|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// *networking/allocating-load-balancers.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="nw-allocating-load-balancers-to-subnets-procedure_{context}"] |
| 7 | += Specifying AWS subnets for OpenShift API and ingress load balancers at installation |
| 8 | + |
| 9 | +Perform the following steps to allocate API and ingress load balancers to specific subnets. |
| 10 | + |
| 11 | +.Prerequisites |
| 12 | + |
| 13 | +Before you begin, ensure you have: |
| 14 | + |
| 15 | +* An existing AWS virtual private cloud (VPC). |
| 16 | +
|
| 17 | +* Pre-configured AWS subnets intended for use by the OpenShift cluster, with the following considerations: |
| 18 | +
|
| 19 | +** You have a list of their subnet IDs (for example, `subnet-0123456789abcdef0`). These IDs will be used in the `install-config.yaml` file. |
| 20 | + |
| 21 | +** Use subnets spanning at least two availability zones (AZs) for high availability of load balancers and other critical components, like control planes. |
| 22 | + |
| 23 | +** You have sufficient available IP addresses within these subnets for all assigned roles. |
| 24 | + |
| 25 | +** The AWS configuration for these subnets, including network ACLs and security groups, must permit necessary traffic for all roles assigned to them. For subnets hosting an ingress controller, this typically includes TCP ports 80 and 443 from required sources. |
| 26 | + |
| 27 | +* You have the OpenShift installer binary for your target OpenShift version. |
| 28 | +
|
| 29 | +* You have an `install-config.yaml` file. |
| 30 | +
|
| 31 | +.Procedure |
| 32 | + |
| 33 | +. Prepare the `install-config.yaml` file: |
| 34 | ++ |
| 35 | +If you haven't already, generate the installation configuration file using the OpenShift installer: |
| 36 | ++ |
| 37 | +[source,terminal] |
| 38 | +---- |
| 39 | +$ openshift-install create install-config --dir=<your_installation_directory> |
| 40 | +---- |
| 41 | ++ |
| 42 | +This command creates the `install-config.yaml` file in the specified directory. |
| 43 | + |
| 44 | +. Define subnets and assign roles: |
| 45 | ++ |
| 46 | +Open the `install-config.yaml` file located in `<your_installation_directory>` using a text editor. You will define your VPC subnets and their designated roles under the `platform.aws.vpc.subnets` field. |
| 47 | ++ |
| 48 | +For each AWS subnet you intend the cluster to use, you will create an entry specifying its `id` and a list of `roles`. Each role is an object with a `type` key. To designate a subnet for the default Ingress Controller, assign it a role with `type: IngressControllerLB`. |
| 49 | ++ |
| 50 | +[source,yaml] |
| 51 | +---- |
| 52 | +apiVersion: v1 |
| 53 | +baseDomain: example.com <1> |
| 54 | +metadata: |
| 55 | + name: my-cluster # Example cluster name |
| 56 | +platform: |
| 57 | + aws: |
| 58 | + region: us-east-1 <2> |
| 59 | + vpc: <3> |
| 60 | + subnets: <4> |
| 61 | + - id: subnet-0fcf8e0392f0910d5 # Public Subnet in AZ us-east-1a <5> |
| 62 | + roles: |
| 63 | + - type: IngressControllerLB <6> |
| 64 | + - type: BootstrapNode |
| 65 | + - id: subnet-0xxxxxxxxxxxxxxza # Public Subnet in another AZ for HA |
| 66 | + roles: |
| 67 | + - type: IngressControllerLB |
| 68 | + - id: subnet-0fcf8e0392f0910d4 # Private Subnet in AZ us-east-1a |
| 69 | + roles: |
| 70 | + - type: ClusterNode <7> |
| 71 | + - id: subnet-0yyyyyyyyyyyyyyzb # Private Subnet in another AZ for HA |
| 72 | + roles: |
| 73 | + - type: ClusterNode |
| 74 | + # Add other subnet IDs and their roles as needed for your cluster architecture |
