From a9dd1a494a7b76fe2b38ebb9972dc045f052e2cd Mon Sep 17 00:00:00 2001 From: "Oleksandr K." Date: Fri, 25 Oct 2024 19:54:08 +0200 Subject: [PATCH] [ATMOSPHERE-497] [stable/2024.1] chart: sync ovn with upstream (#2028) Co-authored-by: okozachenko1203 Co-authored-by: Mohammed Naser --- .charts.yml | 5 +- charts/ovn/Chart.yaml | 2 +- .../templates/bin/_ovn-controller-init.sh.tpl | 19 +- .../templates/daemonset-controller-gw.yaml | 191 ------------- .../ovn/templates/daemonset-controller.yaml | 135 +++++++++- charts/ovn/templates/deployment-northd.yaml | 1 + .../ovn/templates/statefulset-ovsdb-nb.yaml | 5 +- .../ovn/templates/statefulset-ovsdb-sb.yaml | 4 +- charts/ovn/values.yaml | 95 +++---- .../ovn/0001-switch-to-ovn-kubernetes.patch | 250 ++++++------------ .../patches/ovn/0002-add-logging-parser.patch | 183 ++++--------- .../ovn/0003-oci-image-registry-secret.patch | 14 - molecule/aio/group_vars/all/molecule.yml | 2 - roles/defaults/vars/main.yml | 1 + roles/ovn/vars/main.yml | 3 + 15 files changed, 323 insertions(+), 587 deletions(-) delete mode 100644 charts/ovn/templates/daemonset-controller-gw.yaml delete mode 100644 charts/patches/ovn/0003-oci-image-registry-secret.patch diff --git a/.charts.yml b/.charts.yml index c19c5ef57..4c3e37195 100644 --- a/.charts.yml +++ b/.charts.yml @@ -172,14 +172,13 @@ charts: repository: *openstack_helm_infra_repository dependencies: *openstack_helm_dependencies - name: ovn - version: 0.1.4 + version: 0.1.13 repository: *openstack_helm_infra_repository dependencies: *openstack_helm_dependencies patches: gerrit: review.opendev.org: - - 893739 - - 914807 + - 933333 - name: placement version: 0.3.9 repository: *openstack_helm_repository diff --git a/charts/ovn/Chart.yaml b/charts/ovn/Chart.yaml index 8ac48b43b..00f498b4b 100644 --- a/charts/ovn/Chart.yaml +++ b/charts/ovn/Chart.yaml @@ -9,4 +9,4 @@ name: ovn sources: - https://github.com/ovn-org/ovn - https://opendev.org/openstack/openstack-helm -version: 0.1.4 +version: 0.1.13 
diff --git a/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl b/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl index 77e1e687a..1d303c8d9 100644 --- a/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl +++ b/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl @@ -18,7 +18,7 @@ ANNOTATION_KEY="atmosphere.cloud/ovn-system-id" function get_ip_address_from_interface { local interface=$1 - local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $1}') + local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' 'NR==1 {print $1}') if [ -z "${ip}" ] ; then exit 1 fi @@ -27,7 +27,7 @@ function get_ip_address_from_interface { function get_ip_prefix_from_interface { local interface=$1 - local prefix=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $2}') + local prefix=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' 'NR==1 {print $2}') if [ -z "${prefix}" ] ; then exit 1 fi @@ -70,7 +70,7 @@ function migrate_ip_from_nic { elif [[ -z "${bridge_ip}" && -z "${ip}" ]]; then echo "Interface and bridge have no ips configured. Leaving as is." else - echo "Interface ${name} has invalid IP address. IP:[${ip}]; Prefix:[${prefix}]..." + echo "Interface ${src_nic} has invalid IP address. IP:[${ip}]; Prefix:[${prefix}]..." exit 1 fi 
@@ -144,13 +144,20 @@ ovs-vsctl set open . external-ids:rundir="/var/run/openvswitch" ovs-vsctl set open . external-ids:ovn-encap-type="{{ .Values.conf.ovn_encap_type }}" ovs-vsctl set open . external-ids:ovn-bridge="{{ .Values.conf.ovn_bridge }}" ovs-vsctl set open . external-ids:ovn-bridge-mappings="{{ .Values.conf.ovn_bridge_mappings }}" -ovs-vsctl set open . external-ids:ovn-cms-options="${OVN_CMS_OPTIONS}" + +GW_ENABLED=$(cat /tmp/gw-enabled/gw-enabled) +if [[ ${GW_ENABLED} == {{ .Values.labels.ovn_controller_gw.node_selector_value }} ]]; then + ovs-vsctl set open . external-ids:ovn-cms-options={{ .Values.conf.ovn_cms_options_gw_enabled }} +else + ovs-vsctl set open . external-ids:ovn-cms-options={{ .Values.conf.ovn_cms_options }} +fi + {{ if .Values.conf.ovn_bridge_datapath_type -}} ovs-vsctl set open . external-ids:ovn-bridge-datapath-type="{{ .Values.conf.ovn_bridge_datapath_type }}" {{- end }} # Configure hostname -{{- if .Values.conf.use_fqdn.compute }} +{{- if .Values.pod.use_fqdn.compute }} ovs-vsctl set open . external-ids:hostname="$(hostname -f)" {{- else }} ovs-vsctl set open . external-ids:hostname="$(hostname)" @@ -164,7 +171,7 @@ do bridge=${bmap%:*} iface=${bmap#*:} ovs-vsctl --may-exist add-br $bridge -- set bridge $bridge protocols=OpenFlow13 - if [ -n "$iface" ] && [ "$iface" != "null" ] + if [ -n "$iface" ] && [ "$iface" != "null" ] && ( ip link show $iface 1>/dev/null 2>&1 ); then ovs-vsctl --may-exist add-port $bridge $iface migrate_ip_from_nic $iface $bridge diff --git a/charts/ovn/templates/daemonset-controller-gw.yaml b/charts/ovn/templates/daemonset-controller-gw.yaml deleted file mode 100644 index 3ecd81dc8..000000000 --- a/charts/ovn/templates/daemonset-controller-gw.yaml +++ /dev/null 
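Review bot: The two new `ovs-vsctl set open . external-ids:ovn-cms-options={{ .Values.conf.ovn_cms_options_gw_enabled }}` / `...={{ .Values.conf.ovn_cms_options }}` lines drop the double quotes that the removed `"${OVN_CMS_OPTIONS}"` form had, so an operator-supplied value containing whitespace would be word-split by the shell before it reaches ovs-vsctl. The defaults in values.yaml (`enable-chassis-as-gw,availability-zones=nova`) happen to be safe, but the template should not depend on that; wrap both expansions, e.g. `ovs-vsctl set open . external-ids:ovn-cms-options="{{ .Values.conf.ovn_cms_options_gw_enabled }}"`. The `[[ ${GW_ENABLED} == {{ .Values.labels.ovn_controller_gw.node_selector_value }} ]]` test has the same shape; quoting the right-hand side turns the implicit pattern match into a plain string comparison. The enclosing script continues on both sides of the hunk.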
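Review bot: The added `( ip link show $iface 1>/dev/null 2>&1 )` guard in the bridge-mapping loop makes a misspelt or absent interface in `ovn_bridge_mappings` silently yield a bridge with no uplink, with nothing in the init-container log to explain why. An `else` branch such as `echo "interface ${iface} for bridge ${bridge} not found, skipping" >&2` keeps the new tolerant behaviour but leaves a trace for the operator. `$iface` should also be quoted in the test, consistent with the `"$iface"` quoting on the same line, and the subshell parentheses are not needed. The surrounding `for` loop continues outside the hunk.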
@@ -1,191 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- define "controllerGatewayReadinessProbeTemplate" }} -exec: - command: - - /usr/bin/ovn-kube-util - - readiness-probe - - -t - - ovn-controller -{{- end }} - -{{- if .Values.manifests.daemonset_ovn_controller_gw }} -{{- $envAll := . }} - -{{- $configMapName := "ovn-etc" }} -{{- $serviceAccountName := "ovn-controller-gw" }} -{{ tuple $envAll "ovn_controller_gw" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ovn-controller-gw - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} - configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} - labels: -{{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - type: gw -spec: - selector: - matchLabels: -{{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} - type: gw - template: - metadata: - labels: -{{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - type: gw - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} - configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-etc-hash: {{ tuple "configmap-etc.yaml" . 
| include "helm-toolkit.utils.hash" }} - spec: - serviceAccountName: {{ $serviceAccountName }} - hostNetwork: true - dnsPolicy: {{ .Values.pod.dns_policy }} - nodeSelector: - {{ .Values.labels.ovn_controller_gw.node_selector_key }}: {{ .Values.labels.ovn_controller_gw.node_selector_value }} - initContainers: -{{- tuple $envAll "ovn_controller_gw" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - - name: controller-init -{{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "controller_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - command: - - /tmp/ovn-controller-init.sh - env: - - name: OVN_CMS_OPTIONS - value: {{ .Values.conf.gw_ovn_cms_options | quote }} - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: ovn-bin - mountPath: /tmp/ovn-controller-init.sh - subPath: ovn-controller-init.sh - readOnly: true - - name: run-openvswitch - mountPath: /run/openvswitch - - name: ovn-etc - mountPath: /tmp/auto_bridge_add - subPath: auto_bridge_add - readOnly: true - containers: - - name: controller - command: - - /root/ovnkube.sh - - ovn-controller -{{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} -{{ dict "envAll" . "component" "ovn_controller_gw" "container" "controller" "type" "readiness" "probeTemplate" (include "controllerGatewayReadinessProbeTemplate" . 
| fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} - env: - - name: OVN_DAEMONSET_VERSION - value: "3" - - name: OVN_LOGLEVEL_CONTROLLER - value: "-vconsole:info -vfile:info" - - name: OVN_KUBERNETES_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OVN_KUBERNETES_NB_STATEFULSET - value: ovn-ovsdb-nb - - name: OVN_KUBERNETES_SB_STATEFULSET - value: ovn-ovsdb-sb - - name: OVN_SSL_ENABLE - value: "no" - volumeMounts: - - name: run-openvswitch - mountPath: /var/run/ovn - - name: run-openvswitch - mountPath: /var/run/openvswitch - - name: shared - mountPath: /var/log/ovn/ - {{- if .Values.pod.sidecars.vector }} - - name: vector -{{ tuple $envAll "vector" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.ovn_controller_gw.vector | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "vector" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - command: - - vector - - --config - - /etc/vector/vector.toml - volumeMounts: - - name: vector-config - mountPath: /etc/vector - - name: shared - mountPath: /logs - - name: vector-data - mountPath: /var/lib/vector - {{- end }} - {{- if .Values.pod.sidecars.ovn_logging_parser }} - - name: log-parser -{{ tuple $envAll "ovn_logging_parser" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.ovn_controller_gw.ovn_logging_parser | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "ovn_logging_parser" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - command: - - /tmp/ovn-network-logging-parser.sh - - start - env: - - name: VECTOR_HTTP_ENDPOINT - value: http://localhost:5001 - ports: - - name: http - containerPort: {{ tuple 
"ovn_logging_parser" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - protocol: TCP - volumeMounts: - - name: neutron-etc - mountPath: /etc/neutron/neutron.conf - subPath: neutron.conf - readOnly: true - - name: ovn-bin - mountPath: /tmp/ovn-network-logging-parser.sh - subPath: ovn-network-logging-parser.sh - readOnly: true - - name: ovn-etc - mountPath: /etc/neutron/neutron-ovn-network-logging-parser-uwsgi.ini - subPath: neutron-ovn-network-logging-parser-uwsgi.ini - readOnly: true - {{- end }} - volumes: - - name: ovn-bin - configMap: - name: ovn-bin - defaultMode: 0777 - - name: run-openvswitch - hostPath: - path: /run/openvswitch - type: DirectoryOrCreate - - name: ovn-etc - secret: - secretName: {{ $configMapName }} - defaultMode: 0444 - - name: shared - emptyDir: {} - {{- if .Values.pod.sidecars.vector }} - - name: vector-config - secret: - secretName: ovn-vector-config - - name: vector-data - emptyDir: {} - {{- end }} - {{- if .Values.pod.sidecars.ovn_logging_parser }} - - name: neutron-etc - secret: - secretName: neutron-etc - defaultMode: 0444 - {{- end }} -{{- end }} diff --git a/charts/ovn/templates/daemonset-controller.yaml b/charts/ovn/templates/daemonset-controller.yaml index b6b0b048d..82b70f782 100644 --- a/charts/ovn/templates/daemonset-controller.yaml +++ b/charts/ovn/templates/daemonset-controller.yaml 
@@ -26,7 +26,33 @@ exec: {{- $configMapName := "ovn-etc" }} {{- $serviceAccountName := "ovn-controller" }} +{{- $serviceAccountNamespace := $envAll.Release.Namespace }} {{ tuple $envAll "ovn_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ovn-controller-list-nodes-role-{{ $serviceAccountNamespace }} +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: ["list", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ovn-controller-list-nodes-rolebinding-{{ $serviceAccountNamespace }} +subjects: +- kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $serviceAccountNamespace }} +roleRef: + kind: ClusterRole + name: ovn-controller-list-nodes-role-{{ $serviceAccountNamespace }} + apiGroup: rbac.authorization.k8s.io + --- kind: DaemonSet apiVersion: apps/v1 @@ -37,17 +63,14 @@ metadata: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} labels: {{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - type: hv spec: selector: matchLabels: {{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} - type: hv template: metadata: labels: {{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - type: hv annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} 
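Review bot: The new ClusterRole grants `verbs: ["list", "get"]` on every Node in the cluster to the `ovn-controller` service account, while the only consumer this commit adds is `kubectl get node ${NODENAME}` in the `get-gw-enabled` init container of the next hunk, which needs `get` alone. Dropping `list` keeps a compromised controller pod from enumerating the whole node inventory with its token: `verbs: ["get"]`. A ClusterRole is still required because Node is cluster-scoped, so the binding shape itself is fine; a one-line comment above `rules:` stating that the role exists only to read the node's own gateway label would make the intended scope explicit.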
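Review bot: Removing `type: hv` from `spec.selector.matchLabels` changes the DaemonSet's label selector, and `spec.selector` is immutable on apps/v1 DaemonSets, so a `helm upgrade` of an existing release will be rejected by the API server until the old `ovn-controller` DaemonSet is deleted and recreated. The pod-template label change on its own is fine; the selector change needs either a documented pre-upgrade deletion step or a migration note in the chart. A comment above `selector:` such as `# NOTE: selector changed in chart 0.1.13; an existing DaemonSet must be recreated on upgrade` would at least record it. Whether the Ansible role changes listed in the diffstat handle that recreation is not visible from this diff.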
@@ -55,19 +78,35 @@ spec: spec: serviceAccountName: {{ $serviceAccountName }} hostNetwork: true + hostPID: true + hostIPC: true dnsPolicy: {{ .Values.pod.dns_policy }} nodeSelector: {{ .Values.labels.ovn_controller.node_selector_key }}: {{ .Values.labels.ovn_controller.node_selector_value }} initContainers: {{- tuple $envAll "ovn_controller" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: get-gw-enabled +{{ tuple $envAll "ovn_controller_kubectl" | include "helm-toolkit.snippets.image" | indent 10 }} + command: + - /bin/bash + - -c + - | + kubectl get node ${NODENAME} -o jsonpath='{.metadata.labels.{{ .Values.labels.ovn_controller_gw.node_selector_key }}}' > /tmp/gw-enabled/gw-enabled + env: + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: gw-enabled + mountPath: /tmp/gw-enabled + readOnly: false - name: controller-init -{{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }} {{ dict "envAll" $envAll "application" "ovn_controller" "container" "controller_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }} command: - /tmp/ovn-controller-init.sh env: - - name: OVN_CMS_OPTIONS - value: {{ .Values.conf.ovn_cms_options | quote }} - name: NODE_NAME valueFrom: fieldRef: 
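Review bot: `hostPID: true` and `hostIPC: true` are added to a pod that already runs with `hostNetwork: true` and, per the values.yaml change in this commit, a `privileged: true` controller container, with no comment stating what needs the host PID or IPC namespace. Each of these is a separate host isolation boundary; if only one is actually required by `ovnkube.sh`, the other should be dropped, and whichever stays deserves a comment such as `# hostPID/hostIPC: required by ovnkube.sh (upstream openstack-helm)`. The new `get-gw-enabled` init container is also the only explicitly defined container in the pod without a `helm-toolkit.snippets.kubernetes_container_security_context` include, so it runs with pod defaults; giving it the same include that `controller-init` has, with its own entry under `pod.security_context.ovn_controller.container`, would make the pod's containers consistent. The pod spec continues in the following hunks.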
@@ -83,14 +122,17 @@ spec: mountPath: /tmp/auto_bridge_add subPath: auto_bridge_add readOnly: true + - name: gw-enabled + mountPath: /tmp/gw-enabled + readOnly: true containers: - name: controller - command: - - /root/ovnkube.sh - - ovn-controller {{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "ovn_controller" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /root/ovnkube.sh + - ovn-controller {{ dict "envAll" . "component" "ovn_controller" "container" "controller" "type" "readiness" "probeTemplate" (include "controllerReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} env: - name: OVN_DAEMONSET_VERSION 
@@ -109,9 +151,57 @@ spec: value: "no" volumeMounts: - name: run-openvswitch - mountPath: /var/run/ovn + mountPath: /run/openvswitch + - name: logs + mountPath: /var/log/ovn - name: run-openvswitch - mountPath: /var/run/openvswitch + mountPath: /run/ovn + {{- if .Values.pod.sidecars.vector }} + - name: vector +{{ tuple $envAll "vector" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.vector | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "ovn_controller" "container" "vector" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - vector + - --config + - /etc/vector/vector.toml + volumeMounts: + - name: vector-config + mountPath: /etc/vector + - name: logs + mountPath: /logs + - name: vector-data + mountPath: /var/lib/vector + {{- end }} + {{- if .Values.pod.sidecars.ovn_logging_parser }} + - name: log-parser +{{ tuple $envAll "ovn_logging_parser" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.ovn_logging_parser | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "ovn_controller" "container" "ovn_logging_parser" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/ovn-network-logging-parser.sh + - start + env: + - name: VECTOR_HTTP_ENDPOINT + value: http://localhost:5001 + ports: + - name: http + containerPort: {{ tuple "ovn_logging_parser" "service" "api" . 
| include "helm-toolkit.endpoints.endpoint_port_lookup" }} + protocol: TCP + volumeMounts: + - name: neutron-etc + mountPath: /etc/neutron/neutron.conf + subPath: neutron.conf + readOnly: true + - name: ovn-bin + mountPath: /tmp/ovn-network-logging-parser.sh + subPath: ovn-network-logging-parser.sh + readOnly: true + - name: ovn-etc + mountPath: /etc/neutron/neutron-ovn-network-logging-parser-uwsgi.ini + subPath: neutron-ovn-network-logging-parser-uwsgi.ini + readOnly: true + {{- end }} volumes: - name: ovn-bin configMap: @@ -125,4 +215,27 @@ spec: secret: secretName: {{ $configMapName }} defaultMode: 0444 + - name: logs + hostPath: + path: /var/log/ovn + type: DirectoryOrCreate + - name: run-ovn + hostPath: + path: /run/ovn + type: DirectoryOrCreate + - name: gw-enabled + emptyDir: {} + {{- if .Values.pod.sidecars.vector }} + - name: vector-config + secret: + secretName: ovn-vector-config + - name: vector-data + emptyDir: {} + {{- end }} + {{- if .Values.pod.sidecars.ovn_logging_parser }} + - name: neutron-etc + secret: + secretName: neutron-etc + defaultMode: 0444 + {{- end }} {{- end }} diff --git a/charts/ovn/templates/deployment-northd.yaml b/charts/ovn/templates/deployment-northd.yaml index ae31b357a..f945bb248 100644 --- a/charts/ovn/templates/deployment-northd.yaml +++ b/charts/ovn/templates/deployment-northd.yaml 
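Review bot: The vector sidecar mounts the `logs` volume, which this commit turns into a `hostPath` on `/var/log/ovn`, read-write at `/logs`, although it only reads and ships log files. Adding `readOnly: true` under the `- name: logs` / `mountPath: /logs` entry keeps the log-shipping sidecar from being able to alter or truncate host log files, which matters for forensic integrity of the OVN logs. The `log-parser` sidecar's mounts in the same hunk are already all read-only, so this brings the two sidecars in line.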
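Review bot: The new `run-ovn` hostPath volume on `/run/ovn` is declared here but no container in the preceding hunks mounts it; the `controller` container mounts `run-openvswitch` at both `/run/openvswitch` and `/run/ovn`, so the host directory `/run/openvswitch` is bound to two container paths and the host's `/run/ovn` is never used. Unless a container outside the visible hunks uses `run-ovn`, either the second controller mount should become `- name: run-ovn` with `mountPath: /run/ovn`, or the unused volume should be removed. Admission policies that restrict `hostPath` evaluate declared volumes, not only mounted ones, so an unused hostPath declaration is not free.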
@@ -62,6 +62,7 @@ spec: {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "ovn_northd" "container" "northd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "readiness" "probeTemplate" (include "northdReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} +{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "liveness" "probeTemplate" (include "northdReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} env: - name: OVN_DAEMONSET_VERSION value: "3" diff --git a/charts/ovn/templates/statefulset-ovsdb-nb.yaml b/charts/ovn/templates/statefulset-ovsdb-nb.yaml index 4866074e1..98e70adaa 100644 --- a/charts/ovn/templates/statefulset-ovsdb-nb.yaml +++ b/charts/ovn/templates/statefulset-ovsdb-nb.yaml @@ -73,6 +73,7 @@ spec: {{ tuple $envAll "ovn_ovsdb_nb" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" . "component" "ovn_ovsdb_nb" "container" "ovsdb" "type" "readiness" "probeTemplate" (include "ovnnbReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} + ports: - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "raft" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} @@ -110,7 +111,9 @@ spec: mountPath: /etc/ovn volumes: - name: run-openvswitch - emptyDir: {} + hostPath: + path: /run/openvswitch + type: DirectoryOrCreate {{- if not .Values.volume.ovn_ovsdb_nb.enabled }} - name: data emptyDir: {} 
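Review bot: Switching the NB database StatefulSet's `run-openvswitch` volume from `emptyDir` to a `hostPath` on `/run/openvswitch` exposes the ovsdb-server control socket and pid file to every process on the node that can reach that directory, and the same change is made for the SB StatefulSet in the following hunk. If the intent is to let co-located ovn-controller or OVS pods reach the databases over the unix socket, a comment above the volume saying so would justify the wider exposure; if not, `emptyDir` was the safer choice. Both StatefulSets and the controller DaemonSet now share one host directory, so the comment should also note that replicas of the same StatefulSet are kept on separate nodes by the chart's anti-affinity, which cannot be confirmed from this diff.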
diff --git a/charts/ovn/templates/statefulset-ovsdb-sb.yaml b/charts/ovn/templates/statefulset-ovsdb-sb.yaml index 92af96de3..694348b23 100644 --- a/charts/ovn/templates/statefulset-ovsdb-sb.yaml +++ b/charts/ovn/templates/statefulset-ovsdb-sb.yaml @@ -110,7 +110,9 @@ spec: mountPath: /etc/ovn volumes: - name: run-openvswitch - emptyDir: {} + hostPath: + path: /run/openvswitch + type: DirectoryOrCreate {{- if not .Values.volume.ovn_ovsdb_sb.enabled }} - name: data emptyDir: {} diff --git a/charts/ovn/values.yaml b/charts/ovn/values.yaml index 5c35a2f57..8c99d50e5 100644 --- a/charts/ovn/values.yaml +++ b/charts/ovn/values.yaml @@ -20,11 +20,12 @@ release_group: null images: tags: - ovn_ovsdb_nb: docker.io/openstackhelm/ovn:latest-ubuntu_focal - ovn_ovsdb_sb: docker.io/openstackhelm/ovn:latest-ubuntu_focal - ovn_northd: docker.io/openstackhelm/ovn:latest-ubuntu_focal - ovn_controller: docker.io/openstackhelm/ovn:latest-ubuntu_focal - dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 + ovn_ovsdb_nb: docker.io/openstackhelm/ovn:ubuntu_focal + ovn_ovsdb_sb: docker.io/openstackhelm/ovn:ubuntu_focal + ovn_northd: docker.io/openstackhelm/ovn:ubuntu_focal + ovn_controller: docker.io/openstackhelm/ovn:ubuntu_focal + ovn_controller_kubectl: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy + dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal image_repo_sync: docker.io/library/docker:17.07.0 vector: docker.io/timberio/vector:0.39.0-debian ovn_logging_parser: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy 
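Review bot: The new `ovn_controller_kubectl` image `docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy` and the changed `dep_check` image `quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal` are both floating `latest` tags, added in the same hunk that moves the OVN images off `latest-`. A floating tag on an init container that runs with a service-account token able to read Node objects means the code executing with those credentials can change underneath the chart without a version bump; pinning to a fixed tag or digest would match the direction of the rest of the `tags:` block. Pulling a Ceph helper image only for its `kubectl` binary also widens the supply-chain surface of every OVN controller pod; if a smaller kubectl-bearing image is already part of the Atmosphere image set, reusing it would be preferable.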
@@ -37,19 +38,19 @@ images: labels: ovn_ovsdb_nb: - node_selector_key: openstack-compute-node + node_selector_key: openstack-network-node node_selector_value: enabled ovn_ovsdb_sb: - node_selector_key: openstack-compute-node + node_selector_key: openstack-network-node node_selector_value: enabled ovn_northd: - node_selector_key: openstack-compute-node + node_selector_key: openstack-network-node node_selector_value: enabled ovn_controller: - node_selector_key: openstack-compute-node + node_selector_key: openvswitch node_selector_value: enabled ovn_controller_gw: - node_selector_key: openstack-control-plane + node_selector_key: l3-agent node_selector_value: enabled volume: @@ -72,7 +73,7 @@ network: conf: ovn_cms_options: "availability-zones=nova" - gw_ovn_cms_options: "enable-chassis-as-gw,availability-zones=nova" + ovn_cms_options_gw_enabled: "enable-chassis-as-gw,availability-zones=nova" ovn_encap_type: geneve ovn_bridge: br-int ovn_bridge_mappings: external:br-ex @@ -84,10 +85,6 @@ conf: # br-public: eth1 auto_bridge_add: {} - # NOTE: should be same as nova.conf.use_fqdn.compute - use_fqdn: - compute: true - ovn_network_logging_parser_uwsgi: uwsgi: add-header: "Connection: close" @@ -107,6 +104,9 @@ conf: wsgi-file: /var/lib/openstack/bin/neutron-ovn-network-logging-parser-wsgi pod: + # NOTE: should be same as nova.pod.use_fqdn.compute + use_fqdn: + compute: true security_context: ovn_northd: container: @@ -117,21 +117,11 @@ pod: ovn_controller: container: controller_init: + readOnlyRootFilesystem: true privileged: true - runAsUser: 0 controller: - capabilities: - add: - - SYS_NICE - ovn_controller_gw: - container: - controller_init: + readOnlyRootFilesystem: true privileged: true - runAsUser: 0 - controller: - capabilities: - add: - - SYS_NICE ovn_logging_parser: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -147,8 +137,6 @@ pod: enabled: false ovn_controller: enabled: false - ovn_controller_gw: - enabled: false affinity: anti: type: 
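Review bot: Under `pod.security_context.ovn_controller.container.controller` the long-running ovn-controller container goes from a single added capability (`SYS_NICE`) to `privileged: true`, which together with the `hostPID`, `hostIPC` and `hostNetwork` settings the DaemonSet gains in this commit leaves it with essentially unrestricted access to the host. Upstream openstack-helm may require this for `ovnkube.sh`, but the values file should say so; a comment such as `# NOTE: privileged is required by ovnkube.sh (upstream openstack-helm); was SYS_NICE only before chart 0.1.13` next to the key would keep the reason reviewable and make a later tightening easier. Adding `readOnlyRootFilesystem: true` to both containers is a good offsetting hardening and is worth keeping even if the privilege question is revisited.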
@@ -224,10 +212,6 @@ pod: enabled: true min_ready_seconds: 0 max_unavailable: 1 - ovn_controller_gw: - enabled: true - min_ready_seconds: 0 - max_unavailable: 1 resources: enabled: false ovs: @@ -259,28 +243,20 @@ pod: limits: memory: "1024Mi" cpu: "2000m" - ovn_controller_gw: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - ovn_controller_gw: - ovn_logging_parser: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "256Mi" - cpu: "500m" - vector: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "256Mi" - cpu: "500m" + ovn_logging_parser: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "256Mi" + cpu: "500m" + vector: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "256Mi" + cpu: "500m" jobs: image_repo_sync: requests: @@ -289,6 +265,7 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + sidecars: ovn_logging_parser: false vector: false @@ -387,9 +364,6 @@ network_policy: ovn_controller: ingress: - {} - ovn_controller_gw: - ingress: - - {} egress: - {} @@ -415,10 +389,6 @@ dependencies: services: - endpoint: internal service: ovn-ovsdb-sb - ovn_controller_gw: - services: - - endpoint: internal - service: ovn-ovsdb-sb pod: - requireSameNode: true labels: @@ -439,6 +409,5 @@ manifests: statefulset_ovn_ovsdb_sb: true deployment_ovn_northd: true daemonset_ovn_controller: true - daemonset_ovn_controller_gw: true job_image_repo_sync: true ... diff --git a/charts/patches/ovn/0001-switch-to-ovn-kubernetes.patch b/charts/patches/ovn/0001-switch-to-ovn-kubernetes.patch index f8dc4c1bb..35719dd82 100644 --- a/charts/patches/ovn/0001-switch-to-ovn-kubernetes.patch +++ b/charts/patches/ovn/0001-switch-to-ovn-kubernetes.patch 
@@ -1,7 +1,7 @@ -diff --git b/ovn/templates/bin/_ovn-controller-init.sh.tpl a/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl -index 1e61577d..77e1e687 100644 ---- b/ovn/templates/bin/_ovn-controller-init.sh.tpl -+++ a/ovn/templates/bin/_ovn-controller-init.sh.tpl +diff --git a/ovn/templates/bin/_ovn-controller-init.sh.tpl b/ovn/templates/bin/_ovn-controller-init.sh.tpl +index 55cc2ecb..885204a0 100644 +--- a/ovn/templates/bin/_ovn-controller-init.sh.tpl ++++ b/ovn/templates/bin/_ovn-controller-init.sh.tpl @@ -14,6 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. @@ -10,7 +10,7 @@ index 1e61577d..77e1e687 100644 + function get_ip_address_from_interface { local interface=$1 - local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $1}') + local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' 'NR==1 {print $1}') @@ -75,6 +77,19 @@ function migrate_ip_from_nic { set -e } 
@@ -63,21 +63,22 @@ index 1e61577d..77e1e687 100644 # Configure OVN remote {{- if empty .Values.conf.ovn_remote -}} -@@ -118,6 +145,9 @@ ovs-vsctl set open . external-ids:ovn-encap-type="{{ .Values.conf.ovn_encap_type - ovs-vsctl set open . external-ids:ovn-bridge="{{ .Values.conf.ovn_bridge }}" - ovs-vsctl set open . external-ids:ovn-bridge-mappings="{{ .Values.conf.ovn_bridge_mappings }}" - ovs-vsctl set open . external-ids:ovn-cms-options="${OVN_CMS_OPTIONS}" +@@ -125,6 +152,10 @@ else + ovs-vsctl set open . external-ids:ovn-cms-options={{ .Values.conf.ovn_cms_options }} + fi + +{{ if .Values.conf.ovn_bridge_datapath_type -}} +ovs-vsctl set open . external-ids:ovn-bridge-datapath-type="{{ .Values.conf.ovn_bridge_datapath_type }}" +{{- end }} - ++ # Configure hostname - {{- if .Values.conf.use_fqdn.compute }} -diff --git b/ovn/templates/clusterrole-controller.yaml a/charts/ovn/templates/clusterrole-controller.yaml + {{- if .Values.pod.use_fqdn.compute }} + ovs-vsctl set open . external-ids:hostname="$(hostname -f)" +diff --git a/ovn/templates/clusterrole-controller.yaml b/ovn/templates/clusterrole-controller.yaml new file mode 100644 index 00000000..8291f65a --- /dev/null -+++ a/ovn/templates/clusterrole-controller.yaml ++++ b/ovn/templates/clusterrole-controller.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole @@ -91,11 +92,11 @@ index 00000000..8291f65a + verbs: + - get + - patch -diff --git b/ovn/templates/clusterrolebinding-controller.yaml a/charts/ovn/templates/clusterrolebinding-controller.yaml +diff --git a/ovn/templates/clusterrolebinding-controller.yaml b/ovn/templates/clusterrolebinding-controller.yaml new file mode 100644 index 00000000..c95ef5e9 --- /dev/null -+++ a/ovn/templates/clusterrolebinding-controller.yaml ++++ b/ovn/templates/clusterrolebinding-controller.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding 
@@ -112,10 +113,10 @@ index 00000000..c95ef5e9 +- kind: ServiceAccount + name: ovn-controller-gw + namespace: {{ .Release.Namespace }} -diff --git b/ovn/templates/configmap-bin.yaml a/charts/ovn/templates/configmap-bin.yaml +diff --git a/ovn/templates/configmap-bin.yaml b/ovn/templates/configmap-bin.yaml index a849dd8a..82001f99 100644 ---- b/ovn/templates/configmap-bin.yaml -+++ a/ovn/templates/configmap-bin.yaml +--- a/ovn/templates/configmap-bin.yaml ++++ b/ovn/templates/configmap-bin.yaml @@ -24,12 +24,6 @@ data: image-repo-sync.sh: | {{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} 
@@ -129,89 +130,10 @@ index a849dd8a..82001f99 100644 - ovn-controller.sh: | -{{ tuple "bin/_ovn-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{- end }} -diff --git b/ovn/templates/daemonset-controller-gw.yaml a/charts/ovn/templates/daemonset-controller-gw.yaml -index 6307bbab..eb309c5e 100644 ---- b/ovn/templates/daemonset-controller-gw.yaml -+++ a/ovn/templates/daemonset-controller-gw.yaml -@@ -12,6 +12,15 @@ See the License for the specific language governing permissions and - limitations under the License. - */}} - -+{{- define "controllerGatewayReadinessProbeTemplate" }} -+exec: -+ command: -+ - /usr/bin/ovn-kube-util -+ - readiness-probe -+ - -t -+ - ovn-controller -+{{- end }} -+ - {{- if .Values.manifests.daemonset_ovn_controller_gw }} - {{- $envAll := . }} - -@@ -59,6 +68,10 @@ spec: - env: - - name: OVN_CMS_OPTIONS - value: {{ .Values.conf.gw_ovn_cms_options | quote }} -+ - name: NODE_NAME -+ valueFrom: -+ fieldRef: -+ fieldPath: spec.nodeName - volumeMounts: - - name: ovn-bin - mountPath: /tmp/ovn-controller-init.sh -@@ -72,25 +85,33 @@ spec: - readOnly: true - containers: - - name: controller -+ command: -+ - /root/ovnkube.sh -+ - ovn-controller - {{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }} - {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - {{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} -- command: -- - /tmp/ovn-controller.sh -- - start -- lifecycle: -- preStop: -- exec: -- command: -- - /tmp/ovn-controller.sh -- - stop -+{{ dict "envAll" . "component" "ovn_controller_gw" "container" "controller" "type" "readiness" "probeTemplate" (include "controllerGatewayReadinessProbeTemplate" . 
| fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} -+ env: -+ - name: OVN_DAEMONSET_VERSION -+ value: "3" -+ - name: OVN_LOGLEVEL_CONTROLLER -+ value: "-vconsole:info -vfile:info" -+ - name: OVN_KUBERNETES_NAMESPACE -+ valueFrom: -+ fieldRef: -+ fieldPath: metadata.namespace -+ - name: OVN_KUBERNETES_NB_STATEFULSET -+ value: ovn-ovsdb-nb -+ - name: OVN_KUBERNETES_SB_STATEFULSET -+ value: ovn-ovsdb-sb -+ - name: OVN_SSL_ENABLE -+ value: "no" - volumeMounts: -- - name: ovn-bin -- mountPath: /tmp/ovn-controller.sh -- subPath: ovn-controller.sh -- readOnly: true - - name: run-openvswitch -- mountPath: /run/openvswitch -+ mountPath: /var/run/ovn -+ - name: run-openvswitch -+ mountPath: /var/run/openvswitch - volumes: - - name: ovn-bin - configMap: -diff --git b/ovn/templates/daemonset-controller.yaml a/charts/ovn/templates/daemonset-controller.yaml -index 85daf70b..b6b0b048 100644 ---- b/ovn/templates/daemonset-controller.yaml -+++ a/ovn/templates/daemonset-controller.yaml +diff --git a/ovn/templates/daemonset-controller.yaml b/ovn/templates/daemonset-controller.yaml +index 4cd5d9b2..fae94512 100644 +--- a/ovn/templates/daemonset-controller.yaml ++++ b/ovn/templates/daemonset-controller.yaml @@ -12,6 +12,15 @@ See the License for the specific language governing permissions and limitations under the License. */}} @@ -228,10 +150,11 @@ index 85daf70b..b6b0b048 100644 {{- if .Values.manifests.daemonset_ovn_controller }} {{- $envAll := . }} -@@ -59,6 +68,10 @@ spec: - env: - - name: OVN_CMS_OPTIONS - value: {{ .Values.conf.ovn_cms_options | quote }} +@@ -106,6 +106,11 @@ spec: + {{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }} + command: + - /tmp/ovn-controller-init.sh ++ env: + - name: NODE_NAME + valueFrom: + fieldRef: 
@@ -239,17 +162,10 @@ index 85daf70b..b6b0b048 100644 volumeMounts: - name: ovn-bin mountPath: /tmp/ovn-controller-init.sh -@@ -72,25 +85,33 @@ spec: - readOnly: true - containers: - - name: controller -+ command: -+ - /root/ovnkube.sh -+ - ovn-controller - {{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }} +@@ -117,17 +122,23 @@ spec: {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "ovn_controller" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} -- command: + command: - - /tmp/ovn-controller.sh - - start - lifecycle: @@ -258,6 +174,8 @@ index 85daf70b..b6b0b048 100644 - command: - - /tmp/ovn-controller.sh - - stop ++ - /root/ovnkube.sh ++ - ovn-controller +{{ dict "envAll" . "component" "ovn_controller" "container" "controller" "type" "readiness" "probeTemplate" (include "controllerReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} + env: + - name: OVN_DAEMONSET_VERSION 
@@ -280,17 +198,19 @@ index 85daf70b..b6b0b048 100644 - subPath: ovn-controller.sh - readOnly: true - name: run-openvswitch -- mountPath: /run/openvswitch -+ mountPath: /var/run/ovn +@@ -154,7 +154,7 @@ spec: + mountPath: /run/openvswitch + - name: logs + mountPath: /var/log/ovn +- - name: run-ovn + - name: run-openvswitch -+ mountPath: /var/run/openvswitch - volumes: - - name: ovn-bin - configMap: -diff --git b/ovn/templates/deployment-northd.yaml a/charts/ovn/templates/deployment-northd.yaml + mountPath: /run/ovn + {{- if .Values.pod.sidecars.vector }} + - name: vector +diff --git a/ovn/templates/deployment-northd.yaml b/ovn/templates/deployment-northd.yaml index e3afdd05..ae31b357 100644 ---- b/ovn/templates/deployment-northd.yaml -+++ a/ovn/templates/deployment-northd.yaml +--- a/ovn/templates/deployment-northd.yaml ++++ b/ovn/templates/deployment-northd.yaml @@ -12,18 +12,13 @@ See the License for the specific language governing permissions and limitations under the License. */}} @@ -315,7 +235,7 @@ index e3afdd05..ae31b357 100644 {{- end }} {{- if .Values.manifests.deployment_northd }} -@@ -60,28 +55,26 @@ spec: +@@ -60,28 +55,27 @@ spec: {{- tuple $envAll "ovn_northd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: northd @@ -347,6 +267,7 @@ index e3afdd05..ae31b357 100644 - name: ovn-bin - defaultMode: 0555 +{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "readiness" "probeTemplate" (include "northdReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} ++{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "liveness" "probeTemplate" (include "northdReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} + env: + - name: OVN_DAEMONSET_VERSION + value: "3" 
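Review bot: The inner hunk `@@ -154,7 +154,7 @@` in this hunk carries `{{- if .Values.pod.sidecars.vector }}` and `- name: vector` as context, but those lines are introduced by the separate 0002-add-logging-parser.patch, whose own hunk at L29 still has `- name: run-ovn` as context, the very line this hunk renames to `run-openvswitch`. The two patch files therefore each appear to have been regenerated against a tree that already contained the other, and the inner `index` blobs (`fae94512` as this patch's output versus `e421794f` as 0002's input) do not chain. Whether that breaks the chart sync depends on whether the tooling applies with fuzz; `git apply` would reject both hunks as they stand. Regenerating 0002 on top of 0001's output, or folding the controller volume-mount change into a single patch, would make the order explicit and reproducible.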
@@ -363,11 +284,11 @@ index e3afdd05..ae31b357 100644 + - name: OVN_SSL_ENABLE + value: "no" {{- end }} -diff --git b/ovn/templates/role-controller.yaml a/charts/ovn/templates/role-controller.yaml +diff --git a/ovn/templates/role-controller.yaml b/ovn/templates/role-controller.yaml new file mode 100644 index 00000000..de3cfa6d --- /dev/null -+++ a/ovn/templates/role-controller.yaml ++++ b/ovn/templates/role-controller.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role @@ -380,11 +301,11 @@ index 00000000..de3cfa6d + - endpointslices + verbs: + - list -diff --git b/ovn/templates/role-northd.yaml a/charts/ovn/templates/role-northd.yaml +diff --git a/ovn/templates/role-northd.yaml b/ovn/templates/role-northd.yaml new file mode 100644 index 00000000..ca02fae6 --- /dev/null -+++ a/ovn/templates/role-northd.yaml ++++ b/ovn/templates/role-northd.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role @@ -397,11 +318,11 @@ index 00000000..ca02fae6 + - endpointslices + verbs: + - list -diff --git b/ovn/templates/role-ovsdb.yaml a/charts/ovn/templates/role-ovsdb.yaml +diff --git a/ovn/templates/role-ovsdb.yaml b/ovn/templates/role-ovsdb.yaml new file mode 100644 index 00000000..10e0e239 --- /dev/null -+++ a/ovn/templates/role-ovsdb.yaml ++++ b/ovn/templates/role-ovsdb.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role @@ -422,11 +343,11 @@ index 00000000..10e0e239 + verbs: + - list + - get -diff --git b/ovn/templates/rolebinding-controller.yaml a/charts/ovn/templates/rolebinding-controller.yaml +diff --git a/ovn/templates/rolebinding-controller.yaml b/ovn/templates/rolebinding-controller.yaml new file mode 100644 index 00000000..7973c7e2 --- /dev/null -+++ a/ovn/templates/rolebinding-controller.yaml ++++ b/ovn/templates/rolebinding-controller.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding 
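Review bot: `OVN_SSL_ENABLE` is fixed to the literal `"no"` for the northd container in the two context lines at the top of this hunk, so the northd connections to the NB/SB databases run as plaintext TCP on the ovsdb ports that values.yaml exposes under `endpoints`; if the same env block is repeated for the other components, which is not visible here, the controller-to-SB path is plaintext as well. That is inherited from the earlier version of the patch rather than introduced by this commit, but the sync is the natural moment to make it configurable, e.g. `value: {{ .Values.conf.ovn_ssl_enable | default "no" | quote }}` (constructed key name) so an operator can enable TLS without editing the chart. Whether the ovn-kubernetes entrypoint also needs certificate mounts when the value is `"yes"` is not visible here and should be checked before exposing the knob. The env list starts in the previous hunk.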
@@ -441,11 +362,11 @@ index 00000000..7973c7e2 + name: ovn-controller +- kind: ServiceAccount + name: ovn-controller-gw -diff --git b/ovn/templates/rolebinding-northd.yaml a/charts/ovn/templates/rolebinding-northd.yaml +diff --git a/ovn/templates/rolebinding-northd.yaml b/ovn/templates/rolebinding-northd.yaml new file mode 100644 index 00000000..428a4707 --- /dev/null -+++ a/ovn/templates/rolebinding-northd.yaml ++++ b/ovn/templates/rolebinding-northd.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding @@ -458,11 +379,11 @@ index 00000000..428a4707 +subjects: +- kind: ServiceAccount + name: ovn-northd -diff --git b/ovn/templates/rolebinding-ovsdb.yaml a/charts/ovn/templates/rolebinding-ovsdb.yaml +diff --git a/ovn/templates/rolebinding-ovsdb.yaml b/ovn/templates/rolebinding-ovsdb.yaml new file mode 100644 index 00000000..f32382bc --- /dev/null -+++ a/ovn/templates/rolebinding-ovsdb.yaml ++++ b/ovn/templates/rolebinding-ovsdb.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding @@ -477,10 +398,10 @@ index 00000000..f32382bc + name: ovn-ovsdb-nb +- kind: ServiceAccount + name: ovn-ovsdb-sb -diff --git b/ovn/templates/service-ovsdb-nb.yaml a/charts/ovn/templates/service-ovsdb-nb.yaml +diff --git a/ovn/templates/service-ovsdb-nb.yaml b/ovn/templates/service-ovsdb-nb.yaml index b93da9b8..56f7cd09 100644 ---- b/ovn/templates/service-ovsdb-nb.yaml -+++ a/ovn/templates/service-ovsdb-nb.yaml +--- a/ovn/templates/service-ovsdb-nb.yaml ++++ b/ovn/templates/service-ovsdb-nb.yaml @@ -20,6 +20,7 @@ kind: Service metadata: name: {{ tuple "ovn-ovsdb-nb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} 
@@ -489,10 +410,10 @@ index b93da9b8..56f7cd09 100644 ports: - name: ovsdb port: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} -diff --git b/ovn/templates/service-ovsdb-sb.yaml a/charts/ovn/templates/service-ovsdb-sb.yaml +diff --git a/ovn/templates/service-ovsdb-sb.yaml b/ovn/templates/service-ovsdb-sb.yaml index 70f62c6e..4a6b5864 100644 ---- b/ovn/templates/service-ovsdb-sb.yaml -+++ a/ovn/templates/service-ovsdb-sb.yaml +--- a/ovn/templates/service-ovsdb-sb.yaml ++++ b/ovn/templates/service-ovsdb-sb.yaml @@ -20,6 +20,7 @@ kind: Service metadata: name: {{ tuple "ovn-ovsdb-sb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} @@ -501,10 +422,10 @@ index 70f62c6e..4a6b5864 100644 ports: - name: ovsdb port: {{ tuple "ovn-ovsdb-sb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} -diff --git b/ovn/templates/statefulset-ovsdb-nb.yaml a/charts/ovn/templates/statefulset-ovsdb-nb.yaml -index c8198279..4866074e 100644 ---- b/ovn/templates/statefulset-ovsdb-nb.yaml -+++ a/ovn/templates/statefulset-ovsdb-nb.yaml +diff --git a/ovn/templates/statefulset-ovsdb-nb.yaml b/ovn/templates/statefulset-ovsdb-nb.yaml +index 04958165..98e70ada 100644 +--- a/ovn/templates/statefulset-ovsdb-nb.yaml ++++ b/ovn/templates/statefulset-ovsdb-nb.yaml @@ -12,6 +12,19 @@ See the License for the specific language governing permissions and limitations under the License. */}} @@ -533,7 +454,7 @@ index c8198279..4866074e 100644 replicas: {{ .Values.pod.replicas.ovn_ovsdb_nb }} selector: matchLabels: -@@ -49,41 +63,54 @@ spec: +@@ -49,43 +63,57 @@ spec: {{- tuple $envAll "ovn_ovsdb_nb" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ovsdb 
@@ -547,6 +468,7 @@ index c8198279..4866074e 100644 {{ tuple $envAll "ovn_ovsdb_nb" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" . "component" "ovn_ovsdb_nb" "container" "ovsdb" "type" "readiness" "probeTemplate" (include "ovnnbReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} ++ ports: - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "raft" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} @@ -602,7 +524,9 @@ index c8198279..4866074e 100644 + mountPath: /etc/ovn volumes: - name: run-openvswitch - emptyDir: {} + hostPath: + path: /run/openvswitch + type: DirectoryOrCreate - - name: ovn-bin - configMap: - name: ovn-bin @@ -610,10 +534,10 @@ index c8198279..4866074e 100644 {{- if not .Values.volume.ovn_ovsdb_nb.enabled }} - name: data emptyDir: {} -diff --git b/ovn/templates/statefulset-ovsdb-sb.yaml a/charts/ovn/templates/statefulset-ovsdb-sb.yaml -index 916ef94d..92af96de 100644 ---- b/ovn/templates/statefulset-ovsdb-sb.yaml -+++ a/ovn/templates/statefulset-ovsdb-sb.yaml +diff --git a/ovn/templates/statefulset-ovsdb-sb.yaml b/ovn/templates/statefulset-ovsdb-sb.yaml +index 9e7b6670..694348b2 100644 +--- a/ovn/templates/statefulset-ovsdb-sb.yaml ++++ b/ovn/templates/statefulset-ovsdb-sb.yaml @@ -12,6 +12,19 @@ See the License for the specific language governing permissions and limitations under the License. */}} @@ -642,7 +566,7 @@ index 916ef94d..92af96de 100644 replicas: {{ .Values.pod.replicas.ovn_ovsdb_sb }} selector: matchLabels: -@@ -49,41 +63,54 @@ spec: +@@ -49,43 +63,56 @@ spec: {{- tuple $envAll "ovn_ovsdb_sb" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ovsdb 
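Review bot: The `run-openvswitch` volume of the ovsdb-nb StatefulSet switches from `emptyDir: {}` to a `hostPath` at `/run/openvswitch` with `type: DirectoryOrCreate` in the `@@ -602,7 +524,9 @@` hunk, and the ovsdb-sb StatefulSet gets the identical change in the `@@ -711,7 +635,9 @@` hunk at L28. That path is the host's Open vSwitch runtime directory (control sockets and pid files), so a database pod scheduled on a node that runs OVS now shares it with the host daemons, and on a node without OVS the kubelet creates a root-owned directory as a side effect. If ovsdb-server only needs its own socket and pid directory, a per-pod `emptyDir` or a dedicated `hostPath` subdirectory keeps the container's blast radius to itself; if the host socket is genuinely required, a one-line comment in the patch naming the consumer would save the next reviewer the same question. The `volumes:` list continues past this hunk.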
@@ -711,7 +635,9 @@ index 916ef94d..92af96de 100644 + mountPath: /etc/ovn volumes: - name: run-openvswitch - emptyDir: {} + hostPath: + path: /run/openvswitch + type: DirectoryOrCreate - - name: ovn-bin - configMap: - name: ovn-bin @@ -719,7 +645,7 @@ index 916ef94d..92af96de 100644 {{- if not .Values.volume.ovn_ovsdb_sb.enabled }} - name: data emptyDir: {} -@@ -93,10 +120,10 @@ spec: +@@ -95,10 +122,10 @@ spec: name: data spec: accessModes: ["ReadWriteOnce"] @@ -731,11 +657,11 @@ index 916ef94d..92af96de 100644 {{- end }} {{- end }} -diff --git b/ovn/values.yaml a/charts/ovn/values.yaml -index 518dd71e..214dd16f 100644 ---- b/ovn/values.yaml -+++ a/ovn/values.yaml -@@ -52,12 +52,10 @@ labels: +diff --git a/ovn/values.yaml b/ovn/values.yaml +index a18184ab..b07a0f5a 100644 +--- a/ovn/values.yaml ++++ b/ovn/values.yaml +@@ -51,12 +51,10 @@ labels: volume: ovn_ovsdb_nb: @@ -757,7 +683,7 @@ index 518dd71e..214dd16f 100644 # auto_bridge_add: # br-private: eth0 -@@ -138,13 +138,41 @@ pod: +@@ -135,13 +135,41 @@ pod: readiness: enabled: true params: @@ -804,7 +730,7 @@ index 518dd71e..214dd16f 100644 dns_policy: "ClusterFirstWithHostNet" replicas: ovn_ovsdb_nb: 1 -@@ -179,18 +207,18 @@ pod: +@@ -176,18 +204,18 @@ pod: ovs: ovn_ovsdb_nb: requests: diff --git a/charts/patches/ovn/0002-add-logging-parser.patch b/charts/patches/ovn/0002-add-logging-parser.patch index f9643690a..69a74a0b2 100644 --- a/charts/patches/ovn/0002-add-logging-parser.patch +++ b/charts/patches/ovn/0002-add-logging-parser.patch 
@@ -69,21 +69,19 @@ index 47b84be8..0d221f19 100644 {{- end }} {{- end }} -diff --git a/ovn/templates/daemonset-controller-gw.yaml b/ovn/templates/daemonset-controller-gw.yaml -index eb309c5e..3ecd81dc 100644 ---- a/ovn/templates/daemonset-controller-gw.yaml -+++ b/ovn/templates/daemonset-controller-gw.yaml -@@ -112,6 +112,54 @@ spec: - mountPath: /var/run/ovn - - name: run-openvswitch - mountPath: /var/run/openvswitch -+ - name: shared -+ mountPath: /var/log/ovn/ +diff --git a/ovn/templates/daemonset-controller.yaml b/ovn/templates/daemonset-controller.yaml +index e421794f..843cbeaa 100644 +--- a/ovn/templates/daemonset-controller.yaml ++++ b/ovn/templates/daemonset-controller.yaml +@@ -156,6 +156,52 @@ spec: + mountPath: /var/log/ovn + - name: run-ovn + mountPath: /run/ovn + {{- if .Values.pod.sidecars.vector }} + - name: vector +{{ tuple $envAll "vector" | include "helm-toolkit.snippets.image" | indent 10 }} -+{{ tuple $envAll $envAll.Values.pod.resources.ovn_controller_gw.vector | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -+{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "vector" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} ++{{ tuple $envAll $envAll.Values.pod.resources.vector | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} ++{{ dict "envAll" $envAll "application" "ovn_controller" "container" "vector" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - vector + - --config @@ -91,7 +89,7 @@ index eb309c5e..3ecd81dc 100644 + volumeMounts: + - name: vector-config + mountPath: /etc/vector -+ - name: shared ++ - name: logs + mountPath: /logs + - name: vector-data + mountPath: /var/lib/vector 
@@ -99,8 +97,8 @@ index eb309c5e..3ecd81dc 100644 + {{- if .Values.pod.sidecars.ovn_logging_parser }} + - name: log-parser +{{ tuple $envAll "ovn_logging_parser" | include "helm-toolkit.snippets.image" | indent 10 }} -+{{ tuple $envAll $envAll.Values.pod.resources.ovn_controller_gw.ovn_logging_parser | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -+{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "ovn_logging_parser" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} ++{{ tuple $envAll $envAll.Values.pod.resources.ovn_logging_parser | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} ++{{ dict "envAll" $envAll "application" "ovn_controller" "container" "ovn_logging_parser" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/ovn-network-logging-parser.sh + - start @@ -128,12 +126,10 @@ index eb309c5e..3ecd81dc 100644 volumes: - name: ovn-bin configMap: -@@ -125,4 +173,19 @@ spec: - secret: - secretName: {{ $configMapName }} - defaultMode: 0444 -+ - name: shared -+ emptyDir: {} +@@ -225,4 +225,17 @@ + type: DirectoryOrCreate + - name: gw-enabled + emptyDir: {} + {{- if .Values.pod.sidecars.vector }} + - name: vector-config + secret: @@ -211,21 +207,20 @@ index 00000000..028e8a9a + tenant_id = "{{`{{ project_id }}`}}" +{{- end }} 
diff --git a/ovn/values.yaml b/ovn/values.yaml -index 214dd16f..d0f2406b 100644 ---- a/ovn/values.yaml -+++ b/ovn/values.yaml -@@ -26,6 +26,8 @@ images: - ovn_controller: docker.io/openstackhelm/ovn:latest-ubuntu_focal - dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 +index b07a0f5a..79fde2c2 100644 +--- a/ovn//values.yaml ++++ b/ovn//values.yaml +@@ -26,5 +26,7 @@ images: + dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal image_repo_sync: docker.io/library/docker:17.07.0 + vector: docker.io/timberio/vector:0.39.0-debian + ovn_logging_parser: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy pull_policy: "IfNotPresent" local_registry: active: false -@@ -86,6 +88,24 @@ conf: - use_fqdn: - compute: true +@@ -82,6 +84,24 @@ conf: + # br-public: eth1 + auto_bridge_add: {} + ovn_network_logging_parser_uwsgi: + uwsgi: @@ -246,12 +241,12 @@ index 214dd16f..d0f2406b 100644 + wsgi-file: /var/lib/openstack/bin/neutron-ovn-network-logging-parser-wsgi + pod: - security_context: - ovn_northd: -@@ -112,6 +132,12 @@ pod: - capabilities: - add: - - SYS_NICE + # NOTE: should be same as nova.pod.use_fqdn.compute + use_fqdn: +@@ -109,6 +129,12 @@ pod: + controller: + readOnlyRootFilesystem: true + privileged: true + ovn_logging_parser: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true 
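Review bot: The regenerated values.yaml section of 0002 now carries `dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal` as the chart default, a mutable tag, while the two images the patch itself adds (`vector:0.39.0-debian` and `neutron:2024.1-ubuntu_jammy`) are pinned. Whether Atmosphere overrides that image elsewhere (the diffstat touches `roles/defaults/vars/main.yml`) is not visible from this hunk; if it does not, pinning it to a fixed tag or digest would close the supply-chain gap for the init container that the entrypoint snippet puts in front of the OVN pods. Separately, the new file header in this hunk reads `+--- a/ovn//values.yaml` / `++++ b/ovn//values.yaml`, a doubled slash that no other header in either patch has; it probably still applies, but normalising it to `a/ovn/values.yaml` keeps the patch greppable and avoids surprises with stricter apply tooling. This hunk begins in the previous line, so earlier context is not visible here.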
@@ -261,39 +256,40 @@ index 214dd16f..d0f2406b 100644 tolerations: ovn_ovsdb_nb: enabled: false -@@ -240,6 +266,21 @@ pod: +@@ -237,6 +263,20 @@ pod: limits: memory: "1024Mi" cpu: "2000m" -+ ovn_controller_gw: -+ ovn_logging_parser: -+ requests: -+ memory: "128Mi" -+ cpu: "100m" -+ limits: -+ memory: "256Mi" -+ cpu: "500m" -+ vector: -+ requests: -+ memory: "128Mi" -+ cpu: "100m" -+ limits: -+ memory: "256Mi" -+ cpu: "500m" ++ ovn_logging_parser: ++ requests: ++ memory: "128Mi" ++ cpu: "100m" ++ limits: ++ memory: "256Mi" ++ cpu: "500m" ++ vector: ++ requests: ++ memory: "128Mi" ++ cpu: "100m" ++ limits: ++ memory: "256Mi" ++ cpu: "500m" jobs: image_repo_sync: requests: -@@ -248,6 +289,9 @@ pod: +@@ -245,7 +286,11 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + + sidecars: + ovn_logging_parser: false + vector: false - ++ secrets: oci_image_registry: -@@ -311,6 +355,22 @@ endpoints: + ovn: ovn-oci-image-registry-key +@@ -304,6 +349,22 @@ endpoints: default: 6642 raft: default: 6644 @@ -316,80 +312,3 @@ index 214dd16f..d0f2406b 100644 network_policy: ovn_ovsdb_nb: -diff --git a/images/neutron/Dockerfile b/images/neutron/Dockerfile -index 7032319b..992091b6 100644 ---- a/images/neutron/Dockerfile -+++ b/images/neutron/Dockerfile -@@ -13,12 +13,16 @@ RUN git -C /src/neutron-vpnaas fetch --unshallow - ARG POLICY_SERVER_GIT_REF=4a86b140d5510823a8fb8a59137feddf5b111b26 - ADD --keep-git-dir=true https://github.com/vexxhost/neutron-policy-server.git#${POLICY_SERVER_GIT_REF} /src/neutron-policy-server - RUN git -C /src/neutron-policy-server fetch --unshallow -+ARG LOG_PASER_GIT_REF=3bc113d9fc0eb3264feca5900e550f6ed15503c2 -+ADD --keep-git-dir=true https://github.com/vexxhost/neutron-ovn-network-logging-parser.git#${LOG_PASER_GIT_REF} /src/neutron-ovn-network-logging-parser -+RUN git -C /src/neutron-ovn-network-logging-parser fetch --unshallow - RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <