SDN-3708: Support configurable masquerade subnet in ovn-k

[bpickard22]

Adds the necessary knobs in the cno to consume the api change (openshift/api#1410) exposing the internal masquerade subnet in ovn-k where we reserve addresses for ip masquerading

[bpickard22]

/hold depends on openshift/api#1410

[tssurya]

/assign @tssurya

[flavio-fernandes]

NIT align all lines above and below this to accommodate the longer string

[ricky-rav]

The IDE should do it automagically :)

[ricky-rav]

@bpickard22 let's make sure CNO builds with the changes in ovn_kubernetes.go :)
https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_cluster-network-operator/1807/pull-ci-openshift-cluster-network-operator-master-verify/1687179374593314816

[ricky-rav]

I gave the PR a first pass. We need the OVNK PR to merge first, the API PR second, and then once we update vendor/github.com/openshift/api/ with the new API, we can finally test this CNO PR.

[ricky-rav]

The IDE should do it automagically :)

[ricky-rav]

let's print what v4InternalSubnet is

[bpickard22]

this is the join subnet which is not part of this feature, but we can go ahead and update that log

[ricky-rav]

let's print what v6InternalSubnet is

[ricky-rav]

@bpickard22 so in order to test CNO against the API changes that are still to be merged, you can modify the go.mod file to point to your own fork of openshift/api with the commit hash from your API PR. I tried it here: ricky-rav@94ac16e

Basically in the "replace" part of the go.mod file, you type:
github.com/openshift/api => github.com/bpickard22/api 680fd20165a4385e0b92a50ecd91d6c3763bd5d1

Then you run go mod vendor and it will rewrite the commit ID into the "v0.0.0..." form:
github.com/openshift/api => github.com/bpickard22/api v0.0.0-20230804184907-680fd20165a4

Of course you'll undo this once the API PR merges, but at least we can move forward with this CNO in the meantime :)

[zshi-redhat]

@bpickard22 Is this PR ready to merge?

[jcaamano]

I think that the first commit needs to be dropped as it should be merged already.

[jcaamano]

I don't think that this will cause a rollout/restart of ovn-k, making it a day-1 only configuration parameter. Is that ok?

[bpickard22]

yes that is the current intended behavior

[jcaamano]

I see in other places that the error returned from net.ParseCIDR is ignored, I suspect because it is assumed to be properly validated by the API server. But here you don't. If there is an error here, are you sure you can derenference safely *v4Net later on?

[bpickard22]

correct the api would catch any invalid subnet configuration (or at least it should), just being cautious here to catch anything that i missed with my api validations. I am unsure if a value that could cause a panic would occur here because we already check for nil

[jcaamano]

Where do you check for nil?

[bpickard22]

we check that the gatewayConfig is not nil, so if no value is passed into the internalMasqueradeSubnet it should just be an empty string im pretty sure

[jcaamano]

So you have

_, v4MasqNet, err = net.ParseCIDR(oc.GatewayConfig.IPv4.InternalMasqueradeSubnet)

if that returns non-nil err and potentially nil v4MasqNet then you just append the error but continue on

out = append(out, errors.Errorf("v4InternalMasqueradeSubnet is invalid: %s", err)

and then a few lines below you dereference v4MasqNet which will panic if it is nil

if iputil.NetsOverlap(*v4MasqNet, *v4ClusterNet)

[bpickard22]

@jcaamano added a check to make sure that the v4/v6 masqNet return isnt nil

[jcaamano]

Should we check that there is no overlap with the join subnet as well? Perhaps it would be useful to have an utility method to pass a map of network names to networks, that just checks that there are no overlaps among any of them.

[bpickard22]

I think I would like to get this in before code freeze and then add some utility that allows us to check for overlap when we add the transit switch config this coming release, I can add a todo here if thats alright.

[jcaamano]

Regardless of the utility, don't you think we need to check for overlaps with the join subnet in this PR?

