.
+- Openshift 4.12 and above allow an IPv4 and IPv6 address, hence you can use 2 extra variables to define them: `extra_api_vip` and `extra_ingress_vip`.
 
 ```yaml
 all:
@@ -292,6 +295,11 @@ all:
     extra_cluster_networks:
       - cidr: fd01::/48
         host_prefix: 64
+
+    # Next two variables only supported on OCP >= 4.12
+    extra_api_vip: fd00:6:6:2051::96
+    extra_ingress_vip: fd00:6:6:2051::97
+
 ...
       children:
         masters:

diff --git a/roles/generate_manifests/defaults/main.yml b/roles/generate_manifests/defaults/main.yml
@@ -18,3 +18,6 @@ extra_manifests: []
 manifest_templates: "{{ extra_manifests }}"
 
 fetched_dest: "{{ repo_root_path }}/fetched"
+
+api_vips: ['{{ api_vip }}']
+ingress_vips: ['{{ ingress_vip }}']
diff --git a/roles/generate_manifests/tasks/main.yml b/roles/generate_manifests/tasks/main.yml
@@ -27,6 +27,20 @@
       }}"
   when: use_local_mirror_registry  | bool
 
+- name: Update api_vips variable when extra_api_vip is defined
+  ansible.builtin.set_fact:
+    api_vips: "{{ api_vips + [extra_api_vip] }}"
+  when:
+    - extra_api_vip is defined
+    - extra_api_vip | length > 0
+
+- name: Update ingress_vips variable when extra_ingress_vip is defined
+  ansible.builtin.set_fact:
+    ingress_vips: "{{ ingress_vips + [extra_ingress_vip] }}"
+  when:
+    - extra_ingress_vip is defined
+    - extra_ingress_vip | length > 0
+
 - name: Render agent-config templates
   ansible.builtin.template:
     src: "{{ item }}"

diff --git a/roles/generate_manifests/templates/install-config.yaml.j2 b/roles/generate_manifests/templates/install-config.yaml.j2
@@ -37,9 +37,13 @@ platform:
   {% else %}
   baremetal:
     apiVips:
-      - {{ api_vip }}
+      {% for vip in api_vips %}
+      - {{ vip }}
+      {% endfor %}
     ingressVips:
-      - {{ ingress_vip }}
+      {% for vip in ingress_vips %}
+      - {{ vip }}
+      {% endfor %}
   {% endif %}
 sshKey: {{ ssh_public_key }}
 pullSecret: '{{ pull_secret | to_json }}'

diff --git a/roles/validate_dns_records/defaults/main.yml b/roles/validate_dns_records/defaults/main.yml
@@ -3,10 +3,17 @@ required_domains:
   "api-int": "api-int.{{ domain }}"
   "apps": "*.apps.{{ domain }}"
 
-expected_answers:
+expected_answers: |-
   "api": "{{ api_vip }}"
   "api-int": "{{ api_vip }}"
   "apps": "{{ ingress_vip }}"
+  {% if extra_api_vip is defined %}
+  "api": "{{ extra_api_vip }}"
+  "api-int": "{{ extra_api_vip }}"
+  {% endif %}
+  {% if extra_ingress_vip is defined %}
+  "apps": "{{ extra_ingress_vip }}"
+  {% endif %}
 
 required_binary: dig
 required_binary_provided_in_package: bind-utils

diff --git a/roles/validate_inventory/tasks/ai.yml b/roles/validate_inventory/tasks/ai.yml
@@ -28,3 +28,30 @@
     fail_msg: "{{ item }} is not within the machine network!"
   when: vip_dhcp_allocation == false
   loop: "{{ groups['masters'] + (groups['workers'] | default([])) }}"  # This should not include day2_workers as they can be RWNs
+
+- name: Validate extra VIPs for dualstack
+  block:
+    - name: Assert that Openshift version is supported for dualstack VIPs
+      assert:
+        that:
+          - openshift_full_version is version('4.12', '>=')
+        fail_msg: "openshift_full_version  must be >= 4.12. to support dualstack VIPs"
+
+    - name: Assert extra api VIP is within the extra machine networks
+      assert:
+        that:
+          - hostvars['assisted_installer']['extra_api_vip'] | ansible.utils.ipaddr(item.cidr) | ansible.utils.ipaddr('bool')
+        fail_msg: "{{ extra_api_vip }} is not within the extra machine networks!"
+      when: vip_dhcp_allocation == false
+      loop: hostvars['assisted_installer']['extra_machine_networks']
+
+    - name: Assert extra ingress VIP is within the extra machine networks
+      assert:
+        that:
+          - hostvars['assisted_installer']['extra_ingress_vip'] | ansible.utils.ipaddr(item.cidr) | ansible.utils.ipaddr('bool')
+        fail_msg: "{{ extra_ingress_vip }} is not within the extra machine networks!"
+      when: vip_dhcp_allocation == false
+      loop: hostvars['assisted_installer']['extra_machine_networks']
+  when:
+    - extra_api_vip is defined
+    - extra_ingress_vip is defined