Merge pull request #314 from dulek/crds

Rebase with upstream code regarding CRD-based resource management
openshift · Jul 31, 2020 · 94a5af0 · 94a5af0
2 parents 4b68a15 + 03e1763
commit 94a5af0
Show file tree

Hide file tree

Showing 58 changed files with 5,399 additions and 4,011 deletions.
diff --git a/.zuul.d/octavia.yaml b/.zuul.d/octavia.yaml
@@ -99,7 +99,7 @@
     vars:
       devstack_localrc:
         DOCKER_CGROUP_DRIVER: "systemd"
-        KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace,pod_label,policy,kuryrnetpolicy,kuryrnetwork
+        KURYR_ENABLED_HANDLERS: vif,endpoints,service,namespace,pod_label,policy,kuryrnetworkpolicy,kuryrnetwork,kuryrport,kuryrloadbalancer
         KURYR_SG_DRIVER: policy
         KURYR_SUBNET_DRIVER: namespace
       devstack_services:
@@ -120,7 +120,7 @@
     vars:
       devstack_localrc:
         KURYR_SUBNET_DRIVER: namespace
-        KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace,pod_label,policy,kuryrnetpolicy,kuryrnetwork
+        KURYR_ENABLED_HANDLERS: vif,endpoints,service,namespace,pod_label,policy,kuryrnetworkpolicy,kuryrnetwork,kuryrport,kuryrloadbalancer
         KURYR_SG_DRIVER: policy
         KURYR_USE_PORT_POOLS: true
         KURYR_POD_VIF_DRIVER: neutron-vif
@@ -134,7 +134,7 @@
     parent: kuryr-kubernetes-tempest-containerized
     vars:
       devstack_localrc:
-        KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace,pod_label,policy,kuryrnetpolicy,kuryrnetwork
+        KURYR_ENABLED_HANDLERS: vif,endpoints,service,namespace,pod_label,policy,kuryrnetworkpolicy,kuryrnetwork,kuryrport,kuryrloadbalancer
         KURYR_SG_DRIVER: policy
         KURYR_SUBNET_DRIVER: namespace
 

diff --git a/.zuul.d/sdn.yaml b/.zuul.d/sdn.yaml
@@ -98,7 +98,7 @@
         KURYR_LB_ALGORITHM: SOURCE_IP_PORT
         KURYR_SUBNET_DRIVER: namespace
         KURYR_SG_DRIVER: policy
-        KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace,pod_label,policy,kuryrnetpolicy,kuryrnetwork
+        KURYR_ENABLED_HANDLERS: vif,endpoints,service,namespace,pod_label,policy,kuryrnetworkpolicy,kuryrnetwork,kuryrport,kuryrloadbalancer
     voting: false
 
 - job:
@@ -144,7 +144,7 @@
         KURYR_ENFORCE_SG_RULES: false
         KURYR_LB_ALGORITHM: SOURCE_IP_PORT
         KURYR_HYPERKUBE_VERSION: v1.16.0
-        KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace,pod_label,policy,kuryrnetpolicy,kuryrnetwork
+        KURYR_ENABLED_HANDLERS: vif,endpoints,service,namespace,pod_label,policy,kuryrnetworkpolicy,kuryrnetwork,kuryrport,kuryrloadbalancer
         KURYR_SG_DRIVER: policy
         KURYR_SUBNET_DRIVER: namespace
         KURYR_K8S_CONTAINERIZED_DEPLOYMENT: true

diff --git a/cni.Dockerfile b/cni.Dockerfile
@@ -18,7 +18,8 @@ RUN yum upgrade -y \
 
 COPY . /opt/kuryr-kubernetes
 
-RUN pip3 install -c $UPPER_CONSTRAINTS_FILE /opt/kuryr-kubernetes \
+RUN pip3 install -U pip \
+    && python3 -m pip install -c $UPPER_CONSTRAINTS_FILE /opt/kuryr-kubernetes \
     && cp /opt/kuryr-kubernetes/cni_ds_init /usr/bin/cni_ds_init \
     && mkdir -p /etc/kuryr-cni \
     && cp /opt/kuryr-kubernetes/etc/cni/net.d/* /etc/kuryr-cni \

diff --git a/controller.Dockerfile b/controller.Dockerfile
@@ -10,7 +10,8 @@ RUN yum upgrade -y \
 
