diff --git a/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc b/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc
index 52d491c9..7666d445 100644
--- a/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc
+++ b/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc
@@ -38,6 +38,46 @@ while ! curl --connect-timeout 1 "${API_URL}/healthz" -k &>/dev/null; do
 done && echo -e "\nAPI is up"
 ----
 
+. Patch Cilium config to allow control plane bootstrap to succeed
++
+[NOTE]
+====
+We need to temporarily adjust the Cilium config to not use full kube-proxy replacement, since we currently don't have a way to disable the initial OpenShift-managed kube-proxy deployment.
+Additionally, Because the cloudscale Cloud Controller Manager accesses the K8s API via service IP, we need to configure Cilium to provide partial kube-proxy replacement so that the CCM can start and untaint the control plane nodes so that other pods can be scheduled.
+====
++
+[source,bash]
+----
+export KUBECONFIG="${INSTALLER_DIR}/auth/kubeconfig"
+
+while ! kubectl get ciliumconfig -A &>/dev/null; do
+ echo -n "."
+ sleep 2
+done && echo -e "\nCiliumConfig CR is present"
+
+kubectl patch -n cilium ciliumconfig cilium-enterprise --type=merge \
+ -p '{
+ "spec": {
+ "cilium": {
+ "kubeProxyReplacement": "false",
+ "nodePort": {
+ "enabled": true
+ },
+ "socketLB": {
+ "enabled": true
+ },
+ "sessionAffinity": true,
+ "externalIPs": {
+ "enabled": true
+ },
+ "hostPort": {
+ "enabled": true
+ }
+ }
+ }
+ }'
+----
+
 . Deploy control plane nodes
 +
 [source,bash,subs="attributes+"]
@@ -92,6 +132,20 @@ terraform apply
 popd
 ----
 
+. Disable OpenShift kube-proxy deployment and revert Cilium patch
++
+[source,bash]
+----
+kubectl patch network.operator cluster --type=merge \
+ -p '{"spec":{"deployKubeProxy":false}}'
+kubectl -n cilium replace -f catalog/manifests/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml
+while ! kubectl -n cilium get cm cilium-config -oyaml | grep 'kube-proxy-replacement: "true"' &>/dev/null; do
+ echo -n "."
+ sleep 2
+done && echo -e "\nCilium config updated"
+kubectl -n cilium rollout restart ds/cilium
+----
+
 . Review and merge the LB hieradata MR (listed in Terraform output `hieradata_mr`) and run Puppet on the LBs after the deploy job has completed
 +
 [source,bash]
@@ -103,11 +157,6 @@ done
 
 . Approve node certs
 +
-[source,bash]
-----
-export KUBECONFIG="${INSTALLER_DIR}/auth/kubeconfig"
-----
-+
 include::partial$install/approve-node-csrs.adoc[]
 
 . Label infra nodes