dind: add support for ovn-kubernetes network plugin #15756
Conversation
openshift-merge-robot
added
the
size/L
dcbw
force-pushed
the
dind-ovn
branch
2 times, most recently
from
99dccf3 to
2b87ad4
Compare
dcbw
force-pushed
the
dind-ovn
branch
2 times, most recently
from
08b0549 to
d19ce7f
Compare
|
@rajatchopra updated; we actually get pod IPs now even |
|
@stevekuznetsov @danwinship review from you guys would be useful too, thanks! |
dcbw
changed the title
hack/dind-cluster.sh
Outdated
| @@ -607,6 +642,17 @@ case "${1:-""}" in | |||
| esac | |||
| done | |||
|
|
|||
| # OVN requires CNI network plugin and OVN_ROOT to be set | |||
| if [[ -n "${USE_OVN}" ]]; then | |||
There was a problem hiding this comment.
With set -o nounset these will fail, use "${USE_OVN:-}" etc for them
hack/dind-cluster.sh
Outdated
| @@ -94,6 +95,15 @@ function start() { | |||
| echo "OPENSHIFT_ADDITIONAL_ARGS='${additional_args}'" > "${config_root}/additional-args" | |||
| copy-runtime "${origin_root}" "${config_root}/" | |||
|
|
|||
| ovn_kubernetes= | |||
| if [ -d "${ovn_root}" ]; then | |||
hack/dind-cluster.sh
Outdated
| exit 1 | ||
| fi | ||
| elif [[ -n "${OVN_ROOT}" ]]; then | ||
| OVN_ROOT= |
There was a problem hiding this comment.
Do you want this empty or unset?
| function is-api-running() { | ||
| local config=$1 | ||
|
|
||
| /usr/local/bin/oc --config="${kube_config}" get nodes &> /dev/null |
There was a problem hiding this comment.
/usr/local/bin/oc --config="${kube_config}" get --raw /healthz/ready?
| /usr/local/bin/oadm --config="${kube_config}" policy add-scc-to-user anyuid -z ovn | ||
| fi | ||
|
|
||
| ovnsecret=$(/usr/local/bin/oc --config="${kube_config}" get secrets | grep ovn | tail -1 | awk '{ print $1 }') |
There was a problem hiding this comment.
oc sa get-token instead of these two lines
| local config_dir=$1 | ||
| local kube_config="${config_dir}/admin.kubeconfig" | ||
|
|
||
| ovnsecret=$(/usr/local/bin/oc --config="${kube_config}" get secrets | grep ovn | tail -1 | awk '{ print $1 }') |
| token=$(/usr/local/bin/oc --config="${kube_config}" describe secret $ovnsecret | grep "token:" | awk '{ print $2 }') | ||
|
|
||
| local master_config="${config_dir}/master-config.yaml" | ||
| cluster_cidr=$(grep clusterNetworkCIDR ${master_config} | cut -f 4 -d' ') |
There was a problem hiding this comment.
do you have python? might be better to use yaml.load() here -- no guarantee that the value is on the same line
There was a problem hiding this comment.
done, does that look any better?
OVN.md
Outdated
| @@ -0,0 +1,16 @@ | |||
| ovn-kubernetes DIND | |||
| ==================== | |||
There was a problem hiding this comment.
if this is intended to stick around it should probably go in docs/
hack/dind-cluster.sh
Outdated
| @@ -765,6 +811,7 @@ start accepts the following options: | |||
| -i build container images before starting the cluster | |||
| -r remove an existing cluster | |||
| -s skip waiting for nodes to become ready | |||
| -o enable the OVN network plugin; implies "-n cni" and valid OVN_ROOT | |||
There was a problem hiding this comment.
Can you just make this be -n ovn? And while you're there, make -n subnet/multitenant/networkpolicy work too? There's no reason we have to make the user write out the full name of the plugin since we restrict it to a limited set of supported plugins anyway.
There was a problem hiding this comment.
done, new commit for the plugin arg renames too
| --ovn-south-db "tcp://${ovn_master_ip}:6642" \ | ||
| --init-master `hostname` \ | ||
| --net-controller | ||
| # --ovn-north-db "ssl://${ovn_nb_ip}:6641" \ |
There was a problem hiding this comment.
what's all the commented-out stuff?
images/dind/node/Dockerfile
Outdated
| @@ -25,8 +25,12 @@ RUN dnf -y update && dnf -y install\ | |||
|
|
|||
| # Upgrade to a newer OVS. (This can go away when the base image is upgraded to F26.) | |||
| RUN dnf -y install dnf-plugins-core &&\ | |||
| dnf -y copr enable danw/origin-dind-ovs &&\ | |||
| dnf -y update openvswitch | |||
| dnf -y copr enable leifmadsen/ovs-master &&\ | |||
There was a problem hiding this comment.
