diff --git a/ovn/templates/bin/_ovn-controller-init.sh.tpl b/ovn/templates/bin/_ovn-controller-init.sh.tpl index 585e2fcae..357c069da 100644 --- a/ovn/templates/bin/_ovn-controller-init.sh.tpl +++ b/ovn/templates/bin/_ovn-controller-init.sh.tpl @@ -14,6 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +ANNOTATION_KEY="openstack-helm-infra/ovn-system-id" + function get_ip_address_from_interface { local interface=$1 local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' 'NR==1 {print $1}') @@ -75,6 +77,19 @@ function migrate_ip_from_nic { set -e } +function get_current_system_id { + ovs-vsctl --if-exists get Open_vSwitch . external_ids:system-id | tr -d '"' +} + +function get_stored_system_id { + kubectl get node "$NODE_NAME" -o "jsonpath={.metadata.annotations.openstack-helm-infra/ovn-system-id}" +} + +function store_system_id() { + local system_id=$1 + kubectl annotate node "$NODE_NAME" "$ANNOTATION_KEY=$system_id" +} + # Detect tunnel interface tunnel_interface="{{- .Values.network.interface.tunnel -}}" if [ -z "${tunnel_interface}" ] ; then 
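Review bot: `get_stored_system_id` hard-codes the annotation key inside its jsonpath while `store_system_id` writes through `ANNOTATION_KEY`, so the read and write paths can silently drift if the key is ever renamed; use the variable in both, `kubectl get node "$NODE_NAME" -o "jsonpath={.metadata.annotations.${ANNOTATION_KEY}}"`. Both helpers also rely on `NODE_NAME` being exported, and with it unset `kubectl get node ""` fails with an unhelpful error under `set -e`; a guard next to the `ANNOTATION_KEY` definition, `: "${NODE_NAME:?NODE_NAME must be set (spec.nodeName via downward API)}"`, states the precondition explicitly. Minor: `store_system_id()` mixes the `function` keyword with `()` where its two siblings use `function name {`.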
@@ -89,13 +104,25 @@ if [ -z "${tunnel_interface}" ] ; then fi ovs-vsctl set open . external_ids:ovn-encap-ip="$(get_ip_address_from_interface ${tunnel_interface})" -# Configure system ID -set +e -ovs-vsctl get open . external-ids:system-id -if [ $? -eq 1 ]; then - ovs-vsctl set open . external-ids:system-id="$(uuidgen)" +# Get the stored system-id from the Kubernetes node annotation +stored_system_id=$(get_stored_system_id) + +# Get the current system-id set in OVS +current_system_id=$(get_current_system_id) + +if [ -n "$stored_system_id" ] && [ "$stored_system_id" != "$current_system_id" ]; then + # If the annotation exists and does not match the current system-id, set the system-id to the stored one + ovs-vsctl set Open_vSwitch . external_ids:system-id="$stored_system_id" +elif [ -z "$current_system_id" ]; then + # If no current system-id is set, generate a new one + current_system_id=$(uuidgen) + ovs-vsctl set Open_vSwitch . external_ids:system-id="$current_system_id" + # Store the new system-id in the Kubernetes node annotation + store_system_id "$current_system_id" +elif [ -z "$stored_system_id" ]; then + # If there is no stored system-id, store the current one + store_system_id "$current_system_id" fi -set -e # Configure OVN remote {{- if empty .Values.conf.ovn_remote -}} @@ -125,6 +152,10 @@ else ovs-vsctl set open . external-ids:ovn-cms-options={{ .Values.conf.ovn_cms_options }} fi +{{ if .Values.conf.ovn_bridge_datapath_type -}} +ovs-vsctl set open . external-ids:ovn-bridge-datapath-type="{{ .Values.conf.ovn_bridge_datapath_type }}" +{{- end }} + # Configure hostname {{- if .Values.pod.use_fqdn.compute }} ovs-vsctl set open . external-ids:hostname="$(hostname -f)" diff --git a/ovn/templates/bin/_ovn-controller.sh.tpl b/ovn/templates/bin/_ovn-controller.sh.tpl deleted file mode 100644 index ecb659d26..000000000 --- a/ovn/templates/bin/_ovn-controller.sh.tpl +++ /dev/null 
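Review bot: In the first branch the node annotation silently overrides whatever system-id OVS already carries, and nothing records that the chassis identity of this node just changed; a diagnostic at that branch, `echo "system-id mismatch: ovs='$current_system_id' annotation='$stored_system_id'; using annotation" >&2`, makes such a flip visible in the init-container log. The annotation value is written into OVS as-is; everything else in this script produces a `uuidgen` value, so checking the stored value against that shape before applying it would catch a corrupted or hand-edited annotation — though a deployment whose system-id predates this scheme may need the check relaxed. Dropping the old `set +e`/`set -e` bracket means a kubectl failure (for example missing RBAC) now aborts the init container; that looks intentional and is the safer failure mode, but a one-line comment above `stored_system_id=$(get_stored_system_id)` saying so would prevent someone from "fixing" it back.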
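Review bot: The new datapath-type block opens with `{{ if ... -}}` whereas the rest of this script uses the `{{- if ... }}` form (see `{{- if empty .Values.conf.ovn_remote -}}` and `{{- if .Values.pod.use_fqdn.compute }}` in the same file), which leaves extra blank lines in the rendered script when the value is unset; `{{- if .Values.conf.ovn_bridge_datapath_type }}` keeps the whitespace handling consistent with its neighbours.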
@@ -1,39 +0,0 @@ -#!/bin/bash -xe - -# Copyright 2023 VEXXHOST, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -COMMAND="${@:-start}" - -function start () { - /usr/share/ovn/scripts/ovn-ctl start_controller \ - --ovn-manage-ovsdb=no - - tail --follow=name /var/log/ovn/ovn-controller.log -} - -function stop () { - /usr/share/ovn/scripts/ovn-ctl stop_controller - pkill tail -} - -function liveness () { - ovs-appctl -t /var/run/ovn/ovn-controller.$(cat /var/run/ovn/ovn-controller.pid).ctl status -} - -function readiness () { - ovs-appctl -t /var/run/ovn/ovn-controller.$(cat /var/run/ovn/ovn-controller.pid).ctl status -} - -$COMMAND diff --git a/ovn/templates/bin/_ovn-northd.sh.tpl b/ovn/templates/bin/_ovn-northd.sh.tpl deleted file mode 100644 index fefd793cc..000000000 --- a/ovn/templates/bin/_ovn-northd.sh.tpl +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/bin/bash -xe - -# Copyright 2023 VEXXHOST, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -COMMAND="${@:-start}" - -{{- $nb_svc_name := "ovn-ovsdb-nb" -}} -{{- $nb_svc := (tuple $nb_svc_name "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup") -}} -{{- $nb_port := (tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup") -}} -{{- $nb_service_list := list -}} -{{- range $i := until (.Values.pod.replicas.ovn_ovsdb_nb | int) -}} - {{- $nb_service_list = printf "tcp:%s-%d.%s:%s" $nb_svc_name $i $nb_svc $nb_port | append $nb_service_list -}} -{{- end -}} - -{{- $sb_svc_name := "ovn-ovsdb-sb" -}} -{{- $sb_svc := (tuple $sb_svc_name "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup") -}} -{{- $sb_port := (tuple "ovn-ovsdb-sb" "internal" "ovsdb" . 
| include "helm-toolkit.endpoints.endpoint_port_lookup") -}} -{{- $sb_service_list := list -}} -{{- range $i := until (.Values.pod.replicas.ovn_ovsdb_sb | int) -}} - {{- $sb_service_list = printf "tcp:%s-%d.%s:%s" $sb_svc_name $i $sb_svc $sb_port | append $sb_service_list -}} -{{- end }} - -function start () { - /usr/share/ovn/scripts/ovn-ctl start_northd \ - --ovn-manage-ovsdb=no \ - --ovn-northd-nb-db={{ include "helm-toolkit.utils.joinListWithComma" $nb_service_list }} \ - --ovn-northd-sb-db={{ include "helm-toolkit.utils.joinListWithComma" $sb_service_list }} - - tail --follow=name /var/log/ovn/ovn-northd.log -} - -function stop () { - /usr/share/ovn/scripts/ovn-ctl stop_northd - pkill tail -} - -function liveness () { - ovs-appctl -t /var/run/ovn/ovn-northd.$(cat /var/run/ovn/ovn-northd.pid).ctl status -} - -function readiness () { - ovs-appctl -t /var/run/ovn/ovn-northd.$(cat /var/run/ovn/ovn-northd.pid).ctl status -} - -$COMMAND diff --git a/ovn/templates/bin/_ovsdb-server.sh.tpl b/ovn/templates/bin/_ovsdb-server.sh.tpl deleted file mode 100644 index e023505be..000000000 --- a/ovn/templates/bin/_ovsdb-server.sh.tpl +++ /dev/null 
@@ -1,72 +0,0 @@ -#!/bin/bash -xe - -# Copyright 2023 VEXXHOST, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -COMMAND="${@:-start}" - -OVSDB_HOST=$(hostname -f) -ARGS=( - --db-${OVS_DATABASE}-create-insecure-remote=yes - --db-${OVS_DATABASE}-cluster-local-proto=tcp - --db-${OVS_DATABASE}-cluster-local-addr=$(hostname -f) -) - -if [[ ! $HOSTNAME == *-0 && $OVSDB_HOST =~ (.+)-([0-9]+)\. ]]; then - OVSDB_BOOTSTRAP_HOST="${BASH_REMATCH[1]}-0.${OVSDB_HOST#*.}" - - ARGS+=( - --db-${OVS_DATABASE}-cluster-remote-proto=tcp - --db-${OVS_DATABASE}-cluster-remote-addr=${OVSDB_BOOTSTRAP_HOST} - ) -fi - -function start () { - /usr/share/ovn/scripts/ovn-ctl start_${OVS_DATABASE}_ovsdb ${ARGS[@]} - - tail --follow=name /var/log/ovn/ovsdb-server-${OVS_DATABASE}.log -} - -function stop () { - /usr/share/ovn/scripts/ovn-ctl stop_${OVS_DATABASE}_ovsdb - pkill tail -} - -function liveness () { - if [[ $OVS_DATABASE == "nb" ]]; then - OVN_DATABASE="Northbound" - elif [[ $OVS_DATABASE == "sb" ]]; then - OVN_DATABASE="Southbound" - else - echo "OVS_DATABASE must be nb or sb" - exit 1 - fi - - ovs-appctl -t /var/run/ovn/ovn${OVS_DATABASE}_db.ctl cluster/status OVN_${OVN_DATABASE} -} - -function readiness () { - if [[ $OVS_DATABASE == "nb" ]]; then - OVN_DATABASE="Northbound" - elif [[ $OVS_DATABASE == "sb" ]]; then - OVN_DATABASE="Southbound" - else - echo "OVS_DATABASE must be nb or sb" - exit 1 - fi - - ovs-appctl -t /var/run/ovn/ovn${OVS_DATABASE}_db.ctl cluster/status 
OVN_${OVN_DATABASE} -} - -$COMMAND diff --git a/ovn/templates/clusterrole-controller.yaml b/ovn/templates/clusterrole-controller.yaml new file mode 100644 index 000000000..bf2cc23fb --- /dev/null +++ b/ovn/templates/clusterrole-controller.yaml @@ -0,0 +1,28 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ovn-controller +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - patch + - list diff --git a/ovn/templates/clusterrolebinding-controller.yaml b/ovn/templates/clusterrolebinding-controller.yaml new file mode 100644 index 000000000..152d20fe1 --- /dev/null +++ b/ovn/templates/clusterrolebinding-controller.yaml 
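Review bot: The ClusterRole is now named plain `ovn-controller` with no namespace suffix, whereas the resources it replaces in daemonset-controller.yaml were named `ovn-controller-list-nodes-role-{{ $serviceAccountNamespace }}`; ClusterRole and ClusterRoleBinding are cluster-scoped, so two releases of this chart in different namespaces now collide on the same object and the second install either fails or rebinds the first release's service account. The same applies to the ClusterRoleBinding in clusterrolebinding-controller.yaml; `name: ovn-controller-{{ .Release.Namespace }}` in both files (and in the binding's `roleRef`) restores the previous isolation. Separately, `patch` on `nodes` is granted cluster-wide to every ovn-controller pod although the init script only annotates its own node via `$NODE_NAME`; RBAC cannot scope a verb to the local node, so a short comment on the rule stating why `patch` is needed and that the scope is accepted would help the next reviewer judge it.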
@@ -0,0 +1,27 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ovn-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ovn-controller +subjects: +- kind: ServiceAccount + name: ovn-controller + namespace: {{ .Release.Namespace }} diff --git a/ovn/templates/configmap-bin.yaml b/ovn/templates/configmap-bin.yaml index a849dd8ae..82001f990 100644 --- a/ovn/templates/configmap-bin.yaml +++ b/ovn/templates/configmap-bin.yaml @@ -24,12 +24,6 @@ data: image-repo-sync.sh: | {{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} {{- end }} - ovsdb-server.sh: | -{{ tuple "bin/_ovsdb-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - ovn-northd.sh: | -{{ tuple "bin/_ovn-northd.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} ovn-controller-init.sh: | {{ tuple "bin/_ovn-controller-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - ovn-controller.sh: | -{{ tuple "bin/_ovn-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{- end }} diff --git a/ovn/templates/daemonset-controller.yaml b/ovn/templates/daemonset-controller.yaml index 2bee1fe7a..7612ee924 100644 --- a/ovn/templates/daemonset-controller.yaml +++ b/ovn/templates/daemonset-controller.yaml 
@@ -12,38 +12,22 @@ See the License for the specific language governing permissions and limitations under the License. */}} +{{- define "controllerReadinessProbeTemplate" }} +exec: + command: + - /usr/bin/ovn-kube-util + - readiness-probe + - -t + - ovn-controller +{{- end }} + {{- if .Values.manifests.daemonset_ovn_controller }} {{- $envAll := . }} {{- $configMapName := "ovn-etc" }} {{- $serviceAccountName := "ovn-controller" }} -{{- $serviceAccountNamespace := $envAll.Release.Namespace }} {{ tuple $envAll "ovn_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ovn-controller-list-nodes-role-{{ $serviceAccountNamespace }} -rules: -- apiGroups: [""] - resources: ["nodes"] - verbs: ["list", "get"] - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn-controller-list-nodes-rolebinding-{{ $serviceAccountNamespace }} -subjects: -- kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ $serviceAccountNamespace }} -roleRef: - kind: ClusterRole - name: ovn-controller-list-nodes-role-{{ $serviceAccountNamespace }} - apiGroup: rbac.authorization.k8s.io - --- kind: DaemonSet apiVersion: apps/v1 @@ -97,6 +81,11 @@ spec: {{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }} command: - /tmp/ovn-controller-init.sh + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName volumeMounts: - name: ovn-bin mountPath: /tmp/ovn-controller-init.sh 
@@ -117,24 +106,30 @@ spec: {{ tuple $envAll $envAll.Values.pod.resources.ovn_controller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "ovn_controller" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - - /tmp/ovn-controller.sh - - start - lifecycle: - preStop: - exec: - command: - - /tmp/ovn-controller.sh - - stop + - /root/ovnkube.sh + - ovn-controller +{{ dict "envAll" . "component" "ovn_controller" "container" "controller" "type" "readiness" "probeTemplate" (include "controllerReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} + env: + - name: OVN_DAEMONSET_VERSION + value: "3" + - name: OVN_LOGLEVEL_CONTROLLER + value: "-vconsole:info -vfile:info" + - name: OVN_KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: OVN_KUBERNETES_NB_STATEFULSET + value: ovn-ovsdb-nb + - name: OVN_KUBERNETES_SB_STATEFULSET + value: ovn-ovsdb-sb + - name: OVN_SSL_ENABLE + value: "no" volumeMounts: - - name: ovn-bin - mountPath: /tmp/ovn-controller.sh - subPath: ovn-controller.sh - readOnly: true - name: run-openvswitch mountPath: /run/openvswitch - name: logs mountPath: /var/log/ovn - - name: run-ovn + - name: run-openvswitch mountPath: /run/ovn volumes: - name: ovn-bin diff --git a/ovn/templates/deployment-northd.yaml b/ovn/templates/deployment-northd.yaml index 46e413b54..2dbbb6890 100644 --- a/ovn/templates/deployment-northd.yaml +++ b/ovn/templates/deployment-northd.yaml 
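Review bot: The controller container keeps only a readiness probe — the liveness probe and the `preStop` hook went away with the wrapper script, and values.yaml adds only `readiness` under `ovn_controller`; with no liveness check a hung ovn-controller stays Running until something else restarts the pod, so if that is intentional it deserves a comment, otherwise add a liveness include mirroring the one on the northd container. The `run-openvswitch` volume is also mounted twice, at `/run/openvswitch` and at `/run/ovn`, in place of the separate `run-ovn` volume; if the `run-ovn` volume definition is still present further down the file it is now dead, and the controller's control socket and pid file will land in the host's OVS run directory — worth confirming that is what the ovnkube.sh entrypoint expects. `OVN_SSL_ENABLE` is hard-coded to `"no"` here (and in the northd and ovsdb manifests) rather than read from values, so the SB connection is plaintext TCP with no way to opt in to TLS from the chart.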
@@ -12,18 +12,13 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- define "livenessProbeTemplate" }} +{{- define "northdReadinessProbeTemplate" }} exec: command: - - /tmp/ovn-northd.sh - - liveness -{{- end }} - -{{- define "readinessProbeTemplate" }} -exec: - command: - - /tmp/ovn-northd.sh - - readiness + - /usr/bin/ovn-kube-util + - readiness-probe + - -t + - ovn-northd {{- end }} {{- if .Values.manifests.deployment_northd }} 
@@ -60,28 +55,27 @@ spec: {{- tuple $envAll "ovn_northd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: northd + command: + - /root/ovnkube.sh + - run-ovn-northd {{ tuple $envAll "ovn_northd" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ovn_northd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "ovn_northd" "container" "northd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} -{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "liveness" "probeTemplate" (include "livenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} -{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "readiness" "probeTemplate" (include "readinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} - command: - - /tmp/ovn-northd.sh - - start - lifecycle: - preStop: - exec: - command: - - /tmp/ovn-northd.sh - - stop - volumeMounts: - - name: ovn-bin - mountPath: /tmp/ovn-northd.sh - subPath: ovn-northd.sh - readOnly: true - volumes: - - name: ovn-bin - configMap: - name: ovn-bin - defaultMode: 0555 +{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "readiness" "probeTemplate" (include "northdReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} +{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "liveness" "probeTemplate" (include "northdReadinessProbeTemplate" . 
| fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} + env: + - name: OVN_DAEMONSET_VERSION + value: "3" + - name: OVN_LOGLEVEL_NORTHD + value: "-vconsole:info -vfile:info" + - name: OVN_KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: OVN_KUBERNETES_NB_STATEFULSET + value: ovn-ovsdb-nb + - name: OVN_KUBERNETES_SB_STATEFULSET + value: ovn-ovsdb-sb + - name: OVN_SSL_ENABLE + value: "no" {{- end }} diff --git a/ovn/templates/role-controller.yaml b/ovn/templates/role-controller.yaml new file mode 100644 index 000000000..4ab9e8863 --- /dev/null +++ b/ovn/templates/role-controller.yaml @@ -0,0 +1,27 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ovn-controller + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list diff --git a/ovn/templates/role-northd.yaml b/ovn/templates/role-northd.yaml new file mode 100644 index 000000000..58d66e92c --- /dev/null +++ b/ovn/templates/role-northd.yaml 
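Review bot: The liveness probe on the northd container now reuses `northdReadinessProbeTemplate`, but the values.yaml hunk in this same commit removes a `liveness:` block from `pod.probes` (the removed lines around values line 126) and adds only `readiness` entries for the other components; if that removed block was northd's, this liveness include points at probe settings that no longer exist, and whether `helm-toolkit.snippets.kubernetes_probe` renders nothing or errors on the missing key cannot be confirmed from this diff. Either restore `ovn_northd.northd.liveness` in values or drop the include. Reusing the readiness command for liveness is reasonable, but a one-line comment above the include saying both probes intentionally run the same `ovn-kube-util readiness-probe -t ovn-northd` check would stop a later reader from treating it as a copy-paste slip.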
@@ -0,0 +1,27 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ovn-northd + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list diff --git a/ovn/templates/role-ovsdb.yaml b/ovn/templates/role-ovsdb.yaml new file mode 100644 index 000000000..f435ac867 --- /dev/null +++ b/ovn/templates/role-ovsdb.yaml @@ -0,0 +1,35 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ovn-ovsdb + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "apps" + resources: + - statefulsets + verbs: + - get +- apiGroups: + - "" + resources: + - pods + - endpoints + verbs: + - list + - get diff --git a/ovn/templates/rolebinding-controller.yaml b/ovn/templates/rolebinding-controller.yaml new file mode 100644 index 000000000..6ed508f37 --- /dev/null 
+++ b/ovn/templates/rolebinding-controller.yaml @@ -0,0 +1,28 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ovn-controller + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ovn-controller +subjects: +- kind: ServiceAccount + name: ovn-controller + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/ovn/templates/rolebinding-northd.yaml b/ovn/templates/rolebinding-northd.yaml new file mode 100644 index 000000000..537babe92 --- /dev/null +++ b/ovn/templates/rolebinding-northd.yaml 
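Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), unlike the sibling rolebinding-northd.yaml and rolebinding-ovsdb.yaml added in the same commit; add the final newline so the three manifests are consistent and later diffs do not churn on it.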
@@ -0,0 +1,28 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ovn-northd + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ovn-northd +subjects: +- kind: ServiceAccount + name: ovn-northd + namespace: {{ .Release.Namespace }} diff --git a/ovn/templates/rolebinding-ovsdb.yaml b/ovn/templates/rolebinding-ovsdb.yaml new file mode 100644 index 000000000..6211114a1 --- /dev/null +++ b/ovn/templates/rolebinding-ovsdb.yaml 
@@ -0,0 +1,31 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ovn-ovsdb + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ovn-ovsdb +subjects: +- kind: ServiceAccount + name: ovn-ovsdb-nb + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: ovn-ovsdb-sb + namespace: {{ .Release.Namespace }} diff --git a/ovn/templates/service-ovsdb-nb.yaml b/ovn/templates/service-ovsdb-nb.yaml index b93da9b8b..56f7cd096 100644 --- a/ovn/templates/service-ovsdb-nb.yaml +++ b/ovn/templates/service-ovsdb-nb.yaml @@ -20,6 +20,7 @@ kind: Service metadata: name: {{ tuple "ovn-ovsdb-nb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} spec: + publishNotReadyAddresses: true ports: - name: ovsdb port: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} diff --git a/ovn/templates/service-ovsdb-sb.yaml b/ovn/templates/service-ovsdb-sb.yaml index 70f62c6e4..4a6b5864d 100644 --- a/ovn/templates/service-ovsdb-sb.yaml +++ b/ovn/templates/service-ovsdb-sb.yaml 
@@ -20,6 +20,7 @@ kind: Service metadata: name: {{ tuple "ovn-ovsdb-sb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} spec: + publishNotReadyAddresses: true ports: - name: ovsdb port: {{ tuple "ovn-ovsdb-sb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} diff --git a/ovn/templates/statefulset-ovsdb-nb.yaml b/ovn/templates/statefulset-ovsdb-nb.yaml index 6fe3dddd5..d19d5105d 100644 --- a/ovn/templates/statefulset-ovsdb-nb.yaml +++ b/ovn/templates/statefulset-ovsdb-nb.yaml @@ -12,6 +12,19 @@ See the License for the specific language governing permissions and limitations under the License. */}} +{{- define "ovnnbReadinessProbeTemplate" }} +exec: + command: + - /usr/bin/ovn-kube-util + - readiness-probe + - -t +{{- if gt (int .Values.pod.replicas.ovn_ovsdb_nb) 1 }} + - ovnnb-db-raft +{{- else }} + - ovnnb-db +{{- end }} +{{- end }} + {{- if .Values.manifests.statefulset_ovn_ovsdb_nb }} {{- $envAll := . }} @@ -28,6 +41,7 @@ metadata: {{ tuple $envAll "ovn" "ovn-ovsdb-nb" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} spec: serviceName: {{ tuple "ovn-ovsdb-nb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + podManagementPolicy: Parallel replicas: {{ .Values.pod.replicas.ovn_ovsdb_nb }} selector: matchLabels: 
@@ -49,43 +63,56 @@ spec: {{- tuple $envAll "ovn_ovsdb_nb" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ovsdb + command: + - /root/ovnkube.sh +{{- if gt (int .Values.pod.replicas.ovn_ovsdb_nb) 1 }} + - nb-ovsdb-raft +{{- else }} + - nb-ovsdb +{{- end }} {{ tuple $envAll "ovn_ovsdb_nb" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ovn_ovsdb_nb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" . "component" "ovn_ovsdb_nb" "container" "ovsdb" "type" "readiness" "probeTemplate" (include "ovnnbReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} ports: - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "raft" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} env: - - name: OVS_DATABASE - value: nb - - name: OVS_PORT + - name: OVN_DAEMONSET_VERSION + value: "3" + - name: OVN_LOGLEVEL_NB + value: "-vconsole:info -vfile:info" + - name: OVN_KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: OVN_KUBERNETES_STATEFULSET + value: ovn-ovsdb-nb + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OVN_SSL_ENABLE + value: "no" + - name: ENABLE_IPSEC + value: "false" + - name: OVN_NB_RAFT_ELECTION_TIMER + value: "1000" + - name: OVN_NB_PORT value: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - command: - - /tmp/ovsdb-server.sh - - start - lifecycle: - preStop: - exec: - command: - - /tmp/ovsdb-server.sh - - stop + - name: OVN_NB_RAFT_PORT + value: {{ tuple "ovn-ovsdb-nb" "internal" "raft" . 
| include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} volumeMounts: - - name: ovn-bin - mountPath: /tmp/ovsdb-server.sh - subPath: ovsdb-server.sh - readOnly: true - name: run-openvswitch - mountPath: /run/openvswitch + mountPath: /var/run/openvswitch + - name: run-openvswitch + mountPath: /var/run/ovn - name: data - mountPath: {{ $envAll.Values.volume.ovn_ovsdb_nb.path }} + mountPath: /etc/ovn volumes: - name: run-openvswitch hostPath: path: /run/openvswitch type: DirectoryOrCreate - - name: ovn-bin - configMap: - name: ovn-bin - defaultMode: 0555 {{- if not .Values.volume.ovn_ovsdb_nb.enabled }} - name: data emptyDir: {} diff --git a/ovn/templates/statefulset-ovsdb-sb.yaml b/ovn/templates/statefulset-ovsdb-sb.yaml index 106997587..a6180aaac 100644 --- a/ovn/templates/statefulset-ovsdb-sb.yaml +++ b/ovn/templates/statefulset-ovsdb-sb.yaml @@ -12,6 +12,19 @@ See the License for the specific language governing permissions and limitations under the License. */}} +{{- define "ovnsbReadinessProbeTemplate" }} +exec: + command: + - /usr/bin/ovn-kube-util + - readiness-probe + - -t +{{- if gt (int .Values.pod.replicas.ovn_ovsdb_sb) 1 }} + - ovnsb-db-raft +{{- else }} + - ovnsb-db +{{- end }} +{{- end }} + {{- if .Values.manifests.statefulset_ovn_ovsdb_sb }} {{- $envAll := . }} @@ -28,6 +41,7 @@ metadata: {{ tuple $envAll "ovn" "ovn-ovsdb-sb" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} spec: serviceName: {{ tuple "ovn-ovsdb-sb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + podManagementPolicy: Parallel replicas: {{ .Values.pod.replicas.ovn_ovsdb_sb }} selector: matchLabels: 
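Review bot: The `data` volume is now mounted at a fixed `/etc/ovn` (the `volume.ovn_ovsdb_nb.path` value is removed), while the hostPath `run-openvswitch` (host `/run/openvswitch`) is mounted at both `/var/run/openvswitch` and `/var/run/ovn`, so the NB server's control socket and pid file are placed in the host's OVS run directory that the controller DaemonSet also mounts; statefulset-ovsdb-sb.yaml makes the same change. With `podManagementPolicy: Parallel` added and no anti-affinity visible in this diff, two NB replicas scheduled on the same node would write identical filenames into that shared directory; if the chart guarantees one replica per node elsewhere, a comment on the mount saying so would help, otherwise an `emptyDir` for `/var/run/ovn` is the safer default. `OVN_NB_RAFT_ELECTION_TIMER: "1000"` and `OVN_SSL_ENABLE: "no"` are hard-coded here and would be more useful as values so operators can tune the election timer or enable TLS without forking the template.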
@@ -49,43 +63,56 @@ spec: {{- tuple $envAll "ovn_ovsdb_sb" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ovsdb + command: + - /root/ovnkube.sh +{{- if gt (int .Values.pod.replicas.ovn_ovsdb_sb) 1 }} + - sb-ovsdb-raft +{{- else }} + - sb-ovsdb +{{- end }} {{ tuple $envAll "ovn_ovsdb_sb" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ovn_ovsdb_sb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" . "component" "ovn_ovsdb_sb" "container" "ovsdb" "type" "readiness" "probeTemplate" (include "ovnsbReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} ports: - containerPort: {{ tuple "ovn-ovsdb-sb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - containerPort: {{ tuple "ovn-ovsdb-sb" "internal" "raft" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} env: - - name: OVS_DATABASE - value: sb - - name: OVS_PORT + - name: OVN_DAEMONSET_VERSION + value: "3" + - name: OVN_LOGLEVEL_SB + value: "-vconsole:info -vfile:info" + - name: OVN_KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: OVN_KUBERNETES_STATEFULSET + value: ovn-ovsdb-sb + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OVN_SSL_ENABLE + value: "no" + - name: ENABLE_IPSEC + value: "false" + - name: OVN_SB_RAFT_ELECTION_TIMER + value: "1000" + - name: OVN_SB_PORT value: {{ tuple "ovn-ovsdb-sb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - command: - - /tmp/ovsdb-server.sh - - start - lifecycle: - preStop: - exec: - command: - - /tmp/ovsdb-server.sh - - stop + - name: OVN_SB_RAFT_PORT + value: {{ tuple "ovn-ovsdb-sb" "internal" "raft" . 
| include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} volumeMounts: - - name: ovn-bin - mountPath: /tmp/ovsdb-server.sh - subPath: ovsdb-server.sh - readOnly: true - name: run-openvswitch - mountPath: /run/openvswitch + mountPath: /var/run/openvswitch + - name: run-openvswitch + mountPath: /var/run/ovn - name: data - mountPath: {{ $envAll.Values.volume.ovn_ovsdb_sb.path }} + mountPath: /etc/ovn volumes: - name: run-openvswitch hostPath: path: /run/openvswitch type: DirectoryOrCreate - - name: ovn-bin - configMap: - name: ovn-bin - defaultMode: 0555 {{- if not .Values.volume.ovn_ovsdb_sb.enabled }} - name: data emptyDir: {} @@ -95,10 +122,10 @@ spec: name: data spec: accessModes: ["ReadWriteOnce"] + storageClassName: {{ $envAll.Values.volume.ovn_ovsdb_sb.class_name }} resources: requests: storage: {{ $envAll.Values.volume.ovn_ovsdb_sb.size }} - storageClassName: {{ $envAll.Values.volume.ovn_ovsdb_sb.class_name }} {{- end }} {{- end }} diff --git a/ovn/values.yaml b/ovn/values.yaml index 95ea5c4aa..ca60650fb 100644 --- a/ovn/values.yaml +++ b/ovn/values.yaml @@ -53,12 +53,10 @@ labels: volume: ovn_ovsdb_nb: - path: /var/lib/ovn enabled: true class_name: general size: 5Gi ovn_ovsdb_sb: - path: /var/lib/ovn enabled: true class_name: general size: 5Gi @@ -77,6 +75,8 @@ conf: ovn_encap_type: geneve ovn_bridge: br-int ovn_bridge_mappings: external:br-ex + # For DPDK enabled environments, enable netdev datapath type for br-int + # ovn_bridge_datapath_type: netdev # auto_bridge_add: # br-private: eth0 
@@ -126,13 +126,41 @@ pod: readiness: enabled: true params: - initialDelaySeconds: 5 - timeoutSeconds: 10 - liveness: + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 60 + ovn_ovsdb_nb: + ovsdb: + readiness: enabled: true params: - initialDelaySeconds: 5 - timeoutSeconds: 10 + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 60 + ovn_ovsdb_sb: + ovsdb: + readiness: + enabled: true + params: + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 60 + ovn_controller: + controller: + readiness: + enabled: true + params: + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 60 + ovn_controller_gw: + controller: + readiness: + enabled: true + params: + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 60 dns_policy: "ClusterFirstWithHostNet" replicas: ovn_ovsdb_nb: 1 @@ -162,18 +190,18 @@ pod: enabled: false ovn_ovsdb_nb: requests: - memory: "128Mi" + memory: "384Mi" cpu: "100m" limits: memory: "1024Mi" - cpu: "2000m" + cpu: "1000m" ovn_ovsdb_sb: requests: - memory: "128Mi" + memory: "384Mi" cpu: "100m" limits: memory: "1024Mi" - cpu: "2000m" + cpu: "1000m" ovn_northd: requests: memory: "128Mi" diff --git a/releasenotes/notes/ovn-50ba6d3611decff9.yaml b/releasenotes/notes/ovn-50ba6d3611decff9.yaml new file mode 100644 index 000000000..f71d1ec9f --- /dev/null +++ b/releasenotes/notes/ovn-50ba6d3611decff9.yaml @@ -0,0 +1,4 @@ +--- +ovn: + - Add OVN Kubernetes support +...