Adding a Day 2 service node

This section provides the steps for adding a Day 2 service node to an existing IBM Fusion HCI rack.

Before you begin

Ensure that you meet these prerequisites before adding a Day 2 service node:

  1. Create DNS entry:
    1. Create a DNS record for the service node by using the format servicenode-1.<domain.com>.
    2. Ensure that both forward (A/AAAA) and reverse (PTR) lookups are properly configured.
  2. DHCP configuration (if applicable):

    If the existing cluster uses DHCP-based IP assignment, create a DHCP reservation for the service node by using its MAC address. For more information about DHCP setup, see Setting up DHCP.

  3. Cluster information:

    Keep the following cluster details readily available:

    • OpenShift® Bare metal VLAN ID
    • Rack generation type (Gen1 or Gen2)
  4. Switch IP addresses:
    Retrieve the IP addresses of the following switches:
    • High-Speed Switch 1 (RU20)
    • High-Speed Switch 2 (RU21)
    • Management Switch 1 (RU18)
    • Management Switch 2 (RU19)
    To obtain the IP addresses, follow these steps:
    1. Log in to the OpenShift console user interface and go to Workloads > ConfigMaps.
    2. Select the project ibm-spectrum-fusion-ns.
    3. Search for kickstart and open the kickstart-<serial> ConfigMap.
    4. Scroll down to locate the IPv4 addresses of the switches. If IPv4 is not available, retrieve the IPv6 addresses.
  5. Switch credentials (ISFUSER):

    Obtain the password for user ISFUSER on all switches (RU18, RU19, RU20, RU21).

    To retrieve the passwords:
    1. Log in to the OpenShift console user interface and go to Workloads > Secrets.
    2. Select the project ibm-spectrum-fusion-ns.
    3. Search by using:
      • hspeed1 (High-Speed Switch 1), hspeed2 (High-Speed Switch 2)
      • mgmt1 (Management Switch 1)
      • mgmt2 (Management Switch 2)
    4. Open the secret named in the format <switch-name>-<serial>-<secret>.
  6. Static IP configuration (if applicable):
    If the cluster uses static IP addressing, keep the following details available for the service node:
    • Bare metal network IP (for example: 10.1.1.100/24)
    • Gateway IP
    • DNS server IP
    • NTP server IP
  7. Upsize the service node only when the cluster, switches and nodes are healthy and no maintenance activities are in progress.
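
A pre-flight check for prerequisite 1, added here as an example and not part of IBM's tooling: it confirms that every A/AAAA address of the service node record has a PTR record that points back to the same name. It assumes `dig` is installed; the function names and the example.com domain are placeholders.

```shell
#!/bin/sh
# Added example (not IBM's code): forward-confirmed reverse DNS check for the
# service node record. Assumes `dig` is installed; example.com is a placeholder.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the A and AAAA addresses for a name, dropping CNAME lines (trailing dot).
resolve_forward() {
    { dig +short A "$1"; dig +short AAAA "$1"; } | grep -v '\.$' || true
}

# Print the PTR target(s) for an address, lowercased, without the trailing dot.
resolve_reverse() {
    dig +short -x "$1" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]'
}

# Return 0 only if NAME resolves and every address has a PTR back to NAME.
check_fcrdns() {
    fc_name=$(lower "${1%.}")
    fc_addrs=$(resolve_forward "$fc_name")
    fc_rc=0
    if [ -z "$fc_addrs" ]; then
        echo "FAIL: no A/AAAA record for $fc_name" >&2
        return 1
    fi
    for fc_addr in $fc_addrs; do
        if resolve_reverse "$fc_addr" | grep -Fxq "$fc_name"; then
            echo "OK:   $fc_name -> $fc_addr -> $fc_name"
        else
            echo "FAIL: PTR for $fc_addr does not return $fc_name" >&2
            fc_rc=1
        fi
    done
    return "$fc_rc"
}

# Usage: ./check_dns.sh servicenode-1.example.com
if [ "$#" -ge 1 ]; then
    check_fcrdns "$1"
fi
```

A name that resolves forward but whose address has no PTR, or a PTR for a different host, is reported as a failure.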

Procedure

To add a Day 2 service node to an existing IBM Fusion HCI rack, follow these steps:
  1. Install the service node in the existing IBM Fusion HCI rack.
  2. Place the service node at RU33 for a Gen1 rack; otherwise, place it at RU23.
    Tip: A rack is considered a Gen1 rack if its control nodes are models 9155-C01 or 9155-C05.
  3. Cable the service node at your site.
    Note: The connection and wiring remain the same for Gen1, Gen2, and later versions of existing racks.
    1. Connect the high‑speed network interfaces:
      1. Connect Service Node 25GbE Port 1 to High-Speed Switch 1 (RU20), Port 1, by using a QSFP-to-SFP adapter and a 25GbE cable.
      2. Connect Service Node 25GbE Port 2 to High-Speed Switch 2 (RU21), Port 1, by using a QSFP-to-SFP adapter and a 25GbE cable.
    2. Connect the service node to the management switches:
      1. Connect the Service Node IMM/BMC port to Management Switch 1 (RU18), Port 33.
      2. Connect Service Node 4-port 1GbE NIC – Port 1 to Management Switch 2 (RU19), Port 33.
      3. Connect Service Node 4-port 1GbE NIC – Port 2 to Management Switch 1 (RU18), Port 35.
      4. Connect Service Node 4-port 1GbE NIC – Port 3 to Management Switch 2 (RU19), Port 35.
    3. Connect the out‑of‑band interface of the service node:
      1. Connect Service Node 4-port 1GbE NIC - Port 4 to the customer data center network to carry out-of-band traffic.
  4. Power on the service node and connect with KVM. Then log in to the RHEL OS by using the default user kni and password passw0rd.
  5. Change to the following directory:
    cd /home/kni/isfconfig
  6. Run the following command to change the permission for the script:
    chmod +x servicenode_script_1.sh
  7. Run script 1, servicenode_script_1.sh, from the current directory:
    ./servicenode_script_1.sh
    After script 1 completes successfully, IBM Fusion HCI automatically discovers the node, performs the required scale‑up operation, and displays the node in the IBM Fusion HCI user interface.

    To set up vault secrets and certification, run the servicenode_script_2_2.13.sh script as described in the following steps.

    Important:
    • If the IBM Fusion HCI rack is using an IPv6 stack on the provisioning network, run the ./servicenode_script_2.sh script. After running the script, the service node appears in the IBM Fusion HCI user interface.
    • If the IBM Fusion HCI rack is using an IPv4 stack on the provisioning network, skip running the ./servicenode_script_2.sh script as mentioned in the following steps.
  8. Set the IBM Fusion HCI namespace environment variable to ibm-spectrum-fusion-ns.
    For example:
    export FUSION_NAMESPACE="ibm-spectrum-fusion-ns"
  9. Ensure that the following files are present in the /home/kni/isfconfig directory:
    • kickstart.json
    • appliance-info.json
  10. Run the following oc login command to log in to the OpenShift Container Platform cluster:
    KUBECONFIG=/tmp/remote-ocp-config oc login --token=sha256~TOKEN --server=https://api.rackName.fusion.tadn.ibm.com:6443 --insecure-skip-tls-verify=true
  11. Run the following command to verify that you are logged in to the cluster:
    KUBECONFIG=/tmp/remote-ocp-config oc get secret -n ${FUSION_NAMESPACE}
    If you cannot see the secret list in the ibm-spectrum-fusion-ns namespace, check the oc login command again and make sure that you have the correct remote access to the cluster.
  12. Run the following command to change the permission for the script:
    chmod +x servicenode_script_2_2.13.sh
  13. Run the following command to keep a backup of the vault files:
    sudo cp -r /var/vault /var/vault_backup/
  14. Check if the service node entry is present in the KickStart configmap by running the following command:
    KICKSTART_CM=$(KUBECONFIG=/tmp/remote-ocp-config kubectl get configmap appliance-info -n ibm-spectrum-fusion-ns -o json | jq -r '.data | to_entries[0].value | fromjson | .kickstartCM') && KUBECONFIG=/tmp/remote-ocp-config kubectl get configmap "$KICKSTART_CM" -n ibm-spectrum-fusion-ns -o json | jq -r '.data."kickstart.json"' | jq -r '.computeNodeIntegratedManagementModules[] | select(.type=="servicenode")'
    If the command returns a result for "servicenode-*", proceed to the next step. Otherwise, wait until the entry is added to the KickStart configmap.

    If the service node entry is not added to the KickStart configmap after 10 minutes, contact IBM Support.

  15. Important: To run the servicenode_script_2_2.13.sh script, remote login to the OpenShift Container Platform cluster is required. Ensure that you have the correct access credentials before executing the script. If login issues occur, resolve them before proceeding with script execution.
    Run the servicenode_script_2_2.13.sh script that is located in the /home/kni/isfconfig/ directory by using the following command:
    KUBECONFIG=/tmp/remote-ocp-config /home/kni/isfconfig/servicenode_script_2_2.13.sh
    Ensure that the script execution is successful.
  16. Back up the vault-secret and vault-login-secret from the OpenShift Container Platform for future reference.
    Important: Download and securely store the vault-secret and vault-login-secret YAML from OpenShift Container Platform in ibm-spectrum-fusion-ns namespace after a successful servicenode_script_2_2.13.sh execution.
  17. After completing the previous steps, run the following command to delete the temporary configuration file.
    rm /tmp/remote-ocp-config ; rm /tmp/extracted_* 
  18. If you backed up the vault secret and vault login secret, then you can delete the /var/vault_backup directory from the newly added service node.
    rm -rf /var/vault_backup/
  19. To enable automated credential rotation, manually update the base rack PlatformConfig file after successfully adding the service node. For more information, see Enabling password rotation for IBM Fusion HCI system.

If the service node does not appear in the IBM Fusion HCI user interface, contact IBM Support.
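
One way to carry out steps 16 and 17 from the command line, added here as an example and not IBM's own script: it exports vault-secret and vault-login-secret to files that only the current user can read, and removes the temporary kubeconfig only after both exports exist. The backup directory argument, the KUBECONFIG_TMP variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's script). Assumes the oc session from the procedure;
# the backup directory passed as $1 is a hypothetical path chosen by the operator.

FUSION_NAMESPACE="${FUSION_NAMESPACE:-ibm-spectrum-fusion-ns}"
KUBECONFIG_TMP="${KUBECONFIG_TMP:-/tmp/remote-ocp-config}"

# Export vault-secret and vault-login-secret as YAML into DIR ($1).
backup_vault_secrets() {
    bk_dir=$1
    bk_rc=0
    bk_umask=$(umask)
    umask 077   # new files are 0600 and new directories 0700 from creation
    if ! { mkdir -p "$bk_dir" && chmod 700 "$bk_dir"; }; then
        umask "$bk_umask"
        return 1
    fi
    for bk_name in vault-secret vault-login-secret; do
        bk_out="$bk_dir/$bk_name.yaml"
        if KUBECONFIG="$KUBECONFIG_TMP" oc get secret "$bk_name" \
                -n "$FUSION_NAMESPACE" -o yaml > "$bk_out.tmp" &&
            grep -q '^kind: Secret' "$bk_out.tmp"; then
            mv "$bk_out.tmp" "$bk_out"
        else
            rm -f "$bk_out.tmp"   # never keep an empty or partial export
            echo "FAIL: could not export $bk_name" >&2
            bk_rc=1
        fi
    done
    umask "$bk_umask"
    return "$bk_rc"
}

# Remove the token-bearing kubeconfig only once both exports exist in DIR ($1).
cleanup_after_backup() {
    for cl_name in vault-secret vault-login-secret; do
        if [ ! -s "$1/$cl_name.yaml" ]; then
            echo "FAIL: $cl_name backup missing, keeping $KUBECONFIG_TMP" >&2
            return 1
        fi
    done
    rm -f "$KUBECONFIG_TMP"
}

# Usage: ./backup_vault_secrets.sh /path/to/backup-dir
if [ "$#" -ge 1 ]; then
    backup_vault_secrets "$1" && cleanup_after_backup "$1"
fi
```

Move the exported YAML files off the service node to the storage location your site uses for secrets before deleting /var/vault_backup in step 18.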