| 75 | +pullSecret: '...' <8> |
| 76 | +sshKey: '...' <9> |
| 77 | +---- |
| 78 | +<1> Your base domain. |
| 79 | +<2> Your AWS region. |
| 80 | +<3> The vpc object under `platform.aws` contains the subnets list. |
| 81 | +<4> List of all subnet objects that OpenShift will use. Each object defines a subnet id and its roles. |
| 82 | +<5> Replace with your AWS Subnet ID. |
| 83 | +<6> The `type: IngressControllerLB` role specifically designates this subnet for the default Ingress Controller's LoadBalancer. In private/internal cluster, the subnet with `IngressControllerLB` role must be private. |
| 84 | +<7> The `type: ClusterNode` role designates this subnet for control plane and compute nodes. These are typically private subnets. |
| 85 | +<8> Your pull secret. |
| 86 | +<9> Your SSH key. |
| 87 | ++ |
| 88 | +Entries for control plane load balancers in the `subnets` list would follow a similar pattern: |
| 89 | ++ |
| 90 | +[source,yaml] |
| 91 | +---- |
| 92 | +# ... (within platform.aws.vpc.subnets list) |
| 93 | + - id: subnet-0fcf8e0392f0910d6 # Public Subnet for External API LB |
| 94 | + roles: |
| 95 | + - type: ControlPlaneExternalLB |
| 96 | + - id: subnet-0fcf8e0392f0910d7 # Private Subnet for Internal API LB |
| 97 | + roles: |
| 98 | + - type: ControlPlaneInternalLB |
| 99 | +# ... |
| 100 | +---- |
| 101 | ++ |
| 102 | +For the default public Ingress Controller, any subnet assigned the `IngressControllerLB` role in your `install-config.yaml` file must be a public subnet. For example, it must have a route table entry in AWS that directs outbound traffic to an internet gateway (IGW). |
| 103 | ++ |
| 104 | +Ensure you list all necessary subnets, public and private across the AZs, and assign them appropriate roles according to your cluster architecture. |
| 105 | ++ |
| 106 | +Subnet IDs define the subnets in an existing VPC and can optionally specify their intended roles. If no roles are specified on any subnet, the subnet roles are decided automatically. In this case, the VPC must not contain any other non-cluster subnets without the `kubernetes.io/cluster/<cluster-id>` tag. |
| 107 | ++ |
| 108 | +If roles are specified for subnets, each subnet must have at least one assigned role, and the `ClusterNode`, `BootstrapNode`, `IngressControllerLB`, `ControlPlaneExternalLB`, and `ControlPlaneInternalLB` roles must be assigned to at least one subnet. However, if the cluster scope is internal, `ControlPlaneExternalLB` is not required. |
| 109 | + |
| 110 | +. Proceed with the cluster Installation: |
| 111 | ++ |
| 112 | +After saving your changes to the `install-config.yaml` file, create the cluster: |
| 113 | ++ |
| 114 | +[source,terminal] |
| 115 | +---- |
| 116 | +$ openshift-install create cluster --dir=<your_installation_directory> |
| 117 | +---- |
| 118 | ++ |
| 119 | +The installation program will now use the subnet definitions and explicit role assignments from the `platform.aws.vpc.subnets` section of your `install-config.yaml` file to provision cluster resources, including placing the Ingress Controller's LoadBalancer in the subnets you designated with the `IngressControllerLB` role. |
| 120 | + |
| 121 | +[NOTE] |
| 122 | +==== |
| 123 | +The role assignment mechanism within `platform.aws.vpc.subnets`, such as specifying types like `IngressControllerLB`, `ClusterNode`, `ControlPlaneExternalLB`, `ControlPlaneInternalLB`, `BootstrapNode` is the comprehensive way the OpenShift installer identifies suitable subnets for various cluster services and components. |
| 124 | +==== |
0 commit comments