openstack/kuryr-kubernetes
Code Issues Proposed changes
0176b4a98c
kuryr-kubernetes/kuryr_kubernetes/k8s_client.py

516 lines
21 KiB
Python
Raw Normal View History

K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
# Copyright (c) 2016 Mirantis, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import contextlib
Added method for creating k8s events object. Kubernetes provides a convenient way for examining resource life cycle. Ephemeral Event objects are created for some of the steps during resource object change of the state. Those event can be accessed using `kubectl get events` or for particular object `kubectl describe <type> <resource name>`, so that operator can examine the state and the reason for potential failure of given resource object. In this patch there is a method added for creating Event objects, so that anything wrong regarding Kubernetes object life cycle can be "annotated" with such object. Change-Id: I291613adf9282ec5399fbe5de75e82472c2bc9c0
2021-09-14 15:08:58 +02:00
import datetime
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
import functools
Resolve 'resourceVersion' conflicts It is possible for K8s resource to be updated while it is being processed by Kuryr handler. As a result K8sClient will fail to update annotations after the handler finishes its work due to the 'resourceVersion' conflict. This patch updates K8sClient to allow annotation updates with conflicting 'resourceVersion' if the updated annotations do not conflict with the current state (i.e. annotations are either new or have the same value as in the current state of the object). Change-Id: I6db14169bf8d6a8114a991bca9c220e15fccdce4 Co-Authored-By: Antoni Segura Puimedon <antonisp@celebdor.com> Closes-Bug: #1662448
2017-01-20 03:49:24 +03:00
import itertools
Add support for HTTPS client Add support to use cert and key files for watching a HTTPS enabled K8S api server. Change-Id: I0978531caa2c35031041450f86db9e90ce5efbb0 Closes-bug: #1670346
2017-03-03 13:54:38 +05:30
import os
Timeout connections when watching K8s API Turns out that without `timeout` parameter, requests library is unable to see connection interruption if those were "silent" (i.e. firewall blocked the connection for a period long enough for K8s API to drop the connection). This can be fixed by adding the `timeout` parameter to the `requests.get()` invocation in `watch()` and retrying on receiving `requests.ReadTimeout` exception. This commit does so by setting the connection and read timeouts to 30 and 60 respectively and implementing the retry logic using last seen resourceVersion to restart the watching connection. Change-Id: I19df95aaae404b5a936c469085b1f80f9eb99e2e Closes-Bug: 1842689
2019-09-04 18:41:32 +02:00
import ssl
Civilize logging Our logs are awful and this commit attempts to fix some issues with them: * Make sure we always indicate why some readiness or liveness probe fail. * Suppress INFO logs from werkzeug (so that we don't see every probe call on INFO level). * Remove logging of successful probe checks. * Make watcher restart logs less scary and include more cases. * Add backoff to watcher restarts so that we don't spam logs when K8s API is briefly unavailable. * Add warnings for low quotas. * Suppress some long logs on K8s healthz failures - we don't need full message from K8s printed twice. I also refactored CNI and controller health probes servers to make sure they're not duplicating code. Change-Id: Ia3db4863af8f28cfbaf2317042c8631cc63d9745
2020-05-22 16:17:02 +02:00
import time
Bump pool_maxsize for K8sClient to 1000 We're running kuryr-controller in highly multithreading way. Turns out in that cases requests' default for pool_maxsize=10 is not enough and we start to see warnings like: WARNING:requests.packages.urllib3.connectionpool:HttpConnectionPool is full, discarding connection: This patch attempts to get rid of them by bumping pool_maxsize to 1000. Change-Id: I7f4e150ed9f9e26db5222014b6ccff013882ecfa
2019-11-22 15:19:14 +01:00
