feat: support vip

kubeovn · Sep 17, 2021 · 7fd8cf4 · 7fd8cf4
1 parent f250602
commit 7fd8cf4
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 28 deletions.
diff --git a/pkg/controller/node.go b/pkg/controller/node.go
@@ -266,7 +266,7 @@ func (c *Controller) handleAddNode(key string) error {
 	}
 
 	ipStr := util.GetStringIP(v4IP, v6IP)
-	if err := c.ovnClient.CreatePort(c.config.NodeSwitch, portName, ipStr, subnet.Spec.CIDRBlock, mac, "", "", false, ""); err != nil {
+	if err := c.ovnClient.CreatePort(c.config.NodeSwitch, portName, ipStr, mac, "", "", false, "", ""); err != nil {
 		return err
 	}
 

diff --git a/pkg/controller/pod.go b/pkg/controller/pod.go
@@ -220,7 +220,9 @@ func (c *Controller) enqueueUpdatePod(oldObj, newObj interface{}) {
 		newSecurity := newPod.Annotations[fmt.Sprintf(util.PortSecurityAnnotationTemplate, podNet.ProviderName)]
 		oldSg := oldPod.Annotations[fmt.Sprintf(util.SecurityGroupAnnotationTemplate, podNet.ProviderName)]
 		newSg := newPod.Annotations[fmt.Sprintf(util.SecurityGroupAnnotationTemplate, podNet.ProviderName)]
-		if oldSecurity != newSecurity || oldSg != newSg {
+		oldVips := oldPod.Annotations[fmt.Sprintf(util.PortVipAnnotationTemplate, podNet.ProviderName)]
+		newVips := newPod.Annotations[fmt.Sprintf(util.PortVipAnnotationTemplate, podNet.ProviderName)]
+		if oldSecurity != newSecurity || oldSg != newSg || oldVips != newVips {
 			c.updatePodSecurityQueue.Add(key)
 			break
 		}
@@ -495,15 +497,26 @@ func (c *Controller) handleAddPod(key string) error {
 			}
 
 			securityGroupAnnotation := pod.Annotations[fmt.Sprintf(util.SecurityGroupAnnotationTemplate, podNet.ProviderName)]
+			vips := pod.Annotations[fmt.Sprintf(util.PortVipAnnotationTemplate, podNet.ProviderName)]
+			for _, ip := range strings.Split(vips, ",") {
+				if ip != "" && net.ParseIP(ip) == nil {
+					klog.Errorf("invalid vip address '%s' for pod %s", ip, name)
+					vips = ""
+					break
+				}
+			}
 			portName := ovs.PodNameToPortName(name, namespace, podNet.ProviderName)
-			if err := c.ovnClient.CreatePort(subnet.Name, portName, ipStr, subnet.Spec.CIDRBlock, mac, pod.Name, pod.Namespace, portSecurity, securityGroupAnnotation); err != nil {
+			if err := c.ovnClient.CreatePort(subnet.Name, portName, ipStr, mac, pod.Name, pod.Namespace, portSecurity, securityGroupAnnotation, vips); err != nil {
 				c.recorder.Eventf(pod, v1.EventTypeWarning, "CreateOVNPortFailed", err.Error())
 				return err
 			}
 
 			if portSecurity {
 				sgNames := strings.Split(securityGroupAnnotation, ",")
 				for _, sgName := range sgNames {
+					if sgName == "" {
+						continue
+					}
 					c.syncSgPortsQueue.Add(sgName)
 				}
 			}
@@ -634,6 +647,14 @@ func (c *Controller) handleUpdatePodSecurity(key string) error {
 				return err
 			}
 		}
+
+		mac := pod.Annotations[fmt.Sprintf(util.MacAddressAnnotationTemplate, podNet.ProviderName)]
+		ipStr := pod.Annotations[fmt.Sprintf(util.IpAddressAnnotationTemplate, podNet.ProviderName)]
+		vips := pod.Annotations[fmt.Sprintf(util.PortVipAnnotationTemplate, podNet.ProviderName)]
+		if err = c.ovnClient.SetPortSecurity(portSecurity, ovs.PodNameToPortName(name, namespace, podNet.ProviderName), mac, ipStr, vips); err != nil {
+			klog.Errorf("setPortSecurity failed. %v", err)
+			return err
+		}
 	}
 	return nil
 }

diff --git a/pkg/ovs/ovn-nbctl.go b/pkg/ovs/ovn-nbctl.go
@@ -135,36 +135,41 @@ func (c Client) SetPortExternalIds(port, key, value string) error {
 	return nil
 }
 
