NETOBSERV-220 implement ovn-kubernetes reconciler #97
Conversation
|
Skipping CI for Draft Pull Request. |
|
cc @eranra |
jotak
changed the title
| HostNetwork: hostNetwork, | ||
| DNSPolicy: corev1.DNSClusterFirst, |
There was a problem hiding this comment.
As already commented in another thread:
- You don't need to use the host network. I could confirm in a manual deployment that (1) the FLP Daemonset can be deployed without
hostNetwork: trueand (2) the agent can anyway use the HostIP + FLP Port to only send flows to its own host. - If anyway you want to use
hostNetwork: trueby any other reason I'm not aware of, you need to setDNSPolicy: corev1.DNSClusterFirstWithHostNetto allow FLP to access K8s services by its name, such aslokiwhile keeping the host network.
| if err := ovsConfigController.Reconcile(ctx, desired, gfReconciler.GetServiceName(desired.Spec.Kafka)); err != nil { | ||
| return ctrl.Result{}, | ||
| fmt.Errorf("failed to reconcile ovs-flows-config ConfigMap: %w", err) | ||
| if desired.Spec.ClusterNetworkOperator.Namespace != "" { |
There was a problem hiding this comment.
maybe I should replace the namespace check with something more explicit like a new field Spec.ClusterNetworkOperator.Enabled to switch between ovn-k and CNO
There was a problem hiding this comment.
To avoid user intervention by means of configuration, in some other parts of the we try to discover if components are enabled by fetching concrete ApiService, e.g:
- https://github.com/netobserv/network-observability-operator/blob/main/pkg/discover/discover.go#L32-L43
- https://github.com/netobserv/network-observability-operator/blob/main/controllers/flowcollector_controller.go#L216-L224
I don't know if this could be useful also in this case.
There was a problem hiding this comment.
Actually I see that you are already using discovery here.
Can we assume that any OpenShift cluster with OVN-K will have the CNO already installed?
Off-topic: as a future task, it would be nice to discover OVN-K or another CNI and then deploy IPFIX or eBPF by default.
There was a problem hiding this comment.
So I'm using the discovery client to check for presence of the CNO now.
I haven't done the ebpf switch as you suggest although I agree it will be nice
| @@ -110,26 +110,17 @@ Note that the `FlowCollector` resource must be unique and must be named `cluster | |||
|
|
|||
| ## Enabling OVS IPFIX export | |||
|
|
|||
| If you use OpenShift 4.10, you don't have anything to do: the operator will configure OVS *via* the Cluster Network Operator. Else, some manual steps are still required: | |||
| If you use OpenShift 4.10 or the upstream ovn-kubernetes without OpenShift, you don't have anything to do: the operator will configure OVS *via* OpenShift Cluster Network Operator, or the ovn-kubernetes layer directly. | |||
There was a problem hiding this comment.
I'd create a new JIRA issue to document eBPF as an alternative to IPFIX that is not restricted to OVN and might work out of the box with OpenShift 4.8/4.9
There was a problem hiding this comment.
oh yes exactly, I wanted to ask you if you had that planned already :)
There was a problem hiding this comment.
Created JIRA issue: https://issues.redhat.com/browse/NETOBSERV-370
| if err := ovsConfigController.Reconcile(ctx, desired, gfReconciler.GetServiceName(desired.Spec.Kafka)); err != nil { | ||
| return ctrl.Result{}, | ||
| fmt.Errorf("failed to reconcile ovs-flows-config ConfigMap: %w", err) | ||
| if desired.Spec.ClusterNetworkOperator.Namespace != "" { |
There was a problem hiding this comment.
To avoid user intervention by means of configuration, in some other parts of the we try to discover if components are enabled by fetching concrete ApiService, e.g:
- https://github.com/netobserv/network-observability-operator/blob/main/pkg/discover/discover.go#L32-L43
- https://github.com/netobserv/network-observability-operator/blob/main/controllers/flowcollector_controller.go#L216-L224
I don't know if this could be useful also in this case.
| if err := ovsConfigController.Reconcile(ctx, desired, gfReconciler.GetServiceName(desired.Spec.Kafka)); err != nil { | ||
| return ctrl.Result{}, | ||
| fmt.Errorf("failed to reconcile ovs-flows-config ConfigMap: %w", err) | ||
| if desired.Spec.ClusterNetworkOperator.Namespace != "" { |
There was a problem hiding this comment.
Actually I see that you are already using discovery here.
Can we assume that any OpenShift cluster with OVN-K will have the CNO already installed?
Off-topic: as a future task, it would be nice to discover OVN-K or another CNI and then deploy IPFIX or eBPF by default.
| ) | ||
|
|
||
| const ( | ||
| // Make configurable? |
There was a problem hiding this comment.
I think we should find a way, with the difficulty that the default value would be openshift-ovn-kubernetes for downstream OpenShift and ovn-kubernetes for upstream OVN-K.
But I don't think it's something mandatory right now.
There was a problem hiding this comment.
done, there's a new entry in CR now to define upstream ovnk setup
I don't think it's very useful to handle the upstream ovnk case with openshift, I guess we can assume that the CNO will be used in that case.
| return err | ||
| } | ||
|
|
||
| ovnkubeNode := reconcilers.FindContainer(¤t.Spec.Template.Spec, "ovnkube-node") |
There was a problem hiding this comment.
instead of the literal, shall you use the constant ovnkDSName?
There was a problem hiding this comment.
I actually introduced it as a config
Distinct case openshift / other for hostnetwork - With Openshift use its SCC API - Else use pod's spec hostnetwork Update documentation
- Configure ovnk (namespace, daemonset, container name). Defaults should work in most cases. - Detect CNO presence to switch between CNO or upstream ovnk - Merge the existing Console detection in a new "AvailableAPIs" mechanism in the existing dicover package
| @@ -0,0 +1,51 @@ | |||
| package discover | |||
There was a problem hiding this comment.
Nice! In a future patch I'll merge here the Openshift/Vanilla kubernetes
There was a problem hiding this comment.
yeah I wasn't sure if your permissions code could be merged or if there was some additional logic
| if !apis.HasCNO() { | ||
| log.Info("CNO not detected: using ovnKubernetes config and reconciler") | ||
| } |
There was a problem hiding this comment.
Is the intention here only to log a message?
There was a problem hiding this comment.
yes, I find it useful while checking the logs :)
|
thanks @mariomac ! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jotak The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
It's creating a new reconciler for upstream ovn-k daemonset config