from urllib import parse
Add urllib3's SSLError to expected Watcher exc Seems like new requests lib is somehow raising urllib3.exceptions.SSLError more often. This commit adds it to the exceptions expected by the Watcher and silenced with a retry. Closes-Bug: 1906498 Change-Id: I214c08c197483c00a5caecc47ef117cdd07a7652
2020-12-01 13:16:26 +01:00
import urllib3
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
Resolve 'resourceVersion' conflicts It is possible for K8s resource to be updated while it is being processed by Kuryr handler. As a result K8sClient will fail to update annotations after the handler finishes its work due to the 'resourceVersion' conflict. This patch updates K8sClient to allow annotation updates with conflicting 'resourceVersion' if the updated annotations do not conflict with the current state (i.e. annotations are either new or have the same value as in the current state of the object). Change-Id: I6db14169bf8d6a8114a991bca9c220e15fccdce4 Co-Authored-By: Antoni Segura Puimedon <antonisp@celebdor.com> Closes-Bug: #1662448
2017-01-20 03:49:24 +03:00
from oslo_log import log as logging
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
from oslo_serialization import jsonutils
Added method for creating k8s events object. Kubernetes provides a convenient way for examining resource life cycle. Ephemeral Event objects are created for some of the steps during resource object change of the state. Those event can be accessed using `kubectl get events` or for particular object `kubectl describe <type> <resource name>`, so that operator can examine the state and the reason for potential failure of given resource object. In this patch there is a method added for creating Event objects, so that anything wrong regarding Kubernetes object life cycle can be "annotated" with such object. Change-Id: I291613adf9282ec5399fbe5de75e82472c2bc9c0
2021-09-14 15:08:58 +02:00
import pytz
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
import requests
Bump pool_maxsize for K8sClient to 1000 We're running kuryr-controller in highly multithreading way. Turns out in that cases requests' default for pool_maxsize=10 is not enough and we start to see warnings like: WARNING:requests.packages.urllib3.connectionpool:HttpConnectionPool is full, discarding connection: This patch attempts to get rid of them by bumping pool_maxsize to 1000. Change-Id: I7f4e150ed9f9e26db5222014b6ccff013882ecfa
2019-11-22 15:19:14 +01:00
from requests import adapters
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
Add support for HTTPS client Add support to use cert and key files for watching a HTTPS enabled K8S api server. Change-Id: I0978531caa2c35031041450f86db9e90ce5efbb0 Closes-bug: #1670346
2017-03-03 13:54:38 +05:30
from kuryr.lib._i18n import _
from kuryr_kubernetes import config
Annotate nodes with pci info for direct ports This commit allows to add pci information for direct neutron ports attached to PODs into nodes annotations. It happens on binding stage when pci information can be requested. Also this commit allows to delete annotations for such ports when apropriate POD is deleted and VFs are returned into host's network namespace. For future commits: it is necessary to update neutron ports with pci info when POD is in Running state. Change-Id: I5ea8da6bb3143fd689e701f5e503488d4a6c9b33 Closes-Bug: 1818606 Signed-off-by: Danil Golov <d.golov@samsung.com>
2019-03-11 15:15:26 +03:00
from kuryr_kubernetes import constants
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
from kuryr_kubernetes import exceptions as exc
Civilize logging Our logs are awful and this commit attempts to fix some issues with them: * Make sure we always indicate why some readiness or liveness probe fail. * Suppress INFO logs from werkzeug (so that we don't see every probe call on INFO level). * Remove logging of successful probe checks. * Make watcher restart logs less scary and include more cases. * Add backoff to watcher restarts so that we don't spam logs when K8s API is briefly unavailable. * Add warnings for low quotas. * Suppress some long logs on K8s healthz failures - we don't need full message from K8s printed twice. I also refactored CNI and controller health probes servers to make sure they're not duplicating code. Change-Id: Ia3db4863af8f28cfbaf2317042c8631cc63d9745
