Merge pull request #57959 from rh-tokeefe/OSSM-3195A

OSSM-3195: Document deploying service mesh to infrastructure node

Author: rolfedh

modules/ossm-config-control-plane-infrastructure-node.adoc

@@ -0,0 +1,42 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/v2x/ossm-deployment-models.adoc
+
+:_content-type: PROCEDURE
+[id="ossm-config-control-plane-infrastructure-node_{context}"]
+= Configuring all {SMProductShortName} control plane components to run on infrastructure nodes
+
+This task should only be performed if all of the components deployed by the {SMProductShortName} control plane (including Istiod, Ingress Gateway, and Egress Gateway) along with optional elements (such as Prometheus, Grafana, and Distributed Tracing) are running on infrastructure nodes. 
+
+If the control plane runs on a worker node, skip this task.
+
+.Procedure
+
+. Open the `ServiceMeshControlPlane` resource as a YAML file:
++
+[source,terminal]
+----
+$ oc -n istio-system edit smcp <name> <1>
+----
+<1> `<name>` represents the name of the `ServiceMeshControlPlane` resource.
+
+. To run all of the {SMProductShortName} components deployed by the `ServiceMeshControlPlane` on infrastructure nodes, add the `nodeSelector` and `tolerations` fields to the `spec.runtime.defaults.pod` spec in the `ServiceMeshControlPlane` resource:
++
+[source,yaml]
+----
+spec:
+  runtime:
+    defaults:
+      pod:
+        nodeSelector: <1>
+          node-role.kubernetes.io/infra: ""
+        tolerations: <2>
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/infra
+          value: reserved
+        - effect: NoExecute
+          key: node-role.kubernetes.io/infra
+          value: reserved
+----
+<1> Ensures that the SMCP pods are only scheduled on an infrastructure node.
+<2> Ensures that the pods are accepted by the infrastructure node.

modules/ossm-config-individual-control-plane-infrastructure-node.adoc

@@ -0,0 +1,77 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/v2x/ossm-deployment-models.adoc
+
+:_content-type: PROCEDURE
+[id="ossm-config-individual-control-plane-infrastructure-node_{context}"]
+= Configuring individual {SMProductShortName} control plane components to run on infrastructure nodes
+
+This task should only be performed if individual {SMProductShortName} control plane components (such as Istiod, the Ingress Gateway, and the Egress Gateway) will run on infrastructure nodes. 
+
+If the control plane will run on a worker node, skip this task.
+
+.Procedure
+
+. Open the `ServiceMeshControlPlane` resource as a YAML file.
++
+[source,terminal]
+----
+$ oc -n istio-system edit smcp <name> <1>
+----
+<1>  `<name>` represents the name of the `ServiceMeshControlPlane` resource.
+
+. To run the Istiod component on an infrastructure node, add the `nodeSelector` and the `tolerations` fields to the `spec.runtime.components.pilot.pod` spec in the `ServiceMeshControlPlane` resource.
++
+[source,yaml]
+----
+spec:
+  runtime:
+    components:
+      pilot:
+        pod:
+          nodeSelector: <1>
+            node-role.kubernetes.io/infra: ""
+          tolerations: <2>
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/infra
+            value: reserved
+          - effect: NoExecute
+            key: node-role.kubernetes.io/infra
+            value: reserved
+----
+<1> Ensures that the Istiod pod is only scheduled on an infrastructure node.
+<2> Ensures that the pod is accepted by the infrastructure node.
+
+. To run Ingress and Egress Gateways on infrastructure nodes, add the `nodeSelector` and the `tolerations` fields to the `spec.gateways.ingress.runtime.pod` spec and the `spec.gateways.egress.runtime.pod` spec in the `ServiceMeshControlPlane` resource.
++
+[source,yaml]
+----
+spec:
+  gateways:
+    ingress:
+      runtime:
+        pod:
+          nodeSelector: <1>
+            node-role.kubernetes.io/infra: ""
+          tolerations: <2>
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/infra
+            value: reserved
+          - effect: NoExecute
+            key: node-role.kubernetes.io/infra
+            value: reserved
+    egress:
+      runtime:
+        pod:
+          nodeSelector: <1>
+            node-role.kubernetes.io/infra: ""
+          tolerations: <2>
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/infra
+            value: reserved
+          - effect: NoExecute
+            key: node-role.kubernetes.io/infra
+            value: reserved
+----
+<1> Ensures that the gateway pod is only scheduled on an infrastructure node
+<2> Ensures that the pod is accepted by the infrastructure node.

modules/ossm-config-operator-infrastructure-node.adoc

@@ -0,0 +1,46 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/v2x/ossm-deployment-models.adoc
+
+:_content-type: PROCEDURE
+[id="ossm-config-operator-infrastructure-node_{context}"]
+= Configuring the {SMProductShortName} Operator to run on infrastructure nodes
+
+This task should only be performed if the {SMProductShortName} Operator runs on an infrastructure node. 
+
+If the operator will run on a worker node, skip this task.
+
+.Prerequisites
+
+* The {SMProductShortName} Operator must be installed.
+
+* One of the nodes comprising the deployment must be an infrastructure node. For more information, see "Creating infrastructure machine sets."
+
+.Procedure
+
+. Edit the {SMProductShortName} Operator `Subscription` resource to specify where the operator should run:
++
+[source,terminal]
+----
+$ oc -n openshift-operators edit subscription <name> <1>
+----
+<1> `<name>` represents the name of the `Subscription` resource.
+
+. Add the `nodeSelector` and `tolerations` to `spec.config` in the `Subscription` resource:
++
+[source,yaml]
+----
+spec:
+ config:
+   nodeSelector: <1>
+     node-role.kubernetes.io/infra: ""
+   tolerations: <2>
+   - effect: NoSchedule
+     key: node-role.kubernetes.io/infra
+     value: reserved
+   - effect: NoExecute
+     key: node-role.kubernetes.io/infra
+     value: reserved
+----
+<1> Ensures that the operator pod is only scheduled on an infrastructure node.
+<2> Ensures that the pod is accepted by the infrastructure node.

modules/ossm-confirm-operator-infrastructure-node.adoc

@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/v2x/installing-ossm.adoc
+
+:_content-type: PROCEDURE
+[id="ossm-confirm-operator-infrastructure-node_{context}"]
+= Verifying the {SMProductShortName} Operator is running on infrastructure node
+
+.Procedure
+
+* Verify that the node associated with the Operator pod is an infrastructure node:
++
+[source,terminal]
+----
+$ oc -n openshift-operators get po -l name=istio-operator -owide
+----

modules/ossm-confirm-smcp-infrastructure-node.adoc

@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/v2x/installing-ossm.adoc
+
+:_content-type: PROCEDURE
+[id="ossm-confirm-smcp-infrastructure-node_{context}"]
+= Verifying the {SMProductShortName} control plane is running on infrastructure nodes
+
+.Procedure
+
+* Confirm that the nodes associated with Istiod, Ingress Gateway, and Egress Gateway pods are infrastructure nodes:
++
+[source,terminal]
+----
+$ oc -n istio-system get pods -owide
+----

service_mesh/v2x/installing-ossm.adoc

@@ -28,6 +28,10 @@ Do not install Community versions of the Operators. Community Operators are not
 
 include::modules/ossm-install-ossm-operator.adoc[leveloffset=+1]
 
+include::modules/ossm-config-operator-infrastructure-node.adoc[leveloffset=+1]
+
+include::modules/ossm-confirm-operator-infrastructure-node.adoc[leveloffset=+1]
+
 == Next steps
 
-The {SMProductName} Operator does not create the various {SMProductShortName} custom resource definitions (CRDs) until you deploy a {SMProductShortName} control plane. You use the `ServiceMeshControlPlane` resource to install and configure the {SMProductShortName} components. For more information, see xref:../../service_mesh/v2x/ossm-create-smcp.adoc#ossm-create-smcp[Creating the ServiceMeshControlPlane].
+* The {SMProductName} Operator does not create the {SMProductShortName} custom resource definitions (CRDs) until you deploy a {SMProductShortName} control plane. You can use the `ServiceMeshControlPlane` resource to install and configure the {SMProductShortName} components. For more information, see xref:../../service_mesh/v2x/ossm-create-smcp.adoc#ossm-create-smcp[Creating the ServiceMeshControlPlane].

service_mesh/v2x/ossm-create-smcp.adoc

@@ -29,6 +29,12 @@ include::modules/ossm-control-plane-cli.adoc[leveloffset=+1]
 
 include::modules/ossm-validate-smcp-cli.adoc[leveloffset=+1]
 
+include::modules/ossm-config-control-plane-infrastructure-node.adoc[leveloffset=+1]
+
+include::modules/ossm-config-individual-control-plane-infrastructure-node.adoc[leveloffset=+1]
+
+include::modules/ossm-confirm-smcp-infrastructure-node.adoc[leveloffset=+1]
+
 include::modules/ossm-validate-smcp-kiali.adoc[leveloffset=+1]
 
 include::modules/ossm-install-rosa.adoc[leveloffset=+1]
@@ -40,4 +46,4 @@ include::modules/ossm-install-rosa.adoc[leveloffset=+1]
 
 == Next steps
 
-Create a `ServiceMeshMemberRoll` resource to specify the namespaces associated with the {SMProductShortName}. For more information, see xref:../../service_mesh/v2x/ossm-create-mesh.adoc#ossm-create-mesh[Adding services to a service mesh].
+* Create a `ServiceMeshMemberRoll` resource to specify the namespaces associated with the {SMProductShortName}. For more information, see xref:../../service_mesh/v2x/ossm-create-mesh.adoc#ossm-create-mesh[Adding services to a service mesh].