OVN LB support (#687)
* Fix return value for handling ovn load balancer

Signed-off-by: Roman Hros <[email protected]>

* Support OVN LoadBalancer

Signed-off-by: Roman Hros <[email protected]>

---------

Signed-off-by: Roman Hros <[email protected]>
chess-knight authored Feb 26, 2024
1 parent d955dbd commit 47f12bb
Showing 4 changed files with 9 additions and 23 deletions.
22 changes: 6 additions & 16 deletions doc/LoadBalancer-ExtTrafficLocal.md
@@ -67,25 +67,15 @@ see the client IPs. This has been validated (and can even be monitored by openst
on SCS clouds that use OVN.

A health-monitor is still needed to ensure that only active members receive requests.
There are unfortunately two problems with the health-monitoring on the OVN provider:
* The health-monitor does correctly detect members that are not responding and stops
routing traffic from the VIP towards the inactive member. Unfortunately the
traffic that comes in from the floating IP associated with the VIP is not treated
the same, but is still distributed to the inactive members, resulting in a good
fraction of the requests to go unanswered. This is tracked in bug
https://bugs.launchpad.net/neutron/+bug/1956035
* The OCCM always tries to create an HTTP health-monitor. The OVN provider however
does not yet support HTTP health-monitors, only TCP. We'll have to wait for (and
possibly help with) HTTP health-monitors to be implemented upstream.

Due to the HTTP health-monitor not being supported, the created loadbalancer is not
considered functional, so the reconciliation loop creates another loadbalancer until
your project runs into quota limits (on the loadbalancer or on ports).
So for now, the feature `use_ovn_lb_provider` should not be enabled.
Health monitors for the ovn provider are only supported on OpenStack Wallaby and later.
See also occm [docs](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md).

OVN LoadBalancer can be enabled by setting `use_ovn_lb_provider = "true"` or `use_ovn_lb_provider = "auto"`.

Note that the `use_ovn_lb_provider` does not affect the LB in front of the kube API.
That one is created by capo and requires other settings. Also note that it would
not yet support the CIDR filtering with `restrict_kubeapi` setting.
not yet support the [CIDR filtering](https://docs.openstack.org/octavia/latest/user/feature-classification/index.html#operation_allowed_cidr)
with `restrict_kubeapi` setting.

# Disabled health-monitor by default
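Review bot: the replacement paragraph drops both caveats the deleted text carried (Launchpad bug 1956035, where traffic arriving via the floating IP still reached members the health-monitor had marked down, and the HTTP-vs-TCP health-monitor limitation) without saying whether either is resolved, so a reader of this page alone cannot tell why the feature is now safe to enable. Suggest keeping a one-line status for the bug (or naming the release that fixes it) and, in the new "can be enabled by setting" sentence, spelling out that `auto` uses the OVN provider only when the cloud offers it while `"true"` forces it, as the tfvars comment in this same commit does.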

2 changes: 1 addition & 1 deletion doc/configuration.md
@@ -84,7 +84,7 @@ Optional services deployed to cluster:
| `deploy_metrics` | `DEPLOY_METRICS` | SCS | `true` | `apply_metrics.sh` | Deploy metrics service to nodes to make `kubectl top` work |
| `deploy_nginx_ingress` | `DEPLOY_NGINX_INGRESS` | SCS | `true` | `apply_nginx_ingress.sh` | Deploy NGINX ingress controller (this spawns an OpenStack Loadbalancer), pass version to explicitly choose the version, `true` results in `v1.8.1` (supported k8s >= 1.24) |
| `` | `NGINX_INGRESS_PROXY` | SCS | `true` | (dito) | Configure LB and nginx to get real IP via PROXY protocol; trouble for pod to LB connections has been resolved by setting hostname |
| `use_ovn_lb_provider` | `USE_OVN_LB_PROVIDER` | SCS | `false` | `apply_nginx_ingress.sh` | Clouds using OVN networking can deploy the OVN provider that has low overhead (L3) and makes real client IPs visible without proxy protocol hacks. Set to `auto` to enable; not yet ready for prime time, thus defaults to `false`. |
| `use_ovn_lb_provider` | `USE_OVN_LB_PROVIDER` | SCS | `false` | `apply_nginx_ingress.sh` | Clouds using OVN networking can deploy the OVN provider that has low overhead (L3) and makes real client IPs visible without proxy protocol hacks. Set to `auto` to enable. |
| `deploy_gateway_api` | `DEPLOY_GATEWAY_API` | SCS | `false` | `create_cluster.sh` | Deploy Gateway APIs CRDs and enable ciliums Gateway API implementation. This only works in conjunction with USE_CILIUM=true. Also this will break at least one CNCF conformance test. This feature is considered a tech-review. Keep in mind that Gateway API itself is under development and not GA. Also note that ciliums implementation of Gateway API is considered "beta". |
| `deploy_cert_manager` | `DEPLOY_CERT_MANAGER` | SCS | `false` | `apply_cert_manager.sh` | Deploy cert-manager, pass version (e.g. `v1.14.2`) to explicitly choose a version |
| `deploy_flux` | `DEPLOY_FLUX` | SCS | `false` | `create_cluster.sh` | Deploy flux2 into the cluster |
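Review bot: the description column still reads only "Set to `auto` to enable", while the accepted values per environment-default.tfvars in this commit are `auto/true/false` with distinct meanings; suggest "Set to `auto` to use the OVN provider when the cloud offers it, `true` to force it, `false` to never use it." Also check the script column: the OVN settings (`lb-provider`, `lb-method`, `create-monitor`) are written into cloud.conf by `handle_ovn_lb.sh`, touched in this commit, so if `apply_nginx_ingress.sh` only calls it, naming both would help someone tracing the setting.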
2 changes: 1 addition & 1 deletion terraform/environments/environment-default.tfvars
@@ -28,7 +28,7 @@ service_cidr = "<CIDR>" # defaults to "10.96.0.0/12"
pod_cidr = "<CIDR>" # defaults to "192.168.0.0/16"
anti_affinity = "<boolean>" # defaults to "true"
use_cilium = "version/true/false" # defaults to "true", can also be set to "vx.y.z", also see cilium_binaries
use_ovn_lb_provider = "auto/true/false" # use OVN LB if available (auto) or force (true) or never (false), not yet recommended
use_ovn_lb_provider = "auto/true/false" # use OVN LB if available (auto) or force (true) or never (false)
deploy_nginx_ingress = "version/true/false" # defaults to "true", you can also set vX.Y.Z if you want
deploy_gateway_api = "true/false" # defaults to "false"
deploy_cert_manager = "version/true/false" # defaults to "false", you can also set to vX.Y.Z if you want
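Review bot: the rewritten comment no longer states a default, while every neighbouring line does ("defaults to ...") and configuration.md in this same commit lists `false` as the default for `use_ovn_lb_provider`; suggest `# use OVN LB if available (auto) or force (true) or never (false), defaults to "false"`.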
6 changes: 1 addition & 5 deletions terraform/files/bin/handle_ovn_lb.sh
@@ -47,15 +47,11 @@ $1=$2" $CLOUDCONF

use_ovn()
{
echo "Warning: use_ovn_lb_provider is a preview feature that does not fully work" 1>&2
if test "$ALLOW_PREVIEW_FEATURES" != "1"; then echo
echo "You need to pass --allow-preview-features to allow using it" 1>&2
exit 1
fi
CLOUDCONF="$HOME/$CLUSTER_NAME/cloud.conf"
set_cfg_octavia "lb-provider" "ovn"
set_cfg_octavia "lb-method" "SOURCE_IP_PORT"
set_cfg_octavia "create-monitor" "true"
return 0
}

disable_ovn()
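Review bot: with the `ALLOW_PREVIEW_FEATURES` gate gone, `use_ovn()` now writes `create-monitor = true` into cloud.conf unconditionally, while the doc change in this commit says OVN health monitors exist only on OpenStack Wallaby and later and the section that follows it is headed "Disabled health-monitor by default". On an older cloud the controller manager will then request a monitor the provider cannot supply; either make the `create-monitor` line conditional on a detected provider capability, or state in the doc that enabling the OVN provider implies a health-monitor and requires Wallaby+. Also, the added `return 0` is now the only exit status of `use_ovn()`; if the `auto` path relies on a non-zero return to fall back, confirm `disable_ovn()` (not shown here) returns consistently.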