2020-05-22 16:17:02 +02:00
from kuryr_kubernetes import utils
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
Timeout connections when watching K8s API Turns out that without `timeout` parameter, requests library is unable to see connection interruption if those were "silent" (i.e. firewall blocked the connection for a period long enough for K8s API to drop the connection). This can be fixed by adding the `timeout` parameter to the `requests.get()` invocation in `watch()` and retrying on receiving `requests.ReadTimeout` exception. This commit does so by setting the connection and read timeouts to 30 and 60 respectively and implementing the retry logic using last seen resourceVersion to restart the watching connection. Change-Id: I19df95aaae404b5a936c469085b1f80f9eb99e2e Closes-Bug: 1842689
2019-09-04 18:41:32 +02:00
CONF = config.CONF
Resolve 'resourceVersion' conflicts It is possible for K8s resource to be updated while it is being processed by Kuryr handler. As a result K8sClient will fail to update annotations after the handler finishes its work due to the 'resourceVersion' conflict. This patch updates K8sClient to allow annotation updates with conflicting 'resourceVersion' if the updated annotations do not conflict with the current state (i.e. annotations are either new or have the same value as in the current state of the object). Change-Id: I6db14169bf8d6a8114a991bca9c220e15fccdce4 Co-Authored-By: Antoni Segura Puimedon <antonisp@celebdor.com> Closes-Bug: #1662448
2017-01-20 03:49:24 +03:00
LOG = logging.getLogger(__name__)
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
class K8sClient(object):
# REVISIT(ivc): replace with python-k8sclient if it could be extended
# with 'WATCH' support
def __init__(self, base_url):
self._base_url = base_url
Add support for HTTPS client Add support to use cert and key files for watching a HTTPS enabled K8S api server. Change-Id: I0978531caa2c35031041450f86db9e90ce5efbb0 Closes-bug: #1670346
2017-03-03 13:54:38 +05:30
cert_file = config.CONF.kubernetes.ssl_client_crt_file
key_file = config.CONF.kubernetes.ssl_client_key_file
ca_crt_file = config.CONF.kubernetes.ssl_ca_crt_file
self.verify_server = config.CONF.kubernetes.ssl_verify_server_crt
k8s bearer token support Co-Authored-By: Vikas Choudhary <vichoudh@redhat.com> Change-Id: I9c8becf15c9fd5141a5f4468a04665fd09f8eaa6 Implements: blueprint token-auth-support
2017-05-10 11:55:57 -04:00
token_file = config.CONF.kubernetes.token_file
self.token = None
self.cert = (None, None)
Add config option to enable Kubernetes Event creation. Kuryr can (or rather: soon will be able to) leverage events for certain actions where Kuryr is involved, like creating pod networking, services, network policies and so on. This is a nice addition to the logging, where operator can just use typical kubectl commands to get the idea in what state are his resources. This feature can be turned on by using configuration: [kubernetes] use_events = true in kuryr.conf, although it might have an performance impact on kubernetes cluster. Change-Id: Ia25e1309157e49992119709fb546fd5baa2462a4
2021-12-01 11:25:39 +01:00
self.are_events_enabled = config.CONF.kubernetes.use_events
Bump pool_maxsize for K8sClient to 1000 We're running kuryr-controller in highly multithreading way. Turns out in that cases requests' default for pool_maxsize=10 is not enough and we start to see warnings like: WARNING:requests.packages.urllib3.connectionpool:HttpConnectionPool is full, discarding connection: This patch attempts to get rid of them by bumping pool_maxsize to 1000. Change-Id: I7f4e150ed9f9e26db5222014b6ccff013882ecfa
