Merge pull request #39726 from johnwilkins/bz-1998580

BZ 1998580, BZ 2006334 and BZ 2007529 documentation fixes.

Author: mburke5678

images/210_OpenShift_Baremetal_IPI_Deployment_updates_0122_1.png

@@ -7,13 +7,13 @@ Installer-provisioned installation provides support for installing {product-titl
 
 During installer-provisioned installation on bare metal, the installer on the bare metal node labeled as `provisioner` creates a bootstrap virtual machine (VM). The role of the bootstrap VM is to assist in the process of deploying an {product-title} cluster. The bootstrap VM connects to the `baremetal` network and to the `provisioning` network, if present, via the network bridges.
 
-image::71_OpenShift_4.6_Baremetal_IPI_Deployment_1020_1.svg[Deployment phase one]
+image::210_OpenShift_Baremetal_IPI_Deployment_updates_0122_1.png[Deployment phase one]
 
-When the installation of OpenShift control plane nodes is complete and fully operational, the installer destroys the bootstrap VM automatically and moves the virtual IP addresses (VIPs) to the control plane nodes.
+When the installation of {product-title} is complete and fully operational, the installer destroys the bootstrap VM automatically and moves the virtual IP addresses (VIPs) to the appropriate nodes accordingly. The API VIP moves to the control plane nodes and the Ingress VIP moves to the worker nodes.
 
-image::161_OpenShift_Baremetal_IPI_Deployment_updates_0521.svg[Deployment phase two]
+image::210_OpenShift_Baremetal_IPI_Deployment_updates_0122_2.png[Deployment phase two]
 
 [IMPORTANT]
 ====
-The `provisioning` network is optional, but it is required for PXE booting. If you deploy without a `provisioning` network, you must use a virtual media BMC addressing option such as `redfish-virtualmedia` or `idrac-virtualmedia`. 
+The `provisioning` network is optional, but it is required for PXE booting. If you deploy without a `provisioning` network, you must use a virtual media BMC addressing option such as `redfish-virtualmedia` or `idrac-virtualmedia`.
 ====

images/210_OpenShift_Baremetal_IPI_Deployment_updates_0122_2.png

@@ -95,14 +95,16 @@ a| `provisioningNetworkInterface` |  | The name of the network interface on node
 
 | `defaultMachinePlatform` | | The default configuration used for machine pools without a platform configuration.
 
-| `apiVIP` | `api.<clustername.clusterdomain>` | The VIP to use for internal API communication.
+| `apiVIP` | | (Optional) The virtual IP address for Kubernetes API communication.
 
-This setting must either be provided or pre-configured in the DNS so that the
-default name resolves correctly.
+This setting must either be provided in the `install-config.yaml` file as a reserved IP from the MachineNetwork or pre-configured in the DNS so that the default name resolves correctly. Use the virtual IP address and not the FQDN when adding a value to the `apiVIP` configuration setting in the `install-config.yaml` file. The IP address must be from the primary IPv4 network when using dual stack networking. If not set, the installer uses `api.<cluster_name>.<base_domain>` to derive the IP address from the DNS.
 
 | `disableCertificateVerification` | `False` | `redfish` and `redfish-virtualmedia` need this parameter to manage BMC addresses. The value should be `True` when using a self-signed certificate for BMC addresses.
 
-| `ingressVIP` | `test.apps.<clustername.clusterdomain>` | The VIP to use for ingress traffic.
+| `ingressVIP` | | (Optional) The virtual IP address for ingress traffic.
+
+This setting must either be provided in the `install-config.yaml` file as a reserved IP from the MachineNetwork or pre-configured in the DNS so that the default name resolves correctly. Use the virtual IP address and not the FQDN when adding a value to the `ingressVIP` configuration setting in the `install-config.yaml` file. The IP address must be from the primary IPv4 network when using dual stack networking. If not set, the installer uses `test.apps.<cluster_name>.<base_domain>` to derive the IP address from the DNS.
+
 
 |===
 

installing/installing_bare_metal_ipi/ipi-install-overview.adoc

@@ -3,9 +3,11 @@
 // ipi-install-configuration-files.adoc
 [id='configure-network-components-to-run-on-the-control-plane_{context}']
 
-= Configure network components to run on the control plane
+= (Optional) Configure network components to run on the control plane
 
-Configure networking components to run exclusively on the control plane nodes. By default, {product-title} allows any node in the machine config pool to host the `apiVIP` and `ingressVIP` virtual IP addresses. However, many environments deploy worker nodes in separate subnets from the control plane nodes. Consequently, you must place the `apiVIP` and `ingressVIP` virtual IP addresses exclusively with the control plane nodes.
+You can configure networking components to run exclusively on the control plane nodes. By default, {product-title} allows any node in the machine config pool to host the `ingressVIP` virtual IP address. However, some environments deploy worker nodes in separate subnets from the control plane nodes. When deploying remote workers in separate subnets, you must place the `ingressVIP` virtual IP address exclusively with the control plane nodes.
+
+image::161_OpenShift_Baremetal_IPI_Deployment_updates_0521.svg[Installer-provisioned networking]
 
 .Procedure
 
@@ -44,38 +46,15 @@ spec:
   config:
     ignition:
       version: 3.2.0
-    systemd:
-      units:
-      - name: nodeip-configuration.service
-        enabled: true
-        contents: |
-          [Unit]
-          Description=Writes IP address configuration so that kubelet and crio services select a valid node IP
-          Wants=network-online.target
-          After=network-online.target ignition-firstboot-complete.service
-          Before=kubelet.service crio.service
-          [Service]
-          Type=oneshot
-          ExecStart=/bin/bash -c "exit 0 "
-          [Install]
-          WantedBy=multi-user.target
     storage:
       files:
         - path: /etc/kubernetes/manifests/keepalived.yaml
           mode: 0644
           contents:
             source: data:,
-        - path: /etc/kubernetes/manifests/mdns-publisher.yaml
-          mode: 0644
-          contents:
-            source: data:,
-        - path: /etc/kubernetes/manifests/coredns.yaml
-          mode: 0644
-          contents:
-            source: data:,
 ----
 +
-This manifest places the `apiVIP` and `ingressVIP` virtual IP addresses on the control plane nodes. Additionally, this manifest deploys the following processes on the control plane nodes only:
+This manifest places the `ingressVIP` virtual IP address on the control plane nodes. Additionally, this manifest deploys the following processes on the control plane nodes only:
 +
 * `openshift-ingress-operator`
 +
@@ -109,12 +88,5 @@ $ sed -i "s;mastersSchedulable: false;mastersSchedulable: true;g" clusterconfigs
 +
 [NOTE]
 ====
-If control plane nodes are not schedulable, deploying the cluster will fail.
-====
-
-. Before deploying the cluster, ensure that the `api.<cluster-name>.<domain>` domain name is resolvable in the external DNS server. When you configure network components to run exclusively on the control plane, the internal DNS resolution no longer works for worker nodes, which is an expected outcome.
-+
-[IMPORTANT]
-====
-Failure to create a DNS record for the `api.<cluster-name>.<domain>` domain name in the external DNS server precludes worker nodes from joining the cluster.
+If control plane nodes are not schedulable after completing this procedure, deploying the cluster will fail.
 ====

modules/ipi-install-additional-install-config-parameters.adoc

@@ -7,6 +7,8 @@
 
 Installer-provisioned installation of {product-title} involves several network requirements. First, installer-provisioned installation involves an optional non-routable `provisioning` network for provisioning the operating system on each bare metal node. Second, installer-provisioned installation involves a routable `baremetal` network.
 
+image::210_OpenShift_Baremetal_IPI_Deployment_updates_0122_2.png[Installer-provisioned networking]
+
 [discrete]
 == Configuring NICs
 
@@ -26,25 +28,56 @@ When using a VLAN, each NIC must be on a separate VLAN corresponding to the appr
 ====
 
 [discrete]
-== Configuring the DNS server
+== DNS requirements
 
 Clients access the {product-title} cluster nodes over the `baremetal` network. A network administrator must configure a subdomain or subzone where the canonical name extension is the cluster name.
 
+[source,text]
 ----
-<cluster_name>.<domain>
+<cluster_name>.<base_domain>
 ----
 
 For example:
 
+[source,text]
 ----
 test-cluster.example.com
 ----
 
 {product-title} includes functionality that uses cluster membership information to generate A/AAAA records. This resolves the node names to their IP addresses. After the nodes are registered with the API, the cluster can disperse node information without using CoreDNS-mDNS. This eliminates the network traffic associated with multicast DNS.
 
-[IMPORTANT]
+In {product-title} deployments, DNS name resolution is required for the following components:
+
+* The Kubernetes API
+* The {product-title} application wildcard ingress API
+
+A/AAAA records are used for name resolution and PTR records are used for reverse name resolution. {op-system-first} uses the reverse records or DHCP to set the hostnames for all the nodes.
+
+Installer-provisioned installation includes functionality that uses cluster membership information to generate A/AAAA records. This resolves the node names to their IP addresses. In each record, `<cluster_name>` is the cluster name and `<base_domain>` is the base domain that you specify in the `install-config.yaml` file. A complete DNS record takes the form: `<component>.<cluster_name>.<base_domain>.`.
+
+.Required DNS records
+[cols="1a,3a,5a",options="header"]
+|===
+
+|Component
+|Record
+|Description
+
+.2+a|Kubernetes API
+|`api.<cluster_name>.<base_domain>.`
+|An A/AAAA record, and a PTR record, identify the API load balancer. These records must be resolvable by both clients external to the cluster and from all the nodes within the cluster.
+
+|Routes
+|`*.apps.<cluster_name>.<base_domain>.`
+|The wildcard A/AAAA record refers to the application ingress load balancer. The application ingress load balancer targets the nodes that run the Ingress Controller pods. The Ingress Controller pods run on the worker nodes by default. These records must be resolvable by both clients external to the cluster and from all the nodes within the cluster.
+
+For example, `console-openshift-console.apps.<cluster_name>.<base_domain>` is used as a wildcard route to the {product-title} console.
+
+|===
+
+[TIP]
 ====
-You must create a DNS entry for the `api.<cluster_name>.<domain>` domain name on the external DNS because removing CoreDNS causes the local entry to disappear. Failure to create a DNS record for the `api.<cluster_name>.<domain>` domain name in the external DNS server precludes worker nodes from joining the cluster.
+You can use the `dig` command to verify DNS resolution.
 ====
 
 [discrete]
@@ -59,10 +92,10 @@ Network administrators must reserve IP addresses for each node in the {product-t
 
 For the `baremetal` network, a network administrator must reserve a number of IP addresses, including:
 
-. Two virtual IP addresses.
+. Two unique virtual IP addresses.
 +
-- One IP address for the API endpoint
-- One IP address for the wildcard ingress endpoint
+- One virtual IP address for the API endpoint.
+- One virtual IP address for the wildcard ingress endpoint.
 +
 . One IP address for the provisioner node.
 . One IP address for each control plane (master) node.
@@ -85,17 +118,22 @@ The following table provides an exemplary embodiment of fully qualified domain n
 [width="100%", cols="3,5,2", options="header"]
 |=====
 | Usage | Host Name | IP
-| API | `api.<cluster_name>.<domain>` | `<ip>`
-| Ingress LB (apps) |  `*.apps.<cluster_name>.<domain>`  | `<ip>`
-| Provisioner node | `provisioner.<cluster_name>.<domain>` | `<ip>`
-| Master-0 | `openshift-master-0.<cluster_name>.<domain>` | `<ip>`
-| Master-1 | `openshift-master-1.<cluster_name>-.<domain>` | `<ip>`
-| Master-2 | `openshift-master-2.<cluster_name>.<domain>` | `<ip>`
-| Worker-0 | `openshift-worker-0.<cluster_name>.<domain>` | `<ip>`
-| Worker-1 | `openshift-worker-1.<cluster_name>.<domain>` | `<ip>`
-| Worker-n | `openshift-worker-n.<cluster_name>.<domain>` | `<ip>`
+| API | `api.<cluster_name>.<base_domain>` | `<ip>`
+| Ingress LB (apps) |  `*.apps.<cluster_name>.<base_domain>`  | `<ip>`
+| Provisioner node | `provisioner.<cluster_name>.<base_domain>` | `<ip>`
+| Master-0 | `openshift-master-0.<cluster_name>.<base_domain>` | `<ip>`
+| Master-1 | `openshift-master-1.<cluster_name>-.<base_domain>` | `<ip>`
+| Master-2 | `openshift-master-2.<cluster_name>.<base_domain>` | `<ip>`
+| Worker-0 | `openshift-worker-0.<cluster_name>.<base_domain>` | `<ip>`
+| Worker-1 | `openshift-worker-1.<cluster_name>.<base_domain>` | `<ip>`
+| Worker-n | `openshift-worker-n.<cluster_name>.<base_domain>` | `<ip>`
 |=====
 
