Support F5 partition path #13391
Support F5 partition path #13391
Conversation
o Use fully qualified names so that there is no defaulting to /Common
and need to have all the referenced objects in the same partition,
otherwise F5 has reference errors across partitions.
o Fix policy partition path + rework and ensure we check the vserver
which is inside the partition we are configured in.
o Comment re: delete errors.
o Bug fixes.
o F5 unit test changes for supporting partition paths.
rajatchopra
force-pushed
the
f5partition
branch
from
24ed354
to
de4ca18
Compare
|
[test] |
|
[test] #12007 |
|
Basic testing is successful |
rajatchopra
force-pushed
the
f5partition
branch
from
f11c4ee
to
324ffd9
Compare
rajatchopra
force-pushed
the
f5partition
branch
from
324ffd9
to
98d640d
Compare
| @@ -532,7 +576,7 @@ func (f5 *f5LTM) ensureVxLANTunnel() error { | |||
| AddressSource: "from-user", | |||
| Floating: "disabled", | |||
| InheritedTrafficGroup: "false", | |||
| TrafficGroup: path.Join(f5.partitionPath, "traffic-group-local-only"), | |||
| TrafficGroup: path.Join("/Common", "traffic-group-local-only"), // Traffic group is global | |||
| Unit: 0, | |||
| Vlan: path.Join(f5.partitionPath, F5VxLANTunnelName), | |||
There was a problem hiding this comment.
Vlan is local per partition or is it global similar to traffic-group?
| @@ -727,8 +781,9 @@ func (f5 *f5LTM) ensureIRuleExists(iRuleName, iRule string) error { | |||
| iRulesUrl := fmt.Sprintf("https://%s/mgmt/tm/ltm/rule", f5.host) | |||
|
|
|||
| iRulePayload := f5IRule{ | |||
| Name: iRuleName, | |||
| Code: iRule, | |||
| Name: iRuleName, | |||
There was a problem hiding this comment.
iRuleName or f5.iControlUriResourceId(iRuleName)?
There was a problem hiding this comment.
will confirm with F5 team, but this seems to work so far because the Partition field is also part of the payload
| Monitor: "min 1 of /Common/http /Common/https", | ||
| Name: poolname, | ||
| Mode: "round-robin", | ||
| Monitor: "min 1 of /Common/http /Common/https", |
There was a problem hiding this comment.
fmt.Sprintf("min 1 of /%s/http /%s/https", f5.partionPath, f5.partionPath)?
There was a problem hiding this comment.
There was a problem hiding this comment.
Cannot be sure of http/https monitors being present in the given partition. It is safe to re-use the common monitor just as we re-use TrafficGroup. Good point though, in ideal case we would want this to exist and probably we can write code to ensure the monitors' presence.
Will add a comment about this.
There was a problem hiding this comment.
Agree with @rajatchopra, though long term it should be (as @Miciah hinted ) a configurable option, given that the default LTM traffic monitors don't work properly for the atomic registry console and the workaround right now is to manually change the traffic monitor used for the pool for the registry console (given that /Common/http and /Common/https are read-only objects in LTM)
| @@ -1187,7 +1243,7 @@ func (f5 *f5LTM) getRoutes(policyname string) (map[string]bool, error) { | |||
| } | |||
|
|
|||
| url := fmt.Sprintf("https://%s/mgmt/tm/ltm/policy/%s/rules", | |||
| f5.host, policyname) | |||
| f5.host, f5.iControlUriResourceId(policyname)) | |||
There was a problem hiding this comment.
https://github.com/openshift/origin/pull/13391/files#diff-997442d3bc5e2bf387c3840016b5c335R1261
If there are two partitions with same policy name, then f5.routes[policyname] will overwrite the former. Do we expect this case? If yes, then f5.routes[f5.iControlUriResourceId(policyname)] = routes
There was a problem hiding this comment.
Each instance of the controller pod will run with only one given partition. All internal data structures need not bother about multiple partitions.
|
@rajatchopra lemme know if you want another set of eyes to take a look. These days I tend to shy away for PRs that have more than a few lines of change!! ;^) |
|
Evaluated for origin test up to 6ee3a7e |
There was a problem hiding this comment.
Thanks for the feedback @pravisankar
I have fixed the tests. Will add the comment and hopefully we can get this in. Thanks.
| @@ -727,8 +781,9 @@ func (f5 *f5LTM) ensureIRuleExists(iRuleName, iRule string) error { | |||
| iRulesUrl := fmt.Sprintf("https://%s/mgmt/tm/ltm/rule", f5.host) | |||
|
|
|||
| iRulePayload := f5IRule{ | |||
| Name: iRuleName, | |||
| Code: iRule, | |||
| Name: iRuleName, | |||
There was a problem hiding this comment.
will confirm with F5 team, but this seems to work so far because the Partition field is also part of the payload
| Monitor: "min 1 of /Common/http /Common/https", | ||
| Name: poolname, | ||
| Mode: "round-robin", | ||
| Monitor: "min 1 of /Common/http /Common/https", |
There was a problem hiding this comment.
Cannot be sure of http/https monitors being present in the given partition. It is safe to re-use the common monitor just as we re-use TrafficGroup. Good point though, in ideal case we would want this to exist and probably we can write code to ensure the monitors' presence.
Will add a comment about this.
| @@ -1187,7 +1243,7 @@ func (f5 *f5LTM) getRoutes(policyname string) (map[string]bool, error) { | |||
| } | |||
|
|
|||
| url := fmt.Sprintf("https://%s/mgmt/tm/ltm/policy/%s/rules", | |||
| f5.host, policyname) | |||
| f5.host, f5.iControlUriResourceId(policyname)) | |||
There was a problem hiding this comment.
Each instance of the controller pod will run with only one given partition. All internal data structures need not bother about multiple partitions.
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/539/) (Base Commit: 3b82ca6) |
|
@knobunc I think this is ready for merge |
@ramr Thanks. I am saving this offer for a real rainy day :) |
|
[merge] |
|
flake #13606 |
|
Evaluated for origin merge up to 6ee3a7e |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/247/) (Base Commit: b39b0ed) (Image: devenv-rhel7_6117) |
F5 router partition path changes:
o Use fully qualified names so that there is no defaulting to /Common
and need to have all the referenced objects in the same partition,
otherwise F5 has reference errors across partitions.
o Fix policy partition path + rework and ensure we check the vserver
which is inside the partition we are configured in.
o Comment re: delete errors.
o Bug fixes.
o F5 unit test changes for supporting partition paths.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1245243