f5 vxlan integration with sdn

[rajatchopra]

This PR implements the VxLAN integration of F5 with a vxlan based overlay. Three pieces of work primarily:

1. Router plugin now watches for Nodes in the cluster (to program the F5's vxlan FDB; in the case of template router its a noop)
2. F5 router programs the VxLAN devices/routing on the F5 BIG IP on initialization
3. Command line changes to accept the special parameters needed (including a boolean that disables the setup)

[rajatchopra]

[test]

[knobunc]

[test]

[chen23]

FYI in the policy section of the code the use of the Legacy flag will only work in TMOS version 12.1 or newer. Ideally have a version check to only add the flag if TMOS >= 12.1

policyPayload := f5Policy{
        Name:     policyName,
        Controls: []string{"forwarding"},
        Requires: []string{"http"},
        Strategy: "best-match",
        Legacy:   true,
}

Python example of version check here: https://github.com/f5devcentral/f5-icontrol-codeshare-python/blob/master/kubernetes-example/k8s2f5.py#L328

[chen23]

The auth code looks to only support basicauth. This will limit authentication to local accounts and not any remote (radius/tacacs), etc... https://github.com/rajatchopra/origin/blob/3ad39a5c60f344d8fa6cb673f021effe9e139c4b/pkg/router/f5/f5.go#L413

    req.Header.Set("Content-Type", "application/json")
    req.Header.Set("Accept", "application/json")
    req.SetBasicAuth(f5.username, f5.password)

client := &http.Client{Transport: tr}

Python example: https://github.com/F5Networks/f5-icontrol-rest-python/blob/5c43b0f6424a5f495c50fd2a318e172d5c3d7e37/icontrol/authtoken.py
DevCentral article: https://devcentral.f5.com/articles/demystifying-icontrol-rest-part-6-token-based-authentication

[chen23]

Doing a quick scan of the code I'm not seeing an explicit save of the running config after it is generated. F5Networks/f5-common-python#342

iControl REST sits in front of tmsh

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-essentials-11-6-0/2.html

"When you use the Traffic Management Shell (tmsh) to configure the system, you must explicitly issue a save command to store the configuration data that you have generated. Otherwise, the newly-generated configuration data is not actually stored on the system. For more information about tmsh, see the Traffic Management Shell (tmsh) Reference Guide."

[kmunson1973]

You can save the running config by issuing a POST /mgmt/tm/sys/config with the following json payload.
{
"command":"save"
}

[knobunc]

This implies that the vtep has other restrictions. Perhaps:
'vtep IP '%s' is not a valid IP address'

[knobunc]

The code structure LGTM... I have no idea if what it is doing with the F5 is right though :-)

Are there any tests we can add? Perhaps at least to exercise the vtep MAC generation function?

[knobunc]

Should this have vtep in it? Or is the package scope enough to indicate that.

[rajatchopra]

Its just a util function. The package scope is enough I guess.

[marun]

Consider changing this function name to be more descriptive (e.g. convertIpToVtepMac).

[marun]

Also, consider adding a unit test.

[knobunc]

Repo problems re-[test]

[knobunc]

@smarterclayton PTAL. The tests are still being worked on, but can you please look over the code to see if it is good?

[marun]

I don't see much in the way of test changes that would target the new functionality. Is that an oversight or is qa intended to validate this feature post-merge?

[marun]

openshif -> openshift

[marun]

Does it makes sense to apply the same filtering to nodes as is being applied to routes?

[ramr]

Dunno - would it work if you only have a subset of nodes added to the F5 config and the endpoints for a service are on nodes that are not part of the set?

[rajatchopra]

I see no harm in keeping the fields/filtering. Possible use case with FDB being populated for only a portion of the cluster (say a datacenter).

[marun]

I have no issue with supporting filtering on the nodes. I was asking whether it made sense for the same filtering parameters to be applied to both nodes and routes. The current approach of reusing the same fields and labels to filter both would preclude filtering one but not the other.

[smarterclayton]

It does not make sense to just apply field labeling to nodes - we should never apply the same field selector to two types.

[smarterclayton]

We should not be watching nodes unless the underlying router is using it. This loop should be optional and the factory must explicitly choose to use it.

[marun]

routes -> nodes

[marun]

Consider defining 409 as a constant whose name is self-documenting (e.g. STATUS_ALREADY_EXISTS) and avoid having to comment as to why 409 is special.

[marun]

ditto re: named constant

[marun]

Consider changing this function name to be more descriptive (e.g. convertIpToVtepMac).

[marun]

Should this call be returning the error that is potentially returned by AddVtep()?

[marun]

Should this call be returning the error that is potentially returned by RemoveVtep?

[marun]

What's the implication of not supporting node address changes? Is it just going to be documented? Should there be logging to diagnose issues if/when address changes occur?

[ramr]

I had the same question re: changes and asked Rajat on this. He said on the openshift-sdn side we don't support IP address changes for a node.

[marun]

Also, consider adding a unit test.

[ramr]

a question on the SetupOSDNVxLAN parameter if we can define it implicitly based on the internal ip and cidr, some comments re: constants and todos.
And a note on HandleNode for the host_admitter code in PR #11201

[ramr]

so this needs to be set with a command line arg option? It maybe better to implicitly set it if f5-internal-address and f5-vxlan-gateway-cidr is set - basically one without the other(s) doesn't make sense does it?

[ramr]

See above comment re: o.SetupOSDNVxLAN.

[ramr]

Is this needed? The one from the goroutine ahead should be called soon anyway.

[ramr]

Yeah, if its same as kc - we should cleanup to just use 1 ?Client. Maybe cleanup in follow on work. I know changing it would touch a lot more code in this PR.