Even though this is developer-only I feel like it would be better to use a COPR we maintain. I can update the packages in my COPR...
There was a problem hiding this comment.
@danwinship if you could update the packages, that would be awesome.
There was a problem hiding this comment.
OK, try danw/origin-dind-ovs-master.
images/dind/node/Dockerfile
Outdated
| @@ -25,8 +25,12 @@ RUN dnf -y update && dnf -y install\ | |||
|
|
|||
| # Upgrade to a newer OVS. (This can go away when the base image is upgraded to F26.) | |||
There was a problem hiding this comment.
"F26" there probably has to be "F27" now?
Actually, the original idea was that the previous RUN installs everything (including an out-of-date version of openvswitch), and then this RUN is just to handle the fact that Fedora's OVS is too old. But the patch below changes things so this RUN would still be necessary even if Fedora had the latest OVN (because we're not even installing OVN in the previous RUN). So either the installs should be rearranged to keep the old behavior, or else the comment should be rewritten to not imply that this section will eventually go away.
Needs a '-o' or OVN will not run. |
dcbw
force-pushed
the
dind-ovn
branch
2 times, most recently
from
8111eba to
fa767e5
Compare
|
@stevekuznetsov @danwinship I believe I've addressed all your comments, PTAL thanks! |
| fi | ||
|
|
||
| token=$(/usr/local/bin/oc --config="${kube_config}" sa get-token ovn) | ||
| echo "${token}" > ${config_dir}/ovn.token |
There was a problem hiding this comment.
Could collapse this
/usr/local/bin/oc --config="${kube_config}" sa get-token ovn > ${config_dir}/ovn.token| # OVN requires CNI network plugin and OVN_ROOT to be set | ||
| if [[ "${NETWORK_PLUGIN}" = "ovn" ]]; then | ||
| NETWORK_PLUGIN="cni" | ||
| if [[ -z "${OVN_ROOT}" ]]; then |
There was a problem hiding this comment.
If it can be unset use :- defaulting
There was a problem hiding this comment.
@stevekuznetsov I defaulted it above:
ADDITIONAL_ARGS=""
OVN_ROOT="${OVN_ROOT:-}"
case "${1:-""}" in
start)
BUILD=
is that sufficent?
There was a problem hiding this comment.
Yes, sorry -- didn't catch that
hack/dind-cluster.sh
Outdated
| copy-ovn-runtime "${ovn_root}" "${config_root}/" | ||
| ovn_kubernetes=1 | ||
| else | ||
| ovn_kubernetes= |
There was a problem hiding this comment.
redundant, you already set it before the if
hack/dind-cluster.sh
Outdated
| @@ -576,7 +609,7 @@ case "${1:-""}" in | |||
| NETWORK_PLUGIN= | |||
| REMOVE_EXISTING_CLUSTER= | |||
| OPTIND=2 | |||
| while getopts ":bin:rsN:" opt; do | |||
| while getopts ":boin:rsN:" opt; do | |||
hack/dind-cluster.sh
Outdated
| @@ -765,6 +810,7 @@ start accepts the following options: | |||
| -i build container images before starting the cluster | |||
| -r remove an existing cluster | |||
| -s skip waiting for nodes to become ready | |||
| -o enable the OVN network plugin; implies "-n cni" and valid OVN_ROOT | |||
See OVN.md for more details.
-n now takes one of [ subnet | multitenant | networkpolicy | ovn | cni ]
|
@danwinship @stevekuznetsov one more PTAL, thanks! |
|
/test end_to_end |
|
@liggitt could we get an approve on this one? thanks! |
|
@stevekuznetsov can you /approve? |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dcbw, rajatchopra, stevekuznetsov The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
openshift-merge-robot
added
the
approved
|
Automatic merge from submit-queue (batch tested with PRs 14825, 15756, 16178, 16188, 16189) |
@rajatchopra here's the Origin part...
Operation:
hack/dind-cluster.sh build-imagesOVN_ROOT=/path/to/ovn-kubernetes hack/dind-cluster.sh start -o