Bug 1834177 - NSG definition need update in Azure ARM template
Summary: NSG definition need update in Azure ARM template
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.5
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.5.0
Assignee: John Hixson
QA Contact: Mike Gahagan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-05-11 08:55 UTC by Gaoyun Pei
Modified: 2020-07-13 17:37 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-13 17:36:48 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 3583 0 None closed bug 1834177: upi/azure: Use a single network security group for Azure clusters 2020-06-24 02:15:50 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:37:26 UTC

Description Gaoyun Pei 2020-05-11 08:55:52 UTC
Description of problem:
After https://github.com/openshift/installer/pull/3561 merged, we're using only one nsg for Azure clusters in IPI, should also update the nsg definition in https://github.com/openshift/installer/blob/master/upi/azure/01_vnet.json accordingly.

With the existing ARM templates, 4.5 UPI install will fail in provisioning ingress LB, it's looking for '<InfraID>-nsg', while we created '<InfraID>-controlplane-nsg' and '<InfraID>-node-nsg'.


# oc -n openshift-ingress get service router-default
NAME             TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
router-default   LoadBalancer   172.30.4.111   <pending>     80:30404/TCP,443:32032/TCP   3h26m

 oc describe -n openshift-ingress service router-default 
Name:                     router-default
Namespace:                openshift-ingress
Labels:                   app=router
                          ingresscontroller.operator.openshift.io/owning-ingresscontroller=default
                          router=router-default
Annotations:              <none>
Selector:                 ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
Type:                     LoadBalancer
IP:                       172.30.4.111
Port:                     http  80/TCP
TargetPort:               http/TCP
NodePort:                 http  30404/TCP
Endpoints:                10.128.2.3:80,10.131.0.11:80
Port:                     https  443/TCP
TargetPort:               https/TCP
NodePort:                 https  32032/TCP
Endpoints:                10.128.2.3:443,10.131.0.11:443
Session Affinity:         None
External Traffic Policy:  Local
HealthCheck NodePort:     32170
Events:
  Type     Reason                  Age                    From                Message
  ----     ------                  ----                   ----                -------
  Warning  SyncLoadBalancerFailed  125m (x19 over 3h10m)  service-controller  Error syncing load balancer: failed to ensure load balancer: nsg "xxia1-0511-hxzc6-nsg" not found
  Normal   EnsuringLoadBalancer    2s (x44 over 3h10m)    service-controller  Ensuring load balancer
  

Version-Release number of the following components:
registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-05-11-011730

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

Additional info:
Please attach logs from ansible-playbook with the -vvv flag

Comment 3 Mike Gahagan 2020-05-15 20:02:01 UTC
Confirmed this issue is fixed with 4.5.0-0.nightly-2020-05-14-093010, also confirmed affected nightly builds can be installed if you use the updated ARM template for the vnet. 