2019-11-22 15:19:14 +01:00
# Setting higher numbers regarding connection pools as we're running
# with max of 1000 green threads.
self.session = requests.Session()
prefix = '%s://' % parse.urlparse(base_url).scheme
self.session.mount(prefix, adapters.HTTPAdapter(pool_maxsize=1000))
k8s bearer token support Co-Authored-By: Vikas Choudhary <vichoudh@redhat.com> Change-Id: I9c8becf15c9fd5141a5f4468a04665fd09f8eaa6 Implements: blueprint token-auth-support
2017-05-10 11:55:57 -04:00
if token_file:
if os.path.exists(token_file):
with open(token_file, 'r') as f:
self.token = f.readline().rstrip('\n')
else:
raise RuntimeError(
_("Unable to find token_file : %s") % token_file)
else:
if cert_file and not os.path.exists(cert_file):
raise RuntimeError(
_("Unable to find ssl cert_file : %s") % cert_file)
if key_file and not os.path.exists(key_file):
raise RuntimeError(
_("Unable to find ssl key_file : %s") % key_file)
self.cert = (cert_file, key_file)
Add support for HTTPS client Add support to use cert and key files for watching a HTTPS enabled K8S api server. Change-Id: I0978531caa2c35031041450f86db9e90ce5efbb0 Closes-bug: #1670346
2017-03-03 13:54:38 +05:30
if self.verify_server:
if not ca_crt_file:
raise RuntimeError(
_("ssl_ca_crt_file cannot be None"))
elif not os.path.exists(ca_crt_file):
raise RuntimeError(
_("Unable to find ca cert_file : %s") % ca_crt_file)
else:
self.verify_server = ca_crt_file
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
# Let's setup defaults for our Session.
self.session.cert = self.cert
self.session.verify = self.verify_server
if self.token:
self.session.headers['Authorization'] = f'Bearer {self.token}'
# NOTE(dulek): Seems like this is the only way to set is globally.
self.session.request = functools.partial(
self.session.request, timeout=(
CONF.kubernetes.watch_connection_timeout,
CONF.kubernetes.watch_read_timeout))
Set read timeout for any request in K8sClient We're often contacting the K8s API through a loadbalancer (e.g. Octavia LB in DevStack deployments, HAProxy in OpenShift) and we've often seen they're able to drop connections silently, effectively leaving our requests hanging forever. This got fixed in `K8sClient.watch` which helped a lot, but we now seem to see it happening with other requests. In order to make sure we won't block processing events for a resource forever due to that, this commit adds read timeout to all the methods in K8sClient. Closes-Bug: 1897893 Change-Id: If1846ec78abc0840e7aba04565b220a1d20e5dc9
2020-09-30 12:56:57 +02:00
Raise K8sResourceNotFound for all client methods Seems like K8sClient wasn't raising K8sResourceNotFound exception on 404 from all the methods, e.g. patch. This commit makes sure that is no longer the case and any 404 results in K8sResourceNotFound exception. Change-Id: I23b947ef5f8c56429b5c69b73489fec19c44bd7e Closes-Bug: 1865893
2020-03-03 16:18:56 +01:00
def _raise_from_response(self, response):
if response.status_code == requests.codes.not_found:
raise exc.K8sResourceNotFound(response.text)
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
if response.status_code == requests.codes.conflict:
raise exc.K8sConflict(response.text)
Add finalizer for the pod as soon as possible. We were observed the situation, where pod has been created, triggered KuryrPort CRD creation and removed just before Kuryrport on_present event was handled, resulting in errors from KuryrPort side. Idea is to set the finalizer to the pod as quickly as possible, so that it wont disappear before we correctly set up the CRD. Change-Id: Iac82bb05a465e94e47356c3c873e11f00e5d0cd9
2020-07-31 10:46:00 +02:00
if response.status_code == requests.codes.forbidden:
if 'because it is being terminated' in response.json()['message']:
raise exc.K8sNamespaceTerminating(response.text)
raise exc.K8sForbidden(response.text)
Clean lb crd status upon Load Balancer removal When a lb transitions to ERROR or the IP on the Service spec differs from the lb VIP, the lb is released and the CRD doesn't get updated, causing Not Found expections when handling the creation of others load balancer resources. This commit fixes the issue by ensuring the clean up of the status field happens upon lb release. Also, it adds protection in case we still get nonexistent lb on the CRD. Closes-Bug: 1894758 Change-Id: I484ece6a7b52b51d878f724bd4fad0494eb759d6
2020-09-07 20:50:53 +00:00
if response.status_code == requests.codes.unprocessable_entity:
Added new K8sFieldValueForbidden exception. During tests it turns out, that we didn't catch Forbidden exceptions, since there was no forbidden http code sent from kubernetes API. In this Patch we introduce new exception K8sFieldValueForbidden, which will be raised on 422 Unprocessable Entity, k8s API returns. Also, taken care of objects in state terminating in remove_finalizer method. Closes-Bug: 1895124 Change-Id: If4ac93190db3a56ee6b94ca122bfd2e95c29ffb9