[bpickard22]

yes will add that now

[bpickard22]

@jcaamano added a check for just the join and masq subnets here, will add a utility when the transit swtich config is introduced here

[bpickard22]

/retest-required

[bpickard22]

/retest-required

[jcaamano]

If v4JoinNet == nil then err != nil so it doesn't make sense to check and append an error for both things.
Also this method is trying to validate all without breaking out early, I think we can keep doing that.

I would do this

_, v4JoinNet, err = net.ParseCIDR(oc.V4InternalSubnet)
if err != nil {
    out = append(out, errors.Errorf("v4InternalSubnet is invalid: %s", err))
} else if !isV4InternalSubnetLargeEnough(conf) {
    out = append(out, errors.Errorf("v4InternalSubnet %s is not large enough for the maximum number of nodes which can be supported by ClusterNetwork", oc.V4InternalSubnet))
}

...
...

    if v4JoinNet != nil {
        _, v4ClusterNet, _ := net.ParseCIDR(cn.CIDR)
	if iputil.NetsOverlap(*v4JoinNet, *v4ClusterNet) {
	    out = append(out, errors.Errorf("v4InternalSubnet %s overlaps with ClusterNetwork %s", oc.V4InternalSubnet, cn.CIDR))
	}
    }

Similar approach on the other instances.

[bpickard22]

latest change implements this

[jcaamano]

You missed the second part, I added a comment for it

[bpickard22]

/retest-required

[jcaamano]

You should replace oc.V4InternalSubnet != "" with v4JoinNet != nil

Similar in other instances

[bpickard22]

I actually think that is a redundant if check that can just be removed

[bpickard22]

/retest-required

[jcaamano]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bpickard22, jcaamano, ricky-rav

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jcaamano]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@bpickard22: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.15-upgrade-from-stable-4.14-images	6a66258	link	true	/test 4.15-upgrade-from-stable-4.14-images
ci/prow/4.15-upgrade-from-stable-4.14-e2e-gcp-ovn-upgrade	6a66258	link	false	/test 4.15-upgrade-from-stable-4.14-e2e-gcp-ovn-upgrade
ci/prow/4.15-upgrade-from-stable-4.14-e2e-azure-ovn-upgrade	6a66258	link	false	/test 4.15-upgrade-from-stable-4.14-e2e-azure-ovn-upgrade
ci/prow/4.15-upgrade-from-stable-4.14-e2e-aws-ovn-upgrade	6a66258	link	false	/test 4.15-upgrade-from-stable-4.14-e2e-aws-ovn-upgrade
ci/prow/e2e-azure-ovn-dualstack	b8fe87e	link	false	/test e2e-azure-ovn-dualstack
ci/prow/e2e-azure-ovn	1b4d11d	link	false	/test e2e-azure-ovn
ci/prow/e2e-openstack-ovn	1b4d11d	link	false	/test e2e-openstack-ovn
ci/prow/e2e-vsphere-ovn-dualstack-primaryv6	1b4d11d	link	false	/test e2e-vsphere-ovn-dualstack-primaryv6
ci/prow/4.16-upgrade-from-stable-4.15-e2e-azure-ovn-upgrade	1b4d11d	link	false	/test 4.16-upgrade-from-stable-4.15-e2e-azure-ovn-upgrade
ci/prow/e2e-aws-hypershift-ovn-kubevirt	1b4d11d	link	false	/test e2e-aws-hypershift-ovn-kubevirt
ci/prow/4.16-upgrade-from-stable-4.15-e2e-gcp-ovn-upgrade	1b4d11d	link	false	/test 4.16-upgrade-from-stable-4.15-e2e-gcp-ovn-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@bpickard22: This pull request references SDN-3708 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Adds the necessary knobs in the cno to consume the api change (openshift/api#1410) exposing the internal masquerade subnet in ovn-k where we reserve addresses for ip masquerading

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 2e23c82 and 2 for PR HEAD 1b4d11d in total