[ramr]

A comment/todo here or in the type definition would be useful.

[ramr]

FYI, depending on which PR merges first - #11201 - will need to add HandleNode to the host_admitter plugin.

[ramr]

I had the same question re: changes and asked Rajat on this. He said on the openshift-sdn side we don't support IP address changes for a node.

[ramr]

I was curious on this one - thanks for explaining it. So if we ever decide to lock down to a specific version of the F5 api, then we would have to remove this - maybe adding a comment here would be helpful. Thx

[smarterclayton]

Godoc

[ramr]

Felt a little weird that this one is called TmPartition but every other F5 api call payload uses Partition. Thanks for explaining that one.

[smarterclayton]

Update the godoc explaining what TmPartition means or be more explicit

[ramr]

constant for vxlan-ose.

[ramr]

Dunno - would it work if you only have a subset of nodes added to the F5 config and the endpoints for a service are on nodes that are not part of the set?

[ramr]

LGTM

[marun]

networking job flaked with #11452 re-[test]

[smarterclayton]

Why is this always on if it's only used in F5?

[smarterclayton]

NamespaceClient, abbreviations were a special case but shouldn't be propogared.

[smarterclayton]

This is a pretty big security expansion - @deads2k

[deads2k]

@smarterclayton didn't you want this role bindable by project-admins? This will prevent that from being possible.

As for our system router, it doesn't worry overly much, but for per-project routers, this makes it impossible to create those.

[eparis]

Its also required. If we expect the F5 to participate in the SDN it needs to know about the nodes its talking. We don't have OpenShift-sdn doing that. If this is a big problem it would mean splitting the f5 into its own role, I guess?

[deads2k]

Its also required. If we expect the F5 to participate in the SDN it needs to know about the nodes its talking. We don't have OpenShift-sdn doing that. If this is a big problem it would mean splitting the f5 into its own role, I guess?

Or adding it as the delta required.

[smarterclayton]

Removing from merge queue until my comments are addressed.

[rajatchopra]

@smarterclayton I have addressed all your feedback. Primarily two:

1. Node watch loop does not run unless its F5 && a vxlan setup is needed
2. All fields/labels are put in for node watch (we have no use case yet where only a portion of the sdn needs to be addressed by F5)

Marking it [merge]. Please feel free to revert the commit if anything is loose.

TODO:
Document on how to use the native VxLAN feature

[eparis]

[merge] you stoopid flake. Merge!

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10513/) (Image: devenv-rhel7_5234)

[eparis]

I'm an idiot, it wasn't a flake!

test/integration/router_stress_test.go:285: not enough arguments in call to factory.Create

[openshift-bot]

Evaluated for origin merge up to 96354f7

[openshift-bot]

Evaluated for origin test up to 96354f7

[eparis]

back in at #5. wait and see!

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10513/) (Base Commit: 35b539d)

[smarterclayton]

As David noted this causes a security vulnerability because it's escalating the privileges granted to system:router. I'm going to push a change that removes the node permission granted here and to fix the issue you can open another one (instead of reverting here).

[smarterclayton]

Opened a PR that removes the permission, we can iterate on the next solution at a lower pace.

[smarterclayton]

It's not a flake. The tests don't compile.

[smarterclayton]

We could also create system:local-router or system:personal-router.

On Mon, Oct 24, 2016 at 9:14 AM, David Eads [email protected]
wrote:

@deads2k commented on this pull request.

In test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
#11181:

@@ -1776,6 +1776,14 @@ items:
- ""
attributeRestrictions: null
resources:

• • nodes

Its also required. If we expect the F5 to participate in the SDN it needs
to know about the nodes its talking. We don't have OpenShift-sdn doing
that. If this is a big problem it would mean splitting the f5 into its own
role, I guess?

Or adding it as the delta required.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#11181, or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_p5OJReoyNdhUMz449EXSxXww4BvEks5q3K84gaJpZM4KLn0M
.

[eparis]

You mean why I said I'm an idiot, it wasn't a flake!

[smarterclayton]

Integration tests aren't compiling

On Oct 23, 2016, at 4:45 PM, OpenShift Bot [email protected] wrote:

continuous-integration/openshift-jenkins/merge FAILURE (
https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10508/) (Base
Commit: 35b539d
35b539d
)

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#11181 (comment),
or mute
the thread
https://github.com/notifications/unsubscribe-auth/ABG_p2r1fYHWcAjiUQ-TekgW_5ppbsHqks5q28dfgaJpZM4KLn0M
.

[smarterclayton]

The least disruptive thing is to create a new role with the additional
permission and require admins to set it up. We can't retroactively add it
to old clusters (reconcile) if anyone has used it, and it's a very big and
surprising role.

So create system:router-.... (david i need a name suggestion) that contains
the node role.

On Mon, Oct 24, 2016 at 10:11 AM, Clayton Coleman [email protected]
wrote:

We could also create system:local-router or system:personal-router.

On Mon, Oct 24, 2016 at 9:14 AM, David Eads [email protected]
wrote:

@deads2k commented on this pull request.

In test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
#11181:

@@ -1776,6 +1776,14 @@ items:
- ""
attributeRestrictions: null
resources:

• • nodes

Its also required. If we expect the F5 to participate in the SDN it needs
to know about the nodes its talking. We don't have OpenShift-sdn doing
that. If this is a big problem it would mean splitting the f5 into its own
role, I guess?

Or adding it as the delta required.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#11181, or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_p5OJReoyNdhUMz449EXSxXww4BvEks5q3K84gaJpZM4KLn0M
.

[smarterclayton]

GitHub is delivering emails I sent on Friday. Thanks github.

[deads2k]

system:rouer-privileged, system:rouer-extensions?