SDN-3708: Support configurable masquerade subnet in ovn-k #1807
/hold depends on openshift/api#1410
/assign @tssurya
pkg/network/ovn_kubernetes_test.go
@@ -179,6 +179,7 @@ func TestRenderedOVNKubernetesConfig(t *testing.T) { | |||
egressIPConfig *operv1.EgressIPConfig | |||
masterIPs []string | |||
v4InternalSubnet string | |||
v4InternalMasqueradeSubnet string |
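Review bot: the added `v4InternalMasqueradeSubnet string` field is wider than the alignment column the struct currently uses (`egressIPConfig`, `masterIPs`, `v4InternalSubnet` are padded to a shorter width), so gofmt will re-pad every field; run it on the file so the whole struct is realigned in the same commit. Because this struct defines the table-driven cases of TestRenderedOVNKubernetesConfig, also add a case that sets the masquerade subnet and asserts it appears in the rendered config, plus a negative case where it overlaps the join or cluster network, so the new validation path is covered by the test rather than only by manual review.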
NIT align all lines above and below this to accommodate the longer string
The IDE should do it automagically :)
@bpickard22 let's make sure CNO builds with the changes in ovn_kubernetes.go :)
pkg/network/ovn_kubernetes.go
} | ||
_, v4Net, err = net.ParseCIDR(oc.V4InternalSubnet) | ||
if err != nil { | ||
out = append(out, errors.Errorf("v4InternalSubnet is invalid: %s", err)) | ||
} | ||
if !isV4InternalSubnetLargeEnough(conf) { | ||
out = append(out, errors.Errorf("v4InternalSubnet is no large enough for the maximum number of nodes which can be supported by ClusterNetwork")) | ||
out = append(out, errors.Errorf("v4InternalSubnet is not large enough for the maximum number of nodes which can be supported by ClusterNetwork")) |
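Review bot: the message on the last line should carry the offending value (`oc.V4InternalSubnet`) so an operator can see which subnet was rejected, and `isV4InternalSubnetLargeEnough(conf)` is still evaluated after `net.ParseCIDR` has failed, which yields a second, misleading error for the same unparsable value; chain it as `} else if !isV4InternalSubnetLargeEnough(conf) {`. Note also that when `err != nil` the returned `v4Net` is nil while the function keeps going, so every later `*v4Net` dereference in this function needs a nil guard.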
let's print what v4InternalSubnet is
this is the join subnet which is not part of this feature, but we can go ahead and update that log
pkg/network/ovn_kubernetes.go
@@ -920,7 +923,7 @@ func validateOVNKubernetes(conf *operv1.NetworkSpec) []error { | |||
out = append(out, errors.Errorf("v6InternalSubnet is invalid: %s", err)) | |||
} | |||
if !isV6InternalSubnetLargeEnough(conf) { | |||
out = append(out, errors.Errorf("v6InternalSubnet is no large enough for the maximum number of nodes which can be supported by ClusterNetwork")) | |||
out = append(out, errors.Errorf("v6InternalSubnet is not large enough for the maximum number of nodes which can be supported by ClusterNetwork")) |
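Review bot: the v6 messages should include `oc.V6InternalSubnet` so the rejected value is visible in the error, and `isV6InternalSubnetLargeEnough(conf)` should be guarded with `else if` on the parse error above it, otherwise an unparsable subnet reports both "is invalid" and "is not large enough" for the same input.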
let's print what v6InternalSubnet is
@bpickard22 so in order to test CNO against the API changes that are still to be merged, you can modify the Basically in the "replace" part of the go.mod file, you type: Then you run Of course you'll undo this once the API PR merges, but at least we can move forward with this CNO in the meantime :)
@bpickard22 Is this PR ready to merge?
I think that the first commit needs to be dropped as it should be merged already.
{{- if (index . "V4InternalMasqueradeSubnet")}} | ||
v4-internal-masquerade-subnet="{{.V4InternalMasqueradeSubnet}}" | ||
{{- end }} | ||
{{- if (index . "V6InternalMasqueradeSubnet")}} | ||
v6-internal-masquerade-subnet="{{.V6InternalMasqueradeSubnet}}" | ||
{{- end }} | ||
|
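Review bot: the two new keys `v4-internal-masquerade-subnet` and `v6-internal-masquerade-subnet` are rendered only when the corresponding API field is set, and, as raised in review, a later change to the value does not trigger a rollout of ovn-k, which makes this a day-1 only setting; add a comment above this block stating that, and that the subnet must not overlap the join, cluster or service networks, so the constraint is documented where the option is emitted rather than only in the validation code.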
I don't think that this will cause a rollout/restart of ovn-k, making it a day-1 only configuration parameter. Is that ok?
yes that is the current intended behavior
pkg/network/ovn_kubernetes.go
_, v4Net, err = net.ParseCIDR(oc.GatewayConfig.IPv4.InternalMasqueradeSubnet) | ||
if err != nil { | ||
out = append(out, errors.Errorf("v4InternalMasqueradeSubnet is invalid: %s", err)) | ||
} |
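Review bot: reusing `v4Net` here overwrites the join-subnet network parsed earlier in this function from `oc.V4InternalSubnet`, so the two subnets can no longer be compared for overlap; give the masquerade subnet its own variable (e.g. `v4MasqNet`). Also, when `net.ParseCIDR` fails the returned network is nil and the function continues after appending the error, so a later `*v4Net` dereference in the overlap checks panics on an invalid value instead of reporting it; put those checks under `if v4MasqNet != nil { ... }` or in an `else` branch.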
I see in other places that the error returned from net.ParseCIDR is ignored, I suspect because it is assumed to be properly validated by the API server. But here you don't. If there is an error here, are you sure you can safely dereference *v4Net later on?
Correct, the API would catch any invalid subnet configuration (or at least it should); just being cautious here to catch anything that I missed with my API validations. I am unsure if a value that could cause a panic would occur here because we already check for nil.
Where do you check for nil?
We check that the gatewayConfig is not nil, so if no value is passed into the internalMasqueradeSubnet it should just be an empty string, I'm pretty sure.
So you have
_, v4MasqNet, err = net.ParseCIDR(oc.GatewayConfig.IPv4.InternalMasqueradeSubnet)
if that returns non-nil err and potentially nil v4MasqNet, then you just append the error but continue on
out = append(out, errors.Errorf("v4InternalMasqueradeSubnet is invalid: %s", err))
and then a few lines below you dereference v4MasqNet, which will panic if it is nil
if iputil.NetsOverlap(*v4MasqNet, *v4ClusterNet)
@jcaamano added a check to make sure that the v4/v6 masqNet return isn't nil
pkg/network/ovn_kubernetes.go
for _, sn := range conf.ServiceNetwork { | ||
if utilnet.IsIPv4CIDRString(sn) { | ||
_, v4ServiceNet, _ := net.ParseCIDR(sn) | ||
if iputil.NetsOverlap(*v4Net, *v4ServiceNet) { |
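Review bot: `*v4Net` on the last line is dereferenced without a nil check; if the masquerade subnet failed to parse earlier in the function this panics instead of surfacing a validation error, so guard the loop with `if v4Net != nil`. The loop only compares against ServiceNetwork: the masquerade subnet must not collide with the join subnet (`oc.V4InternalSubnet`) either, so add that comparison. Dropping the error from `net.ParseCIDR(sn)` is acceptable only because `utilnet.IsIPv4CIDRString(sn)` has already validated `sn`; a one-line comment saying so would make that dependency explicit.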
Should we check that there is no overlap with the join subnet as well? Perhaps it would be useful to have a utility method to pass a map of network names to networks, that just checks that there are no overlaps among any of them.
I think I would like to get this in before code freeze and then add some utility that allows us to check for overlap when we add the transit switch config this coming release; I can add a todo here if that's alright.
Regardless of the utility, don't you think we need to check for overlaps with the join subnet in this PR?
yes will add that now
@jcaamano added a check for just the join and masq subnets here, will add a utility when the transit switch config is introduced here
/retest-required
/retest-required
pkg/network/ovn_kubernetes.go
if v4JoinNet == nil { | ||
out = append(out, errors.Errorf("Unable to parse cidr for v4InternalSubnet %s", oc.V4InternalSubnet)) | ||
return out | ||
} |
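Review bot: `v4JoinNet == nil` here holds exactly when the preceding `net.ParseCIDR` returned `err != nil`, so this block reports the same bad `oc.V4InternalSubnet` a second time, and `return out` aborts early while the rest of validateOVNKubernetes accumulates every error before returning; drop the early return and instead skip only the checks that need the parsed network, e.g. `if v4JoinNet != nil { ... overlap checks ... }`, so an invalid join subnet does not hide other configuration errors.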
If v4JoinNet == nil then err != nil, so it doesn't make sense to check and append an error for both things.
Also this method is trying to validate all without breaking out early, I think we can keep doing that.
I would do this
_, v4JoinNet, err = net.ParseCIDR(oc.V4InternalSubnet)
if err != nil {
    out = append(out, errors.Errorf("v4InternalSubnet is invalid: %s", err))
} else if !isV4InternalSubnetLargeEnough(conf) {
    out = append(out, errors.Errorf("v4InternalSubnet %s is not large enough for the maximum number of nodes which can be supported by ClusterNetwork", oc.V4InternalSubnet))
}
...
...
if v4JoinNet != nil {
    _, v4ClusterNet, _ := net.ParseCIDR(cn.CIDR)
    if iputil.NetsOverlap(*v4JoinNet, *v4ClusterNet) {
        out = append(out, errors.Errorf("v4InternalSubnet %s overlaps with ClusterNetwork %s", oc.V4InternalSubnet, cn.CIDR))
    }
}
Similar approach on the other instances.
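An added example, not code from this PR or from cluster-network-operator, that puts the two review suggestions together: the "utility that takes a map of network names to networks and checks that none overlap" proposed earlier in the thread, written in the validate-everything style shown above (errors are collected rather than returned early, and a network whose parse failed is never dereferenced). It generalises to any number of named subnets in either address family; `networkOverlaps`, `netsOverlap` and the sample CIDRs are constructed for illustration and the operator's `iputil.NetsOverlap` is not used.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// networkOverlaps maps network name -> CIDR (empty = not configured) and returns
// every problem found: unparsable CIDRs and overlapping pairs. It collects all errors
// instead of returning early and never dereferences a failed parse. Example code only.
func networkOverlaps(cidrs map[string]string) []error {
	var errs []error
	names := make([]string, 0, len(cidrs))
	for name := range cidrs {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic order of reported errors
	parsed := map[string]*net.IPNet{}
	for _, name := range names {
		if cidrs[name] == "" {
			continue // optional subnet left unset
		}
		_, n, err := net.ParseCIDR(cidrs[name])
		if err != nil {
			errs = append(errs, fmt.Errorf("%s %q is invalid: %v", name, cidrs[name], err))
			continue // n is nil here, so it must not be used below
		}
		parsed[name] = n
	}
	for i, a := range names {
		for _, b := range names[i+1:] {
			na, nb := parsed[a], parsed[b]
			if na != nil && nb != nil && netsOverlap(na, nb) {
				errs = append(errs, fmt.Errorf("%s %s overlaps with %s %s", a, na, b, nb))
			}
		}
	}
	return errs
}

// netsOverlap: both IPs are network addresses, so two blocks overlap exactly when one
// contains the other's base address; IPNet.Contains is false across IPv4/IPv6.
func netsOverlap(a, b *net.IPNet) bool {
	return a.Contains(b.IP) || b.Contains(a.IP)
}
func main() { // constructed sample: the masquerade subnet collides with the join subnet
	fmt.Println(networkOverlaps(map[string]string{"v4InternalSubnet": "100.64.0.0/16",
		"v4InternalMasqueradeSubnet": "100.64.1.0/29", "clusterNetwork": "10.128.0.0/14"}))
}
```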
latest change implements this
You missed the second part, I added a comment for it
/retest-required
pkg/network/ovn_kubernetes.go
if v4JoinNet != nil { | ||
for _, cn := range conf.ClusterNetwork { | ||
if utilnet.IsIPv4CIDRString(cn.CIDR) { | ||
if oc.V4InternalSubnet != "" { |
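Review bot: `if oc.V4InternalSubnet != ""` on the last line is redundant: `v4JoinNet` is only non-nil when `oc.V4InternalSubnet` parsed successfully, which already implies it is non-empty, so inside `if v4JoinNet != nil` the inner condition is always true; remove it to flatten the nesting, and apply the same simplification to the v6 counterpart.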
You should replace oc.V4InternalSubnet != ""
with v4JoinNet != nil
Similar in other instances
I actually think that is a redundant if check that can just be removed
/retest-required
Adds the necessary knobs in the cno to consume the api change exposing the internal masquerade subnet in ovn-k where we reserve addresses for ip masquerading.
Had to rebase on top of small conflict with addition of logging for libovsdb in the config yamls.
Also adds unit tests and verification in cno for configured masquerade subnets and corrects some tests/verification of the join subnet.
Signed-off-by: Ben Pickard <bpickard@redhat.com>
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: bpickard22, jcaamano, ricky-rav. The full list of commands accepted by this bot can be found here. The pull request process is described here.
@bpickard22: The following tests failed, say
@bpickard22: This pull request references SDN-3708 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Merged dc94dc0 into openshift:master
Adds the necessary knobs in the cno to consume the api change (openshift/api#1410) exposing the internal masquerade subnet in ovn-k where we reserve addresses for ip masquerading