From e46925fb24a1a395a4acef825c08b4d7f731fc87 Mon Sep 17 00:00:00 2001 From: Manuel Rodriguez Date: Mon, 14 Aug 2023 13:51:16 -0400 Subject: [PATCH] add extra VIPs support for dualstack on OCP >= 4.12 This change allows to pass extra VIPS for dualstack deployments using extra_api_vip and extra_ingress_vip variables. Fixes: #261 --- docs/inventory.md | 10 ++++++- roles/generate_manifests/defaults/main.yml | 3 +++ roles/generate_manifests/tasks/main.yml | 14 ++++++++++ .../templates/install-config.yaml.j2 | 8 ++++-- roles/validate_dns_records/defaults/main.yml | 9 ++++++- roles/validate_inventory/tasks/ai.yml | 27 +++++++++++++++++++ 6 files changed, 67 insertions(+), 4 deletions(-) diff --git a/docs/inventory.md b/docs/inventory.md index 4bb730a1..c9f68967 100644 --- a/docs/inventory.md +++ b/docs/inventory.md @@ -271,7 +271,10 @@ To enable assisted installer to communicate via IPv6 you must first have the hos #### Dual Stack -Openshift currently only allows the ingress and API VIPs to be single stack so you must choose IPv4 or IPv6. Then crucible offers 3 variables for the extra network configuration (`extra_machine_networks`, `extra_service_networks` and `extra_cluster_networks`): +Crucible offers 3 variables for the extra network configuration (`extra_machine_networks`, `extra_service_networks` and `extra_cluster_networks`), and for the VIPs there are two main configurations: + +- Openshift 4.11 and below only allow the ingress and API VIPs to be single stack so you must choose IPv4 or IPv6. +- Openshift 4.12 and above allow an IPv4 and IPv6 address, hence you can use 2 extra variables to define them: `extra_api_vip` and `extra_ingress_vip`. ```yaml all: @@ -292,6 +295,11 @@ all: extra_cluster_networks: - cidr: fd01::/48 host_prefix: 64 + + # Next two variables only supported on OCP >= 4.12 + extra_api_vip: fd00:6:6:2051::96 + extra_ingress_vip: fd00:6:6:2051::97 + ... children: masters: 
diff --git a/roles/generate_manifests/defaults/main.yml b/roles/generate_manifests/defaults/main.yml index 2e09e7b3..c41c7b66 100644 --- a/roles/generate_manifests/defaults/main.yml +++ b/roles/generate_manifests/defaults/main.yml @@ -18,3 +18,6 @@ extra_manifests: [] manifest_templates: "{{ extra_manifests }}" fetched_dest: "{{ repo_root_path }}/fetched" + +api_vips: ['{{ api_vip }}'] +ingress_vips: ['{{ ingress_vip }}'] diff --git a/roles/generate_manifests/tasks/main.yml b/roles/generate_manifests/tasks/main.yml index 56389529..40bb182c 100644 --- a/roles/generate_manifests/tasks/main.yml +++ b/roles/generate_manifests/tasks/main.yml @@ -27,6 +27,20 @@ }}" when: use_local_mirror_registry | bool +- name: Update api_vips variable when extra_api_vip is defined + ansible.builtin.set_fact: + api_vips: "{{ api_vips + [extra_api_vip] }}" + when: + - extra_api_vip is defined + - extra_api_vip | length > 0 + +- name: Update ingress_vips variable when extra_ingress_vip is defined + ansible.builtin.set_fact: + ingress_vips: "{{ ingress_vips + [extra_ingress_vip] }}" + when: + - extra_ingress_vip is defined + - extra_ingress_vip | length > 0 + - name: Render agent-config templates ansible.builtin.template: src: "{{ item }}" diff --git a/roles/generate_manifests/templates/install-config.yaml.j2 b/roles/generate_manifests/templates/install-config.yaml.j2 index cb47a3c9..6309b537 100644 --- a/roles/generate_manifests/templates/install-config.yaml.j2 +++ b/roles/generate_manifests/templates/install-config.yaml.j2 @@ -37,9 +37,13 @@ platform: {% else %} baremetal: apiVips: - - {{ api_vip }} + {% for vip in api_vips %} + - {{ vip }} + {% endfor %} ingressVips: - - {{ ingress_vip }} + {% for vip in ingress_vips %} + - {{ vip }} + {% endfor %} {% endif %} sshKey: {{ ssh_public_key }} pullSecret: '{{ pull_secret | to_json }}' diff --git a/roles/validate_dns_records/defaults/main.yml b/roles/validate_dns_records/defaults/main.yml index 2073c06f..65846189 100644 
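Review bot: The two `set_fact` tasks added to roles/generate_manifests/tasks/main.yml append to `api_vips` and `ingress_vips` with no guard against a repeat run. If the role executes twice for the same host, the fact from the first pass already holds the extra VIP and it is appended again, which would put a duplicate entry into the rendered install-config. `api_vips: "{{ (api_vips + [extra_api_vip]) | unique }}"`, and the same for `ingress_vips`, keeps the list stable. These tasks also act when only one of the two variables is set, whereas the validation block added in roles/validate_inventory/tasks/ai.yml runs only when both are defined, so a lone extra VIP reaches the template without the version or network check.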
--- a/roles/validate_dns_records/defaults/main.yml +++ b/roles/validate_dns_records/defaults/main.yml @@ -3,10 +3,17 @@ required_domains: "api-int": "api-int.{{ domain }}" "apps": "*.apps.{{ domain }}" -expected_answers: +expected_answers: |- "api": "{{ api_vip }}" "api-int": "{{ api_vip }}" "apps": "{{ ingress_vip }}" + {% if extra_api_vip is defined %} + "api": "{{ extra_api_vip }}" + "api-int": "{{ extra_api_vip }}" + {% endif %} + {% if extra_ingress_vip is defined %} + "apps": "{{ extra_ingress_vip }}" + {% endif %} required_binary: dig required_binary_provided_in_package: bind-utils diff --git a/roles/validate_inventory/tasks/ai.yml b/roles/validate_inventory/tasks/ai.yml index 509a1986..ef1b93e3 100644 --- a/roles/validate_inventory/tasks/ai.yml +++ b/roles/validate_inventory/tasks/ai.yml 
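Review bot: Changing `expected_answers` from a mapping to a `|-` block scalar makes the default a templated string, and once `extra_api_vip` is defined that string repeats the keys `"api"`, `"api-int"` and `"apps"`. The task that reads `expected_answers` is not part of this patch. If it parses the text as YAML, most loaders keep only the last duplicate, so the IPv4 answers would silently drop out of the DNS check; if it still indexes a dict, it would fail on a string. Keeping a mapping with a list of accepted answers per name avoids both, e.g. `"api": "{{ [api_vip] + ([extra_api_vip] if extra_api_vip | default('') | length > 0 else []) }}"`, with the consuming task comparing against each entry. The `is defined` tests here also admit an empty string, unlike the `length > 0` guard used in generate_manifests.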
@@ -28,3 +28,30 @@
 fail_msg: "{{ item }} is not within the machine network!"
 when: vip_dhcp_allocation == false
 loop: "{{ groups['masters'] + (groups['workers'] | default([])) }}" # This should not include day2_workers as they can be RWNs
+
+- name: Validate extra VIPs for dualstack
+ block:
+ - name: Assert that Openshift version is supported for dualstack VIPs
+ assert:
+ that:
+ - openshift_full_version is version('4.12', '>=')
+ fail_msg: "openshift_full_version must be >= 4.12. to support dualstack VIPs"
+
+ - name: Assert extra api VIP is within the extra machine networks
+ assert:
+ that:
+ - hostvars['assisted_installer']['extra_api_vip'] | ansible.utils.ipaddr(item.cidr) | ansible.utils.ipaddr('bool')
+ fail_msg: "{{ extra_api_vip }} is not within the extra machine networks!"
+ when: vip_dhcp_allocation == false
+ loop: hostvars['assisted_installer']['extra_machine_networks']
+
+ - name: Assert extra ingress VIP is within the extra machine networks
+ assert:
+ that:
+ - hostvars['assisted_installer']['extra_ingress_vip'] | ansible.utils.ipaddr(item.cidr) | ansible.utils.ipaddr('bool')
+ fail_msg: "{{ extra_ingress_vip }} is not within the extra machine networks!"
+ when: vip_dhcp_allocation == false
+ loop: hostvars['assisted_installer']['extra_machine_networks']
+ when:
+ - extra_api_vip is defined
+ - extra_ingress_vip is defined
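Review bot: Both extra-VIP assertions pass `loop: hostvars['assisted_installer']['extra_machine_networks']` as a bare string, which Ansible does not template. `loop` needs a list, so this should read `loop: "{{ hostvars['assisted_installer']['extra_machine_networks'] }}"`. With more than one extra machine network, the per-item assert also requires the VIP to sit inside every network rather than any one of them. The block-level `when` requires both `extra_api_vip` and `extra_ingress_vip`, so defining only one skips the version and network checks entirely while generate_manifests still renders it. A condition such as `when: extra_api_vip is defined or extra_ingress_vip is defined`, with each VIP assert guarded on its own variable, would close that gap. The version `fail_msg` also has a stray period after `4.12`.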