2020-09-10 12:47:43 +02:00
# NOTE(gryf): on k8s API code 422 is also Forbidden, but specified
# to FieldValueForbidden. Perhaps there are other usages for
# throwing unprocessable entity errors in different cases.
if ('FieldValueForbidden' in response.text and
'Forbidden' in response.json()['message']):
raise exc.K8sFieldValueForbidden(response.text)
Clean lb crd status upon Load Balancer removal When a lb transitions to ERROR or the IP on the Service spec differs from the lb VIP, the lb is released and the CRD doesn't get updated, causing Not Found expections when handling the creation of others load balancer resources. This commit fixes the issue by ensuring the clean up of the status field happens upon lb release. Also, it adds protection in case we still get nonexistent lb on the CRD. Closes-Bug: 1894758 Change-Id: I484ece6a7b52b51d878f724bd4fad0494eb759d6
2020-09-07 20:50:53 +00:00
raise exc.K8sUnprocessableEntity(response.text)
Raise K8sResourceNotFound for all client methods Seems like K8sClient wasn't raising K8sResourceNotFound exception on 404 from all the methods, e.g. patch. This commit makes sure that is no longer the case and any 404 results in K8sResourceNotFound exception. Change-Id: I23b947ef5f8c56429b5c69b73489fec19c44bd7e Closes-Bug: 1865893
2020-03-03 16:18:56 +01:00
if not response.ok:
raise exc.K8sClientException(response.text)
Add HTTPS support to K8s API healthchecks Our Controller and CNI healthchecks are checking the connection to the K8s API. This is done using the requests library directly and not through K8sClient wrapper. Because of that we've forgot to add HTTPS support there (DevStack runs K8s with HTTP). This commit fix that by making /healthz requests to go through K8sClient wrapper. Change-Id: I7d2657dfb123a7641eb838d7ddecde769bbb4318 Closes-Bug: 1759293
2018-03-27 17:16:20 +02:00
def get(self, path, json=True, headers=None):
Resolve 'resourceVersion' conflicts It is possible for K8s resource to be updated while it is being processed by Kuryr handler. As a result K8sClient will fail to update annotations after the handler finishes its work due to the 'resourceVersion' conflict. This patch updates K8sClient to allow annotation updates with conflicting 'resourceVersion' if the updated annotations do not conflict with the current state (i.e. annotations are either new or have the same value as in the current state of the object). Change-Id: I6db14169bf8d6a8114a991bca9c220e15fccdce4 Co-Authored-By: Antoni Segura Puimedon <antonisp@celebdor.com> Closes-Bug: #1662448
2017-01-20 03:49:24 +03:00
LOG.debug("Get %(path)s", {'path': path})
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
url = self._base_url + path
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
response = self.session.get(url, headers=headers)
Raise K8sResourceNotFound for all client methods Seems like K8sClient wasn't raising K8sResourceNotFound exception on 404 from all the methods, e.g. patch. This commit makes sure that is no longer the case and any 404 results in K8sResourceNotFound exception. Change-Id: I23b947ef5f8c56429b5c69b73489fec19c44bd7e Closes-Bug: 1865893
2020-03-03 16:18:56 +01:00
self._raise_from_response(response)
Added function for figure out link for the resource. Because Kubernetes will stop propagating metadata.selLink field in release 1.20 and it will be removed in release 1.21, we need to adapt and calculate selfLink equivalent by ourselves. In this patch new function is introduced, which will return the path for provided resource. Also, we need to deal with list of resources, since for some reason CRs do have information regarding apiVersion and the kind, while as for core resources the apiVersion is only on top of the list object, kind is something like *List, and object within 'items' are without either apiVersion nor kind. Implements: blueprint selflink Change-Id: I721a46ea0379382f7eb2e13c59bd193314f37e7f
2020-12-23 10:32:39 +01:00
if json:
result = response.json()
kind = result['kind']
api_version = result.get('apiVersion')
if not api_version:
api_version = utils.get_api_ver(path)
