From 4693148de5a4302233c03e42a8d1d6ee71453d3e Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Thu, 4 Sep 2025 14:11:16 +0200 Subject: [PATCH 1/4] Deploy cert-manager immediately after provisioning master nodes --- .../partials/install/bootstrap-nodes.adoc | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc b/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc index 0e4c70c5..3c0fd86b 100644 --- a/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc +++ b/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc @@ -150,7 +150,38 @@ terraform apply ifeval::["{provider}" == "cloudscale"] . Add the DNS records for etcd shown in output variable `dns_entries` from the previous step to the cluster's parent zone +endif::[] + +. Wait for master nodes to become ready ++ +TIP: This is optional, but will make the subsequent steps less likely to run into weird timeouts. ++ +[source,bash] +---- +kubectl wait --for condition=ready node -l node-role.kubernetes.io/master +---- + +. Deploy cert-manager ++ +[NOTE] +==== +We need to deploy cert-manager early so we can use the cert-manager integration in the Cilium Helm chart. +ifeval::["{provider}" == "cloudscale"] + +On cloudscale, we additionally need cert-manager in order to deploy the cloudscale-loadbalancer-controller. +endif::[] +==== ++ +[source,bash] +---- +kubectl apply -f ../cert-manager/00_namespace.yaml +kubectl apply -Rf ../cert-manager/10_cert_manager +kubectl -n syn-cert-manager patch --type=merge \ + $(kubectl -n syn-cert-manager get deploy -oname) \ + -p '{"spec":{"template":{"spec":{"tolerations":[{"operator":"Exists"}]}}}}' +---- +ifeval::["{provider}" == "cloudscale"] . Apply the manifests for the cloudscale machine-api provider + [source,bash,subs="attributes+"] From 379d2473467296c115d5986be5a24ad1a807adfe Mon Sep 17 00:00:00 2001 
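Review bot: The `patch` command in the new "Deploy cert-manager" step adds `{"operator":"Exists"}` to every Deployment returned by `kubectl -n syn-cert-manager get deploy -oname`, which tolerates all taints (including `NoExecute`), and the NOTE above it does not say why this is needed or when it is undone. I would add a sentence to the NOTE such as `The blanket toleration is only needed while the nodes still carry their bootstrap taints; it is replaced once the cert-manager component is synced.`, adjusted to whatever actually reverts it, which is not visible in this patch. Separately, `kubectl wait` gives up after its default 30s timeout, so the node wait here and the `cert-manager-webhook` wait added in PATCH 4/4 would be more dependable with an explicit value, for example `--timeout=10m`.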
From: Simon Gerber Date: Fri, 5 Sep 2025 10:02:10 +0200 Subject: [PATCH 2/4] Remove unnecessary step to set infra and worker count to 0 in tenant repo We now set these variables to 0 in the global defaults. --- .../install/prepare-syn-config-machine-api.adoc | 12 ------------ .../ROOT/partials/install/prepare-syn-config.adoc | 4 ---- 2 files changed, 16 deletions(-) delete mode 100644 docs/modules/ROOT/partials/install/prepare-syn-config-machine-api.adoc diff --git a/docs/modules/ROOT/partials/install/prepare-syn-config-machine-api.adoc b/docs/modules/ROOT/partials/install/prepare-syn-config-machine-api.adoc deleted file mode 100644 index 2ec7eda4..00000000 --- a/docs/modules/ROOT/partials/install/prepare-syn-config-machine-api.adoc +++ /dev/null @@ -1,12 +0,0 @@ -ifeval::["{provider}" == "cloudscale"] -. Prepare cloudscale machine-api provider -+ -[source,bash,subs="attributes+"] ----- -yq eval -i ".parameters.openshift4_terraform.terraform_variables.worker_count = 0" \ - ${CLUSTER_ID}.yml - -yq eval -i ".parameters.openshift4_terraform.terraform_variables.infra_count = 0" \ - ${CLUSTER_ID}.yml ----- -endif::[] diff --git a/docs/modules/ROOT/partials/install/prepare-syn-config.adoc b/docs/modules/ROOT/partials/install/prepare-syn-config.adoc index a2a42fa1..d232cf82 100644 --- a/docs/modules/ROOT/partials/install/prepare-syn-config.adoc +++ b/docs/modules/ROOT/partials/install/prepare-syn-config.adoc @@ -53,7 +53,6 @@ yq eval -i ".parameters.openshift4_version.spec.channel = \"fast-{ocp-minor-vers ifeval::["{provider}" == "cloudscale"] :is-terraform: yes -:use-machine-api: yes endif::[] ifeval::["{provider}" == "exoscale"] :is-terraform: yes 
@@ -65,9 +64,6 @@ endif::[] ifeval::["{is-terraform}" == "yes"] include::partial$install/prepare-syn-config-terraform.adoc[] endif::[] -ifeval::["{use-machine-api}" == "yes"] -include::partial$install/prepare-syn-config-machine-api.adoc[] -endif::[] ifeval::["{provider}" == "vsphere"] include::partial$install/prepare-syn-config-vsphere.adoc[] endif::[] From 53281aaf40d3bf39399f4606e4823bc400d564e0 Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Fri, 5 Sep 2025 10:02:45 +0200 Subject: [PATCH 3/4] Add step to delete cloudscale loadbalancer instances in decommissioning instructions --- .../ROOT/pages/how-tos/cloudscale/decommission.adoc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc b/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc index 9e699b05..993bf1ef 100644 --- a/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc +++ b/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc @@ -52,6 +52,13 @@ include::partial$decommission-disable-syn.adoc[] kubectl delete svc --field-selector spec.type=LoadBalancer -A ---- +. Delete all loadbalancers ++ +[source,bash] +---- +kubectl delete loadbalancers -A --all +---- + . Delete all PVs + [source,bash] From 2cbc156d2c5591f93feb06589a0209354b4706d4 Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Thu, 4 Sep 2025 14:11:21 +0200 Subject: [PATCH 4/4] Override Cilium Hubble config and deploy Cilium cert-manager CA --- docs/modules/ROOT/partials/install/bootstrap-nodes.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc b/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc index 3c0fd86b..d20fbcd1 100644 --- a/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc +++ b/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc 
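Review bot: The new step `kubectl delete loadbalancers -A --all` in decommission.adoc depends on the short resource name resolving to the intended CRD and on a controller still running to tear down the backing cloudscale instances, and the step checks neither. If the controller is already gone or its cleanup cannot finish, the command may hang or leave load balancer instances and their addresses provisioned after the cluster is removed; this is inferred, since the controller's behaviour is not shown here. I would qualify the resource as `loadbalancers.<API_GROUP>` (placeholder for the CRD's group) and add a verification line such as `kubectl get loadbalancers -A`, stating that it must return nothing before continuing to the PV step.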
@@ -124,6 +124,11 @@ kubectl patch -n cilium ciliumconfig cilium-enterprise --type=merge \ }, "hostPort": { "enabled": true + }, + "hubble": { + "tls": { + "enabled": false + } } } } @@ -179,6 +184,9 @@ kubectl apply -Rf ../cert-manager/10_cert_manager kubectl -n syn-cert-manager patch --type=merge \ $(kubectl -n syn-cert-manager get deploy -oname) \ -p '{"spec":{"template":{"spec":{"tolerations":[{"operator":"Exists"}]}}}}' +kubectl -n syn-cert-manager wait --for condition=available \ + deploy cert-manager-webhook +kubectl apply -f ../cilium/20_cilium_ca.yaml ---- ifeval::["{provider}" == "cloudscale"]
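Review bot: The first hunk adds `"hubble": {"tls": {"enabled": false}}` to the `ciliumconfig` patch without saying that this is a bootstrap-only setting or where TLS is turned back on. With TLS off, Hubble's flow data is served inside the cluster without transport encryption or peer authentication, so the reader should be able to tell that this is temporary, presumably until the CA from `../cilium/20_cilium_ca.yaml` (applied in the second hunk) is in use. I would add a line next to the command such as `NOTE: Hubble TLS is disabled only during bootstrap; it is re-enabled once <STEP_OR_COMPONENT> applies the final Cilium configuration.`, and if nothing re-enables it, list that as a required follow-up step. The JSON patch body starts above the hunk.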