A CLI tool and set of libraries that verify the pre-configured networking components for ROSA and OSD CCS clusters.
osd-network-verifier can be used before or after the installation of OSD/ROSA clusters to ensure the network configuration is set up correctly per the OSD requirements listed at https://docs.openshift.com/container-platform/4.6/installing/installing_aws/installing-aws-vpc.html#installation-custom-aws-vpc-requirements_installing-aws-vpc
It currently verifies:
- Egress from VPC subnets to essential OSD domains
- DNS resolution in a VPC
The recommended workflow for diagnostic use of ONV is shown in the following flow diagram:
- `make build`: builds the `osd-network-verifier` executable in the base directory
If interested, please fork this repo and create pull requests against the main branch.
The lists of essential domains for egress verification are maintained in pkg/data/egress_lists. The network verifier dynamically pulls down the list of endpoints from the most recent commit, so egress lists can be updated quickly without requiring a new osd-network-verifier release.
Network-verifier knows which list to pull by using the platform interface. For example, if the AWSClassic platform type is used, network-verifier pulls down the egress list associated with that platform type.
It is also possible to pass in a custom list of egress endpoints with the --egress-list-location flag.
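The core of the egress check described above, reduced to its essentials as an added example (this is not the project's own code): each host:port in an egress list is dialed with a timeout and the unreachable endpoints are collected for reporting. The `Endpoint` type, the `Dialer` interface and the sample list are assumptions made for this example; the real lists live in pkg/data/egress_lists.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"sort"
	"time"
)

// Endpoint is one entry of an egress list: a hostname plus the TCP ports the
// cluster must be able to reach. Constructed type for this example only.
type Endpoint struct {
	Host  string
	Ports []int
}

// Dialer is the minimal interface the check needs; *net.Dialer satisfies it,
// and a stub can stand in for it when testing offline.
type Dialer interface {
	DialContext(ctx context.Context, network, addr string) (net.Conn, error)
}

// VerifyEgress dials every host:port in the list and returns the addresses
// that could not be reached within the timeout, sorted for stable reporting.
func VerifyEgress(ctx context.Context, d Dialer, list []Endpoint, timeout time.Duration) []string {
	var blocked []string
	for _, ep := range list {
		for _, port := range ep.Ports {
			addr := net.JoinHostPort(ep.Host, fmt.Sprint(port))
			dctx, cancel := context.WithTimeout(ctx, timeout)
			conn, err := d.DialContext(dctx, "tcp", addr)
			cancel()
			if err != nil {
				blocked = append(blocked, addr) // dial failed: record and move on
				continue
			}
			conn.Close() // connectivity confirmed; no payload is sent
		}
	}
	sort.Strings(blocked)
	return blocked
}

func main() {
	// Constructed sample list; the real per-platform lists are in pkg/data/egress_lists.
	list := []Endpoint{
		{Host: "registry.redhat.io", Ports: []int{443}},
		{Host: "quay.io", Ports: []int{443}},
	}
	for _, b := range VerifyEgress(context.Background(), &net.Dialer{}, list, 5*time.Second) {
		fmt.Println("blocked:", b)
	}
}
```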
Probes within the verifier are responsible for a number of important tasks, including:
- determining which machine images are to be used
- parsing cloud instance console output
- configuring the instructions sent to the cloud instance
Probes are cloud-platform-agnostic by design, meaning that their implementations are not specific to any one cloud provider. All probes must honor the contract defined by the base probe interface. By default, the verifier uses the curl probe.
Each probe is responsible for determining its list of approved machine images.
The list of images (RHEL base images) that osd-network-verifier selects from is maintained in pkg/probes/<probe_name>/machine_images.go.
Which image is selected depends on the platform, region and CPU architecture type.
By default, "X86" is used unless manually overridden by the --cpu-arch flag.
The version ID in the IAM permissions policy may need to be updated to match the specification in the AWS docs.
The Terraform scripts in this repository (under /examples/aws/terraform/) allow you to quickly deploy temporary AWS VPCs for testing the network verifier against several common network scenarios. See each subdirectory's README for more details and usage instructions:
- VPC with no firewall
- VPC with an egress firewall
- VPC with an explicit proxy server
- VPC with a transparent proxy server
The platform struct type is used to inform network-verifier of the platform type it is running on (AWSClassic, GCPClassic, etc.) and can be referred to by supported aliases. For example, "aws" and "aws-classic" are both mapped to "AWSClassic". These platform types are used to determine information such as which egress verification list, machine type, and CPU type to use.
```go
type Platform struct {
	// names holds 3 unique lowercase names of the Platform (e.g., "aws"). We use a fixed-
	// size array so that this struct remains comparable. Any of the 3 values can be used to refer
	// to this specific Platform via Platform.ByName(), but only the first (element
	// 0) element will be the "preferred name" returned by Platform.String()
	names [3]string
}
```
Currently network-verifier supports four Platform types:
- AWSClassic
- AWSHCP
- AWSHCPZeroEgress
- GCPClassic
Network-verifier uses these supported platform types to determine information such as which egress verification list, machine type, and CPU type to use.
See RELEASE.md