# Strip List from e.g. PodList. For some reason `.items` of a list
# returned from API doesn't have `kind` set.
# NOTE(gryf): Also, for the sake of calculating selfLink
# equivalent, we need to have both: kind and apiVersion, while the
# latter is not present on items list for core resources, while
# for custom resources there are both kind and apiVersion..
if kind.endswith('List'):
kind = kind[:-4]
Fix k8s client for handling empty list in response. Implements: blueprint selflink Change-Id: I0db851889017cfe19cc84acab36bdc67b04a9145
2021-01-08 17:25:03 +01:00
# NOTE(gryf): In case we get null/None for items from the API,
# we need to convert it to the empty list, otherwise it might
# be propagated to the consumers of this method and sent back
# to the Kubernetes as is, and fail as a result.
if result['items'] is None:
result['items'] = []
Added function for figure out link for the resource. Because Kubernetes will stop propagating metadata.selLink field in release 1.20 and it will be removed in release 1.21, we need to adapt and calculate selfLink equivalent by ourselves. In this patch new function is introduced, which will return the path for provided resource. Also, we need to deal with list of resources, since for some reason CRs do have information regarding apiVersion and the kind, while as for core resources the apiVersion is only on top of the list object, kind is something like *List, and object within 'items' are without either apiVersion nor kind. Implements: blueprint selflink Change-Id: I721a46ea0379382f7eb2e13c59bd193314f37e7f
2020-12-23 10:32:39 +01:00
for item in result['items']:
if not item.get('kind'):
item['kind'] = kind
if not item.get('apiVersion'):
item['apiVersion'] = api_version
Fix k8s client for handling empty list in response. Implements: blueprint selflink Change-Id: I0db851889017cfe19cc84acab36bdc67b04a9145
2021-01-08 17:25:03 +01:00
Added function for figure out link for the resource. Because Kubernetes will stop propagating metadata.selLink field in release 1.20 and it will be removed in release 1.21, we need to adapt and calculate selfLink equivalent by ourselves. In this patch new function is introduced, which will return the path for provided resource. Also, we need to deal with list of resources, since for some reason CRs do have information regarding apiVersion and the kind, while as for core resources the apiVersion is only on top of the list object, kind is something like *List, and object within 'items' are without either apiVersion nor kind. Implements: blueprint selflink Change-Id: I721a46ea0379382f7eb2e13c59bd193314f37e7f
2020-12-23 10:32:39 +01:00
if not result.get('apiVersion'):
result['apiVersion'] = api_version
else:
result = response.text
Add HTTPS support to K8s API healthchecks Our Controller and CNI healthchecks are checking the connection to the K8s API. This is done using the requests library directly and not through K8sClient wrapper. Because of that we've forgot to add HTTPS support there (DevStack runs K8s with HTTP). This commit fix that by making /healthz requests to go through K8sClient wrapper. Change-Id: I7d2657dfb123a7641eb838d7ddecde769bbb4318 Closes-Bug: 1759293
2018-03-27 17:16:20 +02:00
return result
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
Fix CRD podSelector update When the podSelector of a NP is updated, the podSelector on the respective CRD must also be updated with the same value. However, this do not happen in case the field of a label is updated, for example: Label {'app: demo'} is updated to {'context:demo'} the result given is {'app: demo', 'context:demo'} when should be {'context:demo'}. And after that, if the updated label {'context:demo'} is removed from the NP, it will not be removed from the CRD. These cases happen because the podSelector field is a dict and not a list. This commit fixes the issue by changing the merge strategy to JSON Patch, instead of JSON Merge Patch. Change-Id: Ic629c1ba4ac13c2bfaffdf7f904b69abf9521ed3 Closes-Bug: 1810394