 COPY . /opt/kuryr-kubernetes
 
-RUN pip3 install -c $UPPER_CONSTRAINTS_FILE --no-cache-dir /opt/kuryr-kubernetes \
+RUN pip3 install -U pip \
+    && python3 -m pip install -c $UPPER_CONSTRAINTS_FILE --no-cache-dir /opt/kuryr-kubernetes \
     && yum -y history undo last \
     && yum clean all \
     && rm -rf /opt/kuryr-kubernetes \

diff --git a/devstack/lib/kuryr_kubernetes b/devstack/lib/kuryr_kubernetes
@@ -452,7 +452,9 @@ rules:
     - kuryrnets
     - kuryrnetworks
     - kuryrnetpolicies
+    - kuryrnetworkpolicies
     - kuryrloadbalancers
+    - kuryrports
 - apiGroups: ["networking.k8s.io"]
   resources:
   - networkpolicies

diff --git a/devstack/local.conf.odl.sample b/devstack/local.conf.odl.sample
@@ -27,10 +27,11 @@ IDENTITY_API_VERSION=3
 ENABLED_SERVICES=""
 
 # Neutron services
-enable_service neutron
+enable_plugin neutron https://opendev.org/openstack/neutron
 enable_service q-dhcp
-enable_service q-svc
+enable_service q-api
 enable_service q-meta
+enable_service q-svc
 
 # LBaaSv2 service and Haproxy agent
 enable_plugin neutron-lbaas \

diff --git a/devstack/local.conf.openshift.sample b/devstack/local.conf.openshift.sample
@@ -27,12 +27,13 @@ IDENTITY_API_VERSION=3
 ENABLED_SERVICES=""
 
 # Neutron services
-enable_service neutron
+enable_plugin neutron https://opendev.org/openstack/neutron
 enable_service q-agt
 enable_service q-dhcp
 enable_service q-l3
-enable_service q-svc
+enable_service q-api
 enable_service q-meta
+enable_service q-svc
 
 # OCTAVIA
 # Uncomment it to use L2 communication between loadbalancer and member pods

diff --git a/devstack/local.conf.pod-in-vm.undercloud.odl.sample b/devstack/local.conf.pod-in-vm.undercloud.odl.sample
@@ -24,7 +24,7 @@ IDENTITY_API_VERSION=3
 ENABLED_SERVICES=""
 
 # Neutron services
-enable_service neutron
+enable_plugin neutron https://opendev.org/openstack/neutron
 enable_service q-dhcp
 enable_service q-svc
 enable_service q-meta

diff --git a/devstack/local.conf.sample b/devstack/local.conf.sample
@@ -27,12 +27,13 @@ IDENTITY_API_VERSION=3
 ENABLED_SERVICES=""
 
 # Neutron services
-enable_service neutron
+enable_plugin neutron https://opendev.org/openstack/neutron
 enable_service q-agt
 enable_service q-dhcp
 enable_service q-l3
-enable_service q-svc
+enable_service q-api
 enable_service q-meta
+enable_service q-svc
 
 # VAR RUN PATH
 # =============

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
@@ -973,6 +973,9 @@ function update_tempest_conf_file {
     fi
     iniset $TEMPEST_CONFIG kuryr_kubernetes validate_crd True
     iniset $TEMPEST_CONFIG kuryr_kubernetes kuryrnetworks True
+    iniset $TEMPEST_CONFIG kuryr_kubernetes kuryrports True
+    iniset $TEMPEST_CONFIG kuryr_kubernetes kuryrloadbalancers True
+    iniset $TEMPEST_CONFIG kuryr_kubernetes new_kuryrnetworkpolicy_crd True
 }
 
 source $DEST/kuryr-kubernetes/devstack/lib/kuryr_kubernetes

diff --git a/devstack/settings b/devstack/settings
@@ -43,7 +43,7 @@ KURYR_K8S_API_LB_PORT=${KURYR_K8S_API_LB_PORT:-443}
 KURYR_PORT_DEBUG=${KURYR_PORT_DEBUG:-True}
 KURYR_SUBNET_DRIVER=${KURYR_SUBNET_DRIVER:-default}
 KURYR_SG_DRIVER=${KURYR_SG_DRIVER:-default}
-KURYR_ENABLED_HANDLERS=${KURYR_ENABLED_HANDLERS:-vif,lb,lbaasspec}
+KURYR_ENABLED_HANDLERS=${KURYR_ENABLED_HANDLERS:-vif,endpoints,service,kuryrloadbalancer,kuryrport}
 
 # OpenShift
 OPENSHIFT_BINARY_VERSION=${OPENSHIFT_BINARY_VERSION:-v3.11.0}

diff --git a/doc/source/devref/network_policy.rst b/doc/source/devref/network_policy.rst
@@ -47,22 +47,22 @@ The network policy CRD has the following format:
 .. code-block:: yaml
 
    apiVersion: openstack.org/v1
-   kind: KuryrNetPolicy
+   kind: KuryrNetworkPolicy
    metadata:
      ...
    spec:
      egressSgRules:
-     - security_group_rule:
+     - sgRule:
        ...
      ingressSgRules:
-     - security_group_rule:
-       ...
-     networkpolicy_spec:
+     - sgRule:
        ...
      podSelector:
        ...
+   status:
      securityGroupId: ...
-     securityGroupName: ...
+     podSelector: ...
+     securityGroupRules: ...
 
