Fix endpoint selection for externalTrafficPolicy=local

[ricky-rav]

In #4072 the following edge case was not handled correctly in ovnkube-controller code.

Fix the case for all endpoints terminating on a node when traffic policy is local:

"When the traffic policy is "Local" and all endpoints are terminating within a single node, then traffic should be routed to any terminating endpoint that is ready on that node."

https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/1669-proxy-terminating-endpoints/README.md#example-all-endpoints-terminating-on-a-node-when-traffic-policy-is-local

The endpoint selection logic in the services controller is now entirely implemented in getEndpointsForService, which computes for a given service and each service port all its cluster-wide endpoints and per-node local endpoints. We first apply a cluster-wide vs local endpoint selection and only then we apply readiness-based filtering with getEligibleEndpointAddresses.

Added unit tests for the new logic.

[coveralls]

coverage: 52.411% (+0.07%) from 52.346%
when pulling cba7633 on ricky-rav:kep-1669-bis_upstream
into ebdc80f on ovn-org:master.

[ricky-rav]

I'll have to add a unit test for this particular case to Test_buildPerNodeLBs. I'll do that tomorrow morning.
Done!

[ricky-rav]

I've added some unit tests to go-controller/pkg/ovn/controller/services/lb_config_test.go that would have caught the issue I'm fixing here (ETP=local and terminating endpoints). @tssurya since you've done the work on ETP=local, would you be able to review those tests? Thanks!

[ricky-rav]

/retest

[ovn-robot]

Oops, something went wrong:

Must have admin rights to Repository.

[ricky-rav]

I've pushed a new getEndpointsForService as suggested in slack by Jaime. It reduces by more than half the 200 lines of code of my original implementation. Thanks, Jaime!
To reduce memory consumption, the per-node endpoints map is limited to the nodes in the local OVN zone.

[jcaamano]

I was a bit afraid of taking this route. Can it wait?

Yup

[jcaamano]

Good idea! I made getNodeSwitchTargetIPs handle v4 and v6 at the same time. Does it look ok?
Also, do you prefer a free method because we're not really modifying c *lbConfig?

I preferred the free method because it didn't make sense to pass as arguments data that is already available through lbConfig. I thought about keeping the receiver and removing the extra arguments but something that I don't remember know didn't make sense as well. So I suggested the free method.

[jcaamano]

@jcaamano as discussed, I implemented the new logic in one function, getEndpointsForService, that gets called once for a service and whose output is then parsed by the rest of the services controller to retrieve cluster-wide and per-node endpoint addresses. PTAL :)

Looks good, added some comments to polish. CI looks bad though, hopefuly something else.

[ricky-rav]

CI looks bad though, hopefuly something else.

I broke something... let me try to fix it :)

[jcaamano]

Everything looks good @ricky-rav.

The smal nit, up to you to act on it, and just that failing lane.

Also, woudl you be interested in running this dowsntream to check on the disruption results before merging here?

[jcaamano]

nit: this is a superfluous check, no problem on iterating on an empty map

[ricky-rav]

right, I'll move the check to the log line further below... no need to print the local endpoints if we don't need them in the first place.

[ricky-rav]

Also, would you be interested in running this dowsntream to check on the disruption results before merging here?

Yes! Let's see how it goes here: openshift/ovn-kubernetes#2109

[jcaamano]

nit: double spacing in this log and the one above

[ricky-rav]

Our downstream CI fails on the e2e-metal-ipi-ovn-ipv6 job on tests related to services and endpoints:

• [sig-network] Networking Granular Checks: Services should function for endpoint-Service: http [Suite:openshift/conformance/parallel] [Suite:k8s]
• [sig-network] Networking Granular Checks: Services should function for endpoint-Service: udp [Suite:openshift/conformance/parallel] [Suite:k8s]
• [sig-network] Services should be able to connect to terminating and unready endpoints if PublishNotReadyAddresses is true [Suite:openshift/conformance/parallel] [Suite:k8s]
• [sig-network] Networking Granular Checks: Services should function for multiple endpoint-Services with same selector [Suite:openshift/conformance/parallel] [Suite:k8s]
• [sig-network] Services should be able to update service type to NodePort listening on same port number but different protocols [Suite:openshift/conformance/parallel] [Suite:k8s]
• [sig-network] Services should fallback to terminating endpoints when there are no ready endpoints with externallTrafficPolicy=Cluster [Suite:openshift/conformance/parallel] [Suite:k8s]

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_ovn-kubernetes/2109/pull-ci-openshift-ovn-kubernetes-master-e2e-metal-ipi-ovn-ipv6/1777348680731332608

These tests are either not run in our upstream CI for IPv6 jobs or never run at all :(

I'm trying to reproduce these failures on KIND and figure out how the tests get skipped...

[ricky-rav]

Downstream CI is back, but e2e-metal-ipi-ovn-ipv6 is still failing:
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_ovn-kubernetes/2109/pull-ci-openshift-ovn-kubernetes-master-e2e-metal-ipi-ovn-ipv6/1778683430230298624

I found a bug in makeNodeSwitchTargetIPs: openshift/ovn-kubernetes@a57c6b6
Trying out the fix now and added unit tests for it.
openshift/ovn-kubernetes#2109

[ricky-rav]

With the second fix, e2e-metal-ipi-ovn-ipv6 is finally green.
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_ovn-kubernetes/2109/pull-ci-openshift-ovn-kubernetes-master-e2e-metal-ipi-ovn-ipv6/1779160887962112000

I'll add the code here.

[ricky-rav]

Failure in CI is on [FAIL] Services of type NodePort [It] should listen on each host addresses, which is a known issue #4275