+[NOTE]
+====
+If you do not create DHCP reservations, the installer requires reverse DNS resolution to set the hostnames for the Kubernetes API node, the provisioner node, the control plane nodes, and the worker nodes.
+====
+
 [discrete]
 == Network Time Protocol (NTP)
 
@@ -106,7 +144,7 @@ Each {product-title} node in the cluster must have access to an NTP server. {pro
 Define a consistent clock date and time format in each cluster node's BIOS settings, or installation might fail.
 ====
 
-You may reconfigure the control plane nodes to act as NTP servers on disconnected clusters, and reconfigure worker nodes to retrieve time from the control plane nodes.
+You can reconfigure the control plane nodes to act as NTP servers on disconnected clusters, and reconfigure worker nodes to retrieve time from the control plane nodes.
 
 [discrete]
 == State-driven network configuration requirements (Technology Preview)
@@ -123,4 +161,4 @@ State-driven network configuration requires installing `kubernetes-nmstate`, and
 [discrete]
 == Port access for the out-of-band management IP address
 
-The out-of-band management IP address is on a separate network from the node. To ensure that the out-of-band management can communicate with the `baremetal` node during installation, the out-of-band management IP address address must be granted access to the TCP 6180 port.
+The out-of-band management IP address is on a separate network from the node. To ensure that the out-of-band management can communicate with the `baremetal` node during installation, the out-of-band management IP address address must be granted access to the TCP 6180 port.

modules/ipi-install-configure-network-components-to-run-on-the-control-plane.adoc

@@ -6,8 +6,8 @@
 [id="out-of-band-management_{context}"]
 = Out-of-band management
 
-Nodes will typically have an additional NIC used by the Baseboard Management Controllers (BMCs). These BMCs must be accessible from the `provisioner` node.
+Nodes will typically have an additional NIC used by the Baseboard Management Controllers (BMCs). These BMCs must be accessible from the provisioner node.
 
-Each node must be accessible via out-of-band management. When using an out-of-band management network, the `provisioner` node requires access to the out-of-band management network for a successful {product-title} 4 installation.
+Each node must be accessible via out-of-band management. When using an out-of-band management network, the provisioner node requires access to the out-of-band management network for a successful {product-title} 4 installation.
 
-The out-of-band management setup is out of scope for this document. We recommend setting up a separate management network for out-of-band management. However, using the `provisioning` network or the `baremetal` network are valid options.
+The out-of-band management setup is out of scope for this document. We recommend setting up a separate management network for out-of-band management. However, using the provisioning network or the baremetal network are valid options.

modules/ipi-install-network-requirements.adoc

@@ -15,9 +15,9 @@ Prior to the installation of the {product-title} cluster, gather the following i
 
 .When using the `provisioning` network
 
-* NIC1 (`provisioning`) MAC address
-* NIC2 (`baremetal`) MAC address
+* NIC (`provisioning`) MAC address
+* NIC (`baremetal`) MAC address
 
 .When omitting the `provisioning` network
 
-* NICx (`baremetal`) MAC address
+* NIC (`baremetal`) MAC address

modules/ipi-install-out-of-band-management.adoc

@@ -8,19 +8,21 @@
 
 .When using the `provisioning` network
 
-* [ ] NIC1 VLAN is configured for the `provisioning` network. (optional)
-* [ ] NIC1 is PXE-enabled on the provisioner, control plane (master), and worker nodes when using a `provisioning` network. (optional)
+* [ ] NIC1 VLAN is configured for the `provisioning` network.
+* [ ] NIC1 for the `provisioning` network is PXE-enabled on the provisioner, control plane (master), and worker nodes.
 * [ ] NIC2 VLAN is configured for the `baremetal` network.
 * [ ] PXE has been disabled on all other NICs.
+* [ ] DNS is configured with API and Ingress endpoints.
 * [ ] Control plane and worker nodes are configured.
 * [ ] All nodes accessible via out-of-band management.
-* [ ] A separate management network has been created. (optional)
+* [ ] (Optional) A separate management network has been created.
 * [ ] Required data for installation.
 
 .When omitting the `provisioning` network
 
-* [ ] NICx VLAN is configured for the `baremetal` network.
+* [ ] NIC1 VLAN is configured for the `baremetal` network.
+* [ ] DNS is configured with API and Ingress endpoints.
 * [ ] Control plane and worker nodes are configured.
 * [ ] All nodes accessible via out-of-band management.
-* [ ] A separate management network has been created. (optional)
+* [ ] (Optional) A separate management network has been created.
 * [ ] Required data for installation.