 A new handler has been added to react to Network Policy events, and the existing
 ones, for instance service/pod handlers, have been modified to account for the
@@ -201,26 +201,25 @@ are assumed to assumed to affect Ingress.
 .. code-block:: yaml
 
    apiVersion: openstack.org/v1
-   kind: KuryrNetPolicy
+   kind: KuryrNetworkPolicy
    metadata:
-     name: np-default-deny
+     name: default-deny
      namespace: default
      ...
    spec:
      egressSgRules:
-     - security_group_rule:
+     - sgRule:
          description: Kuryr-Kubernetes NetPolicy SG rule
          direction: egress
          ethertype: IPv4
-         id: 60a0d59c-2102-43e0-b025-75c98b7d9315
          security_group_id: 20d9b623-f1e0-449d-95c1-01624cb3e315
      ingressSgRules: []
-     networkpolicy_spec:
-       ...
      podSelector:
        ...
+   status:
      securityGroupId: 20d9b623-f1e0-449d-95c1-01624cb3e315
-     securityGroupName: sg-default-deny
+     securityGroupRules: ...
+     podSelector: ...
 
 
 Allow traffic from pod
@@ -263,37 +262,33 @@ restriction was enforced.
 .. code-block:: yaml
 
    apiVersion: openstack.org/v1
-   kind: KuryrNetPolicy
+   kind: KuryrNetworkPolicy
    metadata:
-     name: np-allow-monitoring-via-pod-selector
+     name: allow-monitoring-via-pod-selector
      namespace: default
      ...
    spec:
      egressSgRules:
-     - security_group_rule:
+     - sgRule:
          description: Kuryr-Kubernetes NetPolicy SG rule
          direction: egress
          ethertype: IPv4
-         id: 203a14fe-1059-4eff-93ed-a42bd957145d
-         security_group_id: 7f0ef8c2-4846-4d8c-952f-94a9098fff17
      ingressSgRules:
      - namespace: default
-       security_group_rule:
+       sgRule:
          description: Kuryr-Kubernetes NetPolicy SG rule
          direction: ingress
          ethertype: IPv4
-         id: 7987c382-f2a9-47f7-b6e8-1a3a1bcb7d95
          port_range_max: 8080
          port_range_min: 8080
          protocol: tcp
          remote_ip_prefix: 10.0.1.143
-         security_group_id: 7f0ef8c2-4846-4d8c-952f-94a9098fff17
-     networkpolicy_spec:
-       ...
      podSelector:
        ...
+   status:
      securityGroupId: 7f0ef8c2-4846-4d8c-952f-94a9098fff17
-     securityGroupName: sg-allow-monitoring-via-pod-selector
+     securityGroupRules: ...
+     podSelector: ...
 
 
 Allow traffic from namespace
@@ -337,36 +332,32 @@ egress rule allowing traffic to everywhere.
 .. code-block:: yaml
 
    apiVersion: openstack.org/v1
-   kind: KuryrNetPolicy
-     name: np-allow-test-via-ns-selector
+   kind: KuryrNetworkPolicy
+     name: allow-test-via-ns-selector
      namespace: default
      ...
    spec:
      egressSgRules:
-     - security_group_rule:
+     - sgRule:
          description: Kuryr-Kubernetes NetPolicy SG rule
          direction: egress
          ethertype: IPv4
-         id: 8c21bf42-c8b9-4628-b0a1-bd0dbb192e6b
-         security_group_id: c480327c-2db4-4eb6-af1e-eeb0ce9b46c9
      ingressSgRules:
      - namespace: dev
-       security_group_rule:
+       sgRule:
          description: Kuryr-Kubernetes NetPolicy SG rule
          direction: ingress
          ethertype: IPv4
-         id: 2a33b802-56ad-430a-801d-690f653198ef
          port_range_max: 8080
          port_range_min: 8080
          protocol: tcp
          remote_ip_prefix: 10.0.1.192/26
-         security_group_id: c480327c-2db4-4eb6-af1e-eeb0ce9b46c9
-     networkpolicy_spec:
-       ...
      podSelector:
        ...
+   status:
      securityGroupId: c480327c-2db4-4eb6-af1e-eeb0ce9b46c9
-     securityGroupName: sg-allow-test-via-ns-selector
+     securityGroupRules: ...
+     podSelector: ...
 
 .. note::
 

diff --git a/doc/source/installation/manual.rst b/doc/source/installation/manual.rst
@@ -95,6 +95,7 @@ Edit ``kuryr.conf``:
           - kuryrnets
           - kuryrnetworks
           - kuryrnetpolicies
+          - kuryrnetworkpolicies
           - kuryrloadbalancers
       - apiGroups: ["networking.k8s.io"]
         resources: