Merge ovs-db and ovs-vswitchd in one Daemonset

There is no usecase in which ovs-db and ovs-vswitchd run on different nodes. In terms of version upgrade, ovs-db and ovs-vswitchd should be upgraded together in every node. This commit deploys ovs-db and ovs-vswitchd in one daemonset. Change-Id: I791b9f7abfd3ca838dc2adfaa6c606bb1c88d19d
openstack · Jan 4, 2023 · 73e2b33 · 73e2b33
1 parent aa3efe9
commit 73e2b33
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 162 deletions.
diff --git a/openvswitch/Chart.yaml b/openvswitch/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm OpenVSwitch
 name: openvswitch
-version: 0.1.9
+version: 0.1.10
 home: http://openvswitch.org
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
 sources:

diff --git a/openvswitch/templates/daemonset-ovs-db.yaml b/openvswitch/templates/daemonset-ovs-db.yaml
diff --git a/...tch/templates/daemonset-ovs-vswitchd.yaml → openvswitch/templates/daemonset.yaml b/...tch/templates/daemonset-ovs-vswitchd.yaml → openvswitch/templates/daemonset.yaml
@@ -12,11 +12,26 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- define "ovsdblivenessProbeTemplate" }}
+exec:
+  command:
+    - /usr/bin/ovs-vsctl
+    - show
+{{- end }}
+
+{{- define "ovsdbreadinessProbeTemplate" }}
+exec:
+  command:
+    - /usr/bin/ovs-vsctl
+    - list
+    - Open_Vswitch
+{{- end }}
+
 {{- define "ovsvswitchlivenessProbeTemplate" }}
 exec:
   command:
-{{- if .Values.pod.probes.ovs_vswitch.ovs_vswitch.liveness.exec }}
-{{ .Values.pod.probes.ovs_vswitch.ovs_vswitch.liveness.exec | toYaml | indent 4 }}
+{{- if .Values.pod.probes.ovs.ovs_vswitch.liveness.exec }}
+{{ .Values.pod.probes.ovs.ovs_vswitch.liveness.exec | toYaml | indent 4 }}
 {{- else }}
     - /usr/bin/ovs-appctl
     - bond/list
@@ -26,8 +41,8 @@ exec:
 {{- define "ovsvswitchreadinessProbeTemplate" }}
 exec:
   command:
-{{- if .Values.pod.probes.ovs_vswitch.ovs_vswitch.readiness.exec }}
-{{ .Values.pod.probes.ovs_vswitch.ovs_vswitch.readiness.exec | toYaml | indent 4 }}
+{{- if .Values.pod.probes.ovs.ovs_vswitch.readiness.exec }}
+{{ .Values.pod.probes.ovs.ovs_vswitch.readiness.exec | toYaml | indent 4 }}
 {{- else if not .Values.conf.ovs_dpdk.enabled }}
     - /bin/bash
     - -c
@@ -39,37 +54,33 @@ exec:
 {{- end }}
 {{- end }}
 
-{{- if .Values.manifests.daemonset_ovs_vswitchd }}
+{{- if .Values.manifests.daemonset }}
 {{- $envAll := . }}
-
-{{- $serviceAccountName := "openvswitch-vswitchd" }}
-{{ tuple $envAll "vswitchd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: openvswitch-vswitchd
+  name: openvswitch
   annotations:
     {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
   labels:
-{{ tuple $envAll "openvswitch" "openvswitch-vswitchd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
   selector:
     matchLabels:
-{{ tuple $envAll "openvswitch" "openvswitch-vswitchd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
-{{ tuple $envAll "ovs_vswitchd" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "ovs" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
   template:
     metadata:
       labels:
-{{ tuple $envAll "openvswitch" "openvswitch-vswitchd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "openvswitch-vswitchd" "containerNames" (list "openvswitch-vswitchd" "openvswitch-vswitchd-modules" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "openvswitch" "containerNames" (list "openvswitch-db" "openvswitch-db-perms" "openvswitch-vswitchd" "openvswitch-vswitchd-modules" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       shareProcessNamespace: true
-      serviceAccountName: {{ $serviceAccountName }}
-{{ dict "envAll" $envAll "application" "openvswitch_vswitchd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "ovs" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       nodeSelector:
         {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
 {{ if $envAll.Values.pod.tolerations.openvswitch.enabled }}
@@ -78,10 +89,24 @@ spec:
       dnsPolicy: {{ .Values.pod.dns_policy }}
       hostNetwork: true
       initContainers:
-{{ tuple $envAll "vswitchd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll "ovs" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: openvswitch-db-perms
+{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - chown
+            - -R
+            - {{ $envAll.Values.pod.security_context.ovs.container.server.runAsUser | quote }}
+            - /run/openvswitch
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: run-openvswitch
+              mountPath: /run/openvswitch
         - name: openvswitch-vswitchd-modules
 {{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ dict "envAll" $envAll "application" "openvswitch_vswitchd" "container" "modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/openvswitch-vswitchd-init-modules.sh
           volumeMounts:
@@ -96,11 +121,35 @@ spec:
               mountPropagation: HostToContainer
               readOnly: true
       containers:
+        - name: openvswitch-db
+{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_db" "type" "liveness" "probeTemplate" (include "ovsdblivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_db" "type" "readiness" "probeTemplate" (include "ovsdbreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/openvswitch-db-server.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/openvswitch-db-server.sh
+                  - stop
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: openvswitch-bin
+              mountPath: /tmp/openvswitch-db-server.sh
+              subPath: openvswitch-db-server.sh
+              readOnly: true
+            - name: run
+              mountPath: /run
         - name: openvswitch-vswitchd
 {{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Run the container in priviledged mode due to the need for root
 permissions when using the uio_pci_generic driver. */}}
-{{- $_ := set $envAll.Values.pod.security_context.openvswitch_vswitchd.container.vswitchd "privileged" true -}}
+{{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
 {{/* Limiting CPU cores would severely affect packet throughput
 It should be handled through lcore and pmd core masks. */}}
 {{- if .Values.pod.resources.enabled }}
@@ -109,12 +158,12 @@ It should be handled through lcore and pmd core masks. */}}
 {{- end }}
 {{- end }}
 {{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ dict "envAll" $envAll "application" "openvswitch_vswitchd" "container" "vswitchd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "vswitchd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ovs.vswitchd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           # ensures this container can speak to the ovs database
           # successfully before its marked as ready
-{{ dict "envAll" $envAll "component" "ovs_vswitch" "container" "ovs_vswitch" "type" "liveness" "probeTemplate" (include "ovsvswitchlivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
-{{ dict "envAll" $envAll "component" "ovs_vswitch" "container" "ovs_vswitch" "type" "readiness" "probeTemplate" (include "ovsvswitchreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_vswitch" "type" "liveness" "probeTemplate" (include "ovsvswitchlivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_vswitch" "type" "readiness" "probeTemplate" (include "ovsvswitchreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
           command:
             - /tmp/openvswitch-vswitchd.sh
             - start
@@ -167,6 +216,10 @@ It should be handled through lcore and pmd core masks. */}}
           hostPath:
             path: /run
             type: Directory
+        - name: run-openvswitch
+          hostPath:
+            path: /run/openvswitch
+            type: DirectoryOrCreate
         - name: host-rootfs
           hostPath:
             path: /
@@ -204,4 +257,4 @@ It should be handled through lcore and pmd core masks. */}}
           hostPath:
             path: /sys/fs/cgroup
 {{- end }}
-{{- end }}
+{{- end }}
diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
@@ -45,7 +45,7 @@ pod:
         operator: Exists
         effect: NoSchedule
   probes:
-    ovs_db:
+    ovs:
       ovs_db:
         liveness:
           enabled: true
@@ -59,7 +59,6 @@ pod:
             initialDelaySeconds: 90
             periodSeconds: 30
             timeoutSeconds: 5
-    ovs_vswitch:
       ovs_vswitch:
         liveness:
           enabled: true
@@ -74,7 +73,7 @@ pod:
             periodSeconds: 10
             timeoutSeconds: 1
   security_context:
-    openvswitch_db_server:
+    ovs:
       pod:
         runAsUser: 42424
       container:
@@ -86,10 +85,6 @@ pod:
           runAsUser: 42424
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
-    openvswitch_vswitchd:
-      pod:
-        runAsUser: 0
-      container:
         modules:
           runAsUser: 0
           capabilities:
@@ -108,11 +103,7 @@ pod:
     upgrades:
       daemonsets:
         pod_replacement_strategy: RollingUpdate
-        ovs_db:
-          enabled: true
-          min_ready_seconds: 0
-          max_unavailable: 1
-        ovs_vswitchd:
+        ovs:
           enabled: true
           min_ready_seconds: 0
           max_unavailable: 1
@@ -199,21 +190,15 @@ dependencies:
           - endpoint: node
             service: local_image_registry
   static:
-    db: null
-    vswitchd:
-      pod:
-        - requireSameNode: true
-          labels:
-            application: openvswitch
-            component: openvswitch-vswitchd-db
+    ovs: null
     image_repo_sync:
       services:
         - endpoint: internal
           service: local_image_registry
 
 manifests:
   configmap_bin: true
-  daemonset_ovs_db: true
+  daemonset: true
   daemonset_ovs_vswitchd: true
   job_image_repo_sync: true
   network_policy: false

diff --git a/releasenotes/notes/openvswitch.yaml b/releasenotes/notes/openvswitch.yaml
@@ -10,4 +10,5 @@ openvswitch:
   - 0.1.7 Enable taint toleration for Openstack services jobs
   - 0.1.8 Added OCI registry authentication
   - 0.1.9 Enable ovs hardware offload
+  - 0.1.10 Merge ovs-db and ovs-vswitchd in one Daemonset
 ...