[m@localhost ~]$ oc -n openshift-ingress get service router-default
NAME             TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
router-default   LoadBalancer   172.30.52.139   52.228.227.186   80:32743/TCP,443:32057/TCP   34m
[m@localhost ~]$ oc describe -n openshift-ingress service router-default
Name:                     router-default
Namespace:                openshift-ingress
Labels:                   app=router
                          ingresscontroller.operator.openshift.io/owning-ingresscontroller=default
                          router=router-default
Annotations:              <none>
Selector:                 ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
Type:                     LoadBalancer
IP:                       172.30.52.139
LoadBalancer Ingress:     52.228.227.186
Port:                     http  80/TCP
TargetPort:               http/TCP
NodePort:                 http  32743/TCP
Endpoints:                10.128.2.10:80,10.131.0.3:80
Port:                     https  443/TCP
TargetPort:               https/TCP
NodePort:                 https  32057/TCP
Endpoints:                10.128.2.10:443,10.131.0.3:443
Session Affinity:         None
External Traffic Policy:  Local
HealthCheck NodePort:     30776
Events:
  Type    Reason                Age   From                Message
  ----    ------                ----  ----                -------
  Normal  EnsuringLoadBalancer  35m   service-controller  Ensuring load balancer
  Normal  EnsuredLoadBalancer   34m   service-controller  Ensured load balancer
  Normal  EnsuringLoadBalancer  33m   service-controller  Ensuring load balancer
  Normal  EnsuredLoadBalancer   33m   service-controller  Ensured load balancer
  Normal  EnsuringLoadBalancer  33m   service-controller  Ensuring load balancer
  Normal  EnsuredLoadBalancer   33m   service-controller  Ensured load balancer
  Normal  EnsuringLoadBalancer  30m   service-controller  Ensuring load balancer
  Normal  EnsuredLoadBalancer   30m   service-controller  Ensured load balancer
  Normal  EnsuringLoadBalancer  27m   service-controller  Ensuring load balancer
  Normal  EnsuredLoadBalancer   27m   service-controller  Ensured load balancer
  Normal  EnsuringLoadBalancer  24m   service-controller  Ensuring load balancer
  Normal  EnsuredLoadBalancer   24m   service-controller  Ensured load balancer
  Normal  UpdatedLoadBalancer   22m   service-controller  Updated load balancer with new hosts
  Normal  EnsuringLoadBalancer  20m   service-controller  Ensuring load balancer
  Normal  EnsuredLoadBalancer   20m   service-controller  Ensured load balancer
  Normal  EnsuringLoadBalancer  15m   service-controller  Ensuring load balancer
  Normal  EnsuredLoadBalancer   15m   service-controller  Ensured load balancer
[m@localhost ~]$ oc get co
NAME                                       VERSION                             AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication                             4.5.0-0.nightly-2020-05-14-093010   True        False         False      16m
cloud-credential                           4.5.0-0.nightly-2020-05-14-093010   True        False         False      44m
cluster-autoscaler                         4.5.0-0.nightly-2020-05-14-093010   True        False         False      34m
config-operator                            4.5.0-0.nightly-2020-05-14-093010   True        False         False      34m
console                                    4.5.0-0.nightly-2020-05-14-093010   True        False         False      19m
csi-snapshot-controller                    4.5.0-0.nightly-2020-05-14-093010   True        False         False      23m
dns                                        4.5.0-0.nightly-2020-05-14-093010   True        False         False      40m
etcd                                       4.5.0-0.nightly-2020-05-14-093010   True        False         False      39m
image-registry                             4.5.0-0.nightly-2020-05-14-093010   True        False         False      23m
ingress                                    4.5.0-0.nightly-2020-05-14-093010   True        False         False      23m
insights                                   4.5.0-0.nightly-2020-05-14-093010   True        False         False      35m
kube-apiserver                             4.5.0-0.nightly-2020-05-14-093010   True        False         False      38m
kube-controller-manager                    4.5.0-0.nightly-2020-05-14-093010   True        False         False      39m
kube-scheduler                             4.5.0-0.nightly-2020-05-14-093010   True        False         False      38m
kube-storage-version-migrator              4.5.0-0.nightly-2020-05-14-093010   True        False         False      23m
machine-api                                4.5.0-0.nightly-2020-05-14-093010   True        False         False      30m
machine-approver                           4.5.0-0.nightly-2020-05-14-093010   True        False         False      37m
machine-config                             4.5.0-0.nightly-2020-05-14-093010   True        False         False      33m
marketplace                                4.5.0-0.nightly-2020-05-14-093010   True        False         False      34m
monitoring                                 4.5.0-0.nightly-2020-05-14-093010   True        False         False      17m
network                                    4.5.0-0.nightly-2020-05-14-093010   True        False         False      41m
node-tuning                                4.5.0-0.nightly-2020-05-14-093010   True        False         False      41m
openshift-apiserver                        4.5.0-0.nightly-2020-05-14-093010   True        False         False      33m
openshift-controller-manager               4.5.0-0.nightly-2020-05-14-093010   True        False         False      34m
openshift-samples                          4.5.0-0.nightly-2020-05-14-093010   True        False         False      33m
operator-lifecycle-manager                 4.5.0-0.nightly-2020-05-14-093010   True        False         False      40m
operator-lifecycle-manager-catalog         4.5.0-0.nightly-2020-05-14-093010   True        False         False      40m
operator-lifecycle-manager-packageserver   4.5.0-0.nightly-2020-05-14-093010   True        False         False      35m
service-ca                                 4.5.0-0.nightly-2020-05-14-093010   True        False         False      41m
storage                                    4.5.0-0.nightly-2020-05-14-093010   True        False         False      35m

Comment 4 errata-xmlrpc 2020-07-13 17:36:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409


Note You need to log in before you can comment on or make changes to this bug.