# Adding Compute/Worker nodes This SOP should be used in the following scenario: - Red Hat OpenShift Container Platform 4.x cluster has been installed some time ago (1+ days ago) and additional worker nodes are required to increase the capacity for the cluster. ## Steps 1. Add the new nodes being added to the cluster to the appropriate inventory file in the appropriate group. eg: ``` # ocp, compute/worker: [ocp-ci-compute] newnode1.example.centos.org newnode2.example.centos.org newnode3.example.centos.org newnode4.example.centos.org newnode5.example.centos.org ``` eg: ``` # ocp.stg, compute/worker: [ocp-stg-ci-compute] newnode6.example.centos.org newnode7.example.centos.org newnode8.example.centos.org newnode9.example.centos.org # ocp.stg, master/control plane [ocp-stg-ci-master] newnode10.example.centos.org ``` 2. Examine the `inventory` file for `ocp` or `ocp.stg` and determine which management node corresponds with the group `ocp-ci-management`. eg: ``` [ocp-ci-management] some-managementnode.example.centos.org ``` 3. Find the OCP admin user which is contained in the hostvars for this management node at the key `ocp_service_account`. eg: ``` host_vars/some-managementnode.example.centos.org:ocp_service_account: adminuser ``` 4. SSH to the node identified in step `2`, and become the user identified in step `3`. eg: ``` ssh some-managementnode.example.centos.org sudo su - adminuser ``` 5. Verify that you are authenticated correctly to the Openshift cluster as the `system:admin`. ``` oc whoami system:admin ``` 6. Retrieve the certificate from the internal API and convert the contents to base64 string like so. eg: ``` echo "q" | openssl s_client -connect api-int.ocp.ci.centos.org:22623 -showcerts | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | base64 --wrap=0 DONE XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXCERTSTOREDASABASE64ENCODEDSTRING= ``` 7. Replace the cert in the compute/worker ignition file, at the `XXXXXXXXREPLACEMEXXXXXXXX=` point, be sure to save this change in SCM, and push. ``` cat filestore/rhcos/compute.ign {"ignition":{"config":{"append":[{"source":"https://api-int.ocp.ci.centos.org:22623/config/worker","verification":{}}]},"security":{"tls":{"certificateAuthorities":[{"source":"data:text/plain;charset=utf-8;base64,XXXXXXXXREPLACEMEXXXXXXXX=","verification":{}}]}},"timeouts":{},"version":"2.2.0"},"networkd":{},"passwd":{},"storage":{"disks":[{"device":"/dev/sdb","wipeTable":true}]},"systemd":{}} ``` 8. Once the ignition file has been updated, run the `adhoc-provision-ocp4-node` playbook to copy the updated ignition files up to the http server, and install the new node(s). When prompted, specify the hostname of the new node. Best to do one at a time, it takes a minute or two per new node being added at this step. eg: ``` ansible-playbook playbooks/adhoc-provision-ocp4-node.yml [WARNING] Nodes to be fully wiped/reinstalled with OCP => : newnode6.example.centos.org ``` 9. As the new nodes are provisioned, they will attempt to join the cluster. They must first be accepted. ``` # List the certs. If you see status pending, this is the worker/compute nodes attempting to join the cluster. It must be approved. oc get csr # Accept all node CSRs one liner oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve ``` 10. Finally run the playbook to update haproxy config to monitor the new nodes. ``` ansible-playbook playbooks/role-haproxy.yml --tags="config" ``` To see more information about adding new worker/compute nodes to a user provisioned infrastructure based OCP4 cluster see the detailed steps at [1],[2]. ### Resources - [1] [How to add Openshift 4 RHCOS worker nodes in UPI <24 hours](https://access.redhat.com/solutions/4246261) - [2] [How to add Openshift 4 RHCOS worker nodes to UPI >24 hours](https://access.redhat.com/solutions/4799921)