add node-joiner.sh script and related documentation

andfasano · andfasano · commit 36159433a81a · 2024-04-24T07:52:24.000-04:00
diff --git a/docs/user/agent/add-nodes.md b/docs/user/agent/add-nodes.md
@@ -0,0 +1,97 @@
+# Adding a node via the node-joiner tool
+
+## Pre-requisites
+1. The `oc` tool must be available in the execution environment (the "user host").
+2. The user host has a valid network connection to the target OpenShift cluster to be expanded.
+3. The user host has a valid pull-secret.
+
+## Setup
+1. Download the [node-joiner.sh](./node-joiner.sh) script in a working directory in
+   the user host (the "assets folder").
+2. Create a `nodes-config.yaml` in the assets folder. This configuration file must contain the 
+   list of all the nodes that the user wants to add to the target cluster. For each node it must be
+   specified at least the name and the primary interface mac address, for example:
+```
+hosts:
+    - hostname: extra-worker-0
+      interfaces:
+        - name: eth0
+          macAddress: 00:02:46:e3:9e:7c
+    - hostname: extra-worker-1
+      interfaces:
+        - name: eth0
+          macAddress: 00:02:46:e3:9e:8c
+    - hostname: extra-worker-2
+      interfaces:
+        - name: eth0
+          macAddress: 00:02:46:e3:9e:9c
+```
+3. Optionally, it's possible to specify - for each node - an `NMState` configuration block
+   (it will be applied during the first boot), for example:
+```
+hosts:
+    - hostname: extra-worker-0
+      interfaces:
+        - name: eth0
+          macAddress: 00:02:46:e3:9e:7c
+      networkConfig:
+        interfaces:
+          - name: eth0
+            type: ethernet
+            state: up
+            mac-address: 00:02:46:e3:9e:7c
+            ipv4:
+              enabled: true
+              address:
+                - ip: 192.168.111.90
+                  prefix-length: 24
+              dhcp: false
+        dns-resolver:
+          config:
+            server:
+              - 192.168.111.1
+        routes:
+          config:
+            - destination: 0.0.0.0/0 
+              next-hop-address: 192.168.111.1
+              next-hop-interface: eth0
+              table-id: 254
+    - hostname: extra-worker-1
+      interfaces:
+        - name: eth0
+          macAddress: 00:02:46:e3:9e:8c
+    - hostname: extra-worker-2
+      interfaces:
+        - name: eth0
+          macAddress: 00:02:46:e3:9e:9c
+
+## ISO generation
+Run the [node-joiner.sh](./node-joiner.sh) by specifying the location of the current pull secret:
+```bash
+$ ./node-joiner.sh ~/config/pull-secret
+```
+The script will generate a temporary namespace `openshift-node-joiner` in the target cluster,
+where a pod will be launched to execute the effective node-joiner workload.
+In case of success, the `agent-addnodes.x86_64.iso` ISO image will be downloaded in the assets folder.
+
+## Nodes joining
+Use the iso image to boot all the nodes listed in the `nodes-config.yaml` file, and wait for the related
+certificate signing requests (CSRs) to appear. When adding a new node to the cluster, two pending CSRs will
+be generated, and they must be manually approved by the user.
+Use the following command to monitor the pending certificates:
+```
+$ oc get csr
+```
+User the `oc` `approve` command to approve them:
+```
+$ oc adm certificate approve <csr_name>
+```
+Once all the pendings certificates will be approved, then the new node will become available:
+```
+$ oc get nodes
+NAME            STATUS   ROLES                  AGE   VERSION
+extra-worker-0  Ready    worker                  1h   v1.29.3+8628c3c                                        
+master-0        Ready    control-plane,master   31h   v1.29.3+8628c3c
+master-1        Ready    control-plane,master   32h   v1.29.3+8628c3c
+master-2        Ready    control-plane,master   32h   v1.29.3+8628c3c
+```
diff --git a/docs/user/agent/node-joiner.sh b/docs/user/agent/node-joiner.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+
+if [ $# -lt 1 ]; then
+    echo "./node-joiner.sh <pull secret path>"
+    echo "Usage example:"
+    echo "$ ./node-joiner.sh ~/config/my-pull-secret"
+
+    exit 1
+fi
+pullSecret=$1
+
+# Extract the installer image pullspec and release version.
+releaseImage=$(oc get clusterversion version -o=jsonpath='{.status.history[?(@.state == "Completed")].image}')
+nodeJoinerPullspec=$(oc adm release info -a "$pullSecret" --image-for=installer "$releaseImage")
+
+# Create the namespace to run the node-joiner, along with the required roles and bindings.
+staticResources=$(cat <<EOF
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-node-joiner
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-joiner
+  namespace: openshift-node-joiner
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-joiner
+rules:
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - clusterversions
+  - proxies
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  - nodes
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-joiner
+subjects:
+- kind: ServiceAccount
+  name: node-joiner
+  namespace: openshift-node-joiner
+roleRef:
+  kind: ClusterRole
+  name: node-joiner
+  apiGroup: rbac.authorization.k8s.io
+EOF
+)
+echo "$staticResources" | oc apply -f -
+
+# Generate a configMap to store the user configuration
+oc create configmap nodes-config --from-file=nodes-config.yaml -n openshift-node-joiner -o yaml --dry-run=client | oc apply -f -
+
+# Runt the node-joiner pod to generate the ISO
+nodeJoinerPod=$(cat <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: node-joiner
+  namespace: openshift-node-joiner
+  annotations:
+    openshift.io/scc: anyuid
+  labels:
+    app: node-joiner    
+spec:
+  restartPolicy: Never
+  serviceAccountName: node-joiner
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
+  containers:
+  - name: node-joiner
+    imagePullPolicy: IfNotPresent
+    image: $nodeJoinerPullspec
+    volumeMounts:
+    - name: nodes-config
+      mountPath: /config
+    - name: assets
+      mountPath: /assets
+    command: ["/bin/sh", "-c", "cp /config/nodes-config.yaml /assets; HOME=/assets node-joiner add-nodes --dir=/assets --log-level=debug; echo \$? > /assets/completed; sleep 600"]    
+  volumes:
+  - name: nodes-config
+    configMap: 
+      name: nodes-config
+      namespace: openshift-node-joiner
+  - name: assets
+    emptyDir: 
+      sizeLimit: "4Gi"
+EOF
+)
+echo "$nodeJoinerPod" | oc apply -f -
+
+# Wait until the node-joiner was completed.
+while true; do 
+  if oc exec node-joiner -n openshift-node-joiner -- test -e /assets/completed >/dev/null 2>&1; then
+    break
+  else 
+    echo "Waiting for node-joiner pod to complete..."
+    sleep 10s
+  fi
+done
+
+# In case of success, let's extract the ISO, otherwise the logs are shown for troubleshooting the error.
+completed=$(oc exec node-joiner -n openshift-node-joiner -- cat /assets/completed)
+if [ "$completed" = 0 ]; then
+  echo "node-joiner successfully completed, extracting ISO image..."
+  oc cp -n openshift-node-joiner node-joiner:/assets/agent-addnodes.x86_64.iso agent-addnodes.x86_64.iso
+else
+  oc logs node-joiner -n openshift-node-joiner 
+  echo "node-joiner failed"
+fi
+
+# Remove all the resources previously created.
+echo "Cleaning up"
+oc delete namespace openshift-node-joiner --grace-period=0 >/dev/null 2>&1 &