+func (c Client) SetPortSecurity(portSecurity bool, port, mac, ipStr, vips string) error {
+	var addresses []string
+	if portSecurity {
+		addresses = append(addresses, mac)
+		addresses = append(addresses, strings.Split(ipStr, ",")...)
+		addresses = append(addresses, strings.Split(vips, ",")...)
+	}
+	if _, err := c.ovnNbCommand("lsp-set-port-security", port, strings.Join(addresses, " ")); err != nil {
+		klog.Errorf("set port %s security failed: %v", port, err)
+		return err
+	}
+	return nil
+}
+
 // CreatePort create logical switch port in ovn
-func (c Client) CreatePort(ls, port, ip, cidr, mac, pod, namespace string, portSecurity bool, securityGroups string) error {
+func (c Client) CreatePort(ls, port, ip, mac, pod, namespace string, portSecurity bool, securityGroups string, vips string) error {
 	var ovnCommand []string
-	if util.CheckProtocol(cidr) == kubeovnv1.ProtocolDual {
-		// ips := strings.Split(ip, ",")
-		ovnCommand = []string{MayExist, "lsp-add", ls, port, "--",
-			"lsp-set-addresses", port, mac}
-
-		ipAddr := util.GetIpAddrWithMask(ip, cidr)
-		ipAddrs := strings.Split(ipAddr, ",")
-		if portSecurity {
-			ovnCommand = append(ovnCommand,
-				"--", "lsp-set-port-security", port, fmt.Sprintf("%s %s %s", mac, ipAddrs[0], ipAddrs[1]))
-		}
-	} else {
-		ovnCommand = []string{MayExist, "lsp-add", ls, port, "--",
-			"lsp-set-addresses", port, mac}
+	ovnCommand = []string{MayExist, "lsp-add", ls, port, "--",
+		"lsp-set-addresses", port, mac}
+
+	if portSecurity {
+		var addresses []string
+		addresses = append(addresses, mac)
+		addresses = append(addresses, strings.Split(ip, ",")...)
+		addresses = append(addresses, strings.Split(vips, ",")...)
+		ovnCommand = append(ovnCommand,
+			"--", "lsp-set-port-security", port, strings.Join(addresses, " "))
 
-		if portSecurity {
+		if securityGroups != "" {
+			sgList := strings.Split(securityGroups, ",")
 			ovnCommand = append(ovnCommand,
-				"--", "lsp-set-port-security", port, fmt.Sprintf("%s %s", mac, ip))
-
-			if securityGroups != "" {
-				sgList := strings.Split(securityGroups, ",")
+				"--", "set", "logical_switch_port", port, fmt.Sprintf("external_ids:security_groups=%s", securityGroups))
+			for _, sg := range sgList {
 				ovnCommand = append(ovnCommand,
-					"--", "set", "logical_switch_port", port, fmt.Sprintf("external_ids:security_groups=%s", securityGroups))
-				for _, sg := range sgList {
-					ovnCommand = append(ovnCommand,
-						"--", "set", "logical_switch_port", port, fmt.Sprintf("external_ids:associated_sg_%s=true", sg))
-				}
+					"--", "set", "logical_switch_port", port, fmt.Sprintf("external_ids:associated_sg_%s=true", sg))
 			}
 		}
 	}

diff --git a/pkg/util/const.go b/pkg/util/const.go
@@ -30,6 +30,7 @@ const (
 	VpcAnnotation           = "ovn.kubernetes.io/vpc"
 
 	PortSecurityAnnotationTemplate = "%s.kubernetes.io/port_security"
+	PortVipAnnotationTemplate      = "%s.kubernetes.io/port_vips"
 	PortSecurityAnnotation         = "ovn.kubernetes.io/port_security"
 	NorthGatewayAnnotation         = "ovn.kubernetes.io/north_gateway"