2019-02-13 10:45:37 +00:00
def _get_url_and_header(self, path, content_type):
Add support for service type=LoadBalancer Service loadbalancerIP could be one of the following : 1. loadbalancerIP allocated from pre-defined pool k8s service.spec.type = 'LoadBalancer' 2. loadbalancerIP specified by user k8s service.spec.type = 'LoadBalancer' and service.spec.loadBalancerIP='x.y.z.t' This commit extend service capability to support '1' and '2' Implements: blueprint k8s-service-type-loadbalancer Change-Id: I98f56692e143aa7ab14dd9920139819c7026acce
2017-08-27 12:27:18 +03:00
url = self._base_url + path
Fix CRD podSelector update When the podSelector of a NP is updated, the podSelector on the respective CRD must also be updated with the same value. However, this do not happen in case the field of a label is updated, for example: Label {'app: demo'} is updated to {'context:demo'} the result given is {'app: demo', 'context:demo'} when should be {'context:demo'}. And after that, if the updated label {'context:demo'} is removed from the NP, it will not be removed from the CRD. These cases happen because the podSelector field is a dict and not a list. This commit fixes the issue by changing the merge strategy to JSON Patch, instead of JSON Merge Patch. Change-Id: Ic629c1ba4ac13c2bfaffdf7f904b69abf9521ed3 Closes-Bug: 1810394
2019-02-13 10:45:37 +00:00
header = {'Content-Type': content_type,
Add support for service type=LoadBalancer Service loadbalancerIP could be one of the following : 1. loadbalancerIP allocated from pre-defined pool k8s service.spec.type = 'LoadBalancer' 2. loadbalancerIP specified by user k8s service.spec.type = 'LoadBalancer' and service.spec.loadBalancerIP='x.y.z.t' This commit extend service capability to support '1' and '2' Implements: blueprint k8s-service-type-loadbalancer Change-Id: I98f56692e143aa7ab14dd9920139819c7026acce
2017-08-27 12:27:18 +03:00
'Accept': 'application/json'}
return url, header
Support network policy update This commit adds support for updating network policies. It handles the patch to KuryrNetPolicy CRD and handles security group rules update. Partially Implements: blueprint k8s-network-policies Change-Id: I02f69616b8cf9cddd23fd415bbb7517b178907e8
2018-09-25 08:57:27 -04:00
def patch(self, field, path, data):
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
LOG.debug("Patch %(path)s: %(data)s", {'path': path, 'data': data})
Fix CRD podSelector update When the podSelector of a NP is updated, the podSelector on the respective CRD must also be updated with the same value. However, this do not happen in case the field of a label is updated, for example: Label {'app: demo'} is updated to {'context:demo'} the result given is {'app: demo', 'context:demo'} when should be {'context:demo'}. And after that, if the updated label {'context:demo'} is removed from the NP, it will not be removed from the CRD. These cases happen because the podSelector field is a dict and not a list. This commit fixes the issue by changing the merge strategy to JSON Patch, instead of JSON Merge Patch. Change-Id: Ic629c1ba4ac13c2bfaffdf7f904b69abf9521ed3 Closes-Bug: 1810394
2019-02-13 10:45:37 +00:00
content_type = 'application/merge-patch+json'
url, header = self._get_url_and_header(path, content_type)
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
response = self.session.patch(url, json={field: data}, headers=header)
Raise K8sResourceNotFound for all client methods Seems like K8sClient wasn't raising K8sResourceNotFound exception on 404 from all the methods, e.g. patch. This commit makes sure that is no longer the case and any 404 results in K8sResourceNotFound exception. Change-Id: I23b947ef5f8c56429b5c69b73489fec19c44bd7e Closes-Bug: 1865893
2020-03-03 16:18:56 +01:00
self._raise_from_response(response)
return response.json().get('status')
Add support for service type=LoadBalancer Service loadbalancerIP could be one of the following : 1. loadbalancerIP allocated from pre-defined pool k8s service.spec.type = 'LoadBalancer' 2. loadbalancerIP specified by user k8s service.spec.type = 'LoadBalancer' and service.spec.loadBalancerIP='x.y.z.t' This commit extend service capability to support '1' and '2' Implements: blueprint k8s-service-type-loadbalancer Change-Id: I98f56692e143aa7ab14dd9920139819c7026acce
2017-08-27 12:27:18 +03:00
Namespace event handling through KuryrNet CRD This patch moves the namespace handling to be more aligned with the k8s style. Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250 Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
2020-02-10 08:46:03 +01:00
def patch_crd(self, field, path, data, action='replace'):
Fix CRD podSelector update When the podSelector of a NP is updated, the podSelector on the respective CRD must also be updated with the same value. However, this do not happen in case the field of a label is updated, for example: Label {'app: demo'} is updated to {'context:demo'} the result given is {'app: demo', 'context:demo'} when should be {'context:demo'}. And after that, if the updated label {'context:demo'} is removed from the NP, it will not be removed from the CRD. These cases happen because the podSelector field is a dict and not a list. This commit fixes the issue by changing the merge strategy to JSON Patch, instead of JSON Merge Patch. Change-Id: Ic629c1ba4ac13c2bfaffdf7f904b69abf9521ed3 Closes-Bug: 1810394
2019-02-13 10:45:37 +00:00
content_type = 'application/json-patch+json'
url, header = self._get_url_and_header(path, content_type)
Namespace event handling through KuryrNet CRD This patch moves the namespace handling to be more aligned with the k8s style. Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250 Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
2020-02-10 08:46:03 +01:00
if action == 'remove':
data = [{'op': action,
'path': f'/{field}/{data}'}]
else:
Clean lb crd status upon Load Balancer removal When a lb transitions to ERROR or the IP on the Service spec differs from the lb VIP, the lb is released and the CRD doesn't get updated, causing Not Found expections when handling the creation of others load balancer resources. This commit fixes the issue by ensuring the clean up of the status field happens upon lb release. Also, it adds protection in case we still get nonexistent lb on the CRD. Closes-Bug: 1894758 Change-Id: I484ece6a7b52b51d878f724bd4fad0494eb759d6
2020-09-07 20:50:53 +00:00
if data:
data = [{'op': action,
'path': f'/{field}/{crd_field}',
'value': value}
for crd_field, value in data.items()]
else:
data = [{'op': action,
'path': f'/{field}',
'value': data}]
Fix CRD podSelector update When the podSelector of a NP is updated, the podSelector on the respective CRD must also be updated with the same value. However, this do not happen in case the field of a label is updated, for example: Label {'app: demo'} is updated to {'context:demo'} the result given is {'app: demo', 'context:demo'} when should be {'context:demo'}. And after that, if the updated label {'context:demo'} is removed from the NP, it will not be removed from the CRD. These cases happen because the podSelector field is a dict and not a list. This commit fixes the issue by changing the merge strategy to JSON Patch, instead of JSON Merge Patch. Change-Id: Ic629c1ba4ac13c2bfaffdf7f904b69abf9521ed3 Closes-Bug: 1810394
2019-02-13 10:45:37 +00:00
LOG.debug("Patch %(path)s: %(data)s", {
'path': path, 'data': data})
Bump pool_maxsize for K8sClient to 1000 We're running kuryr-controller in highly multithreading way. Turns out in that cases requests' default for pool_maxsize=10 is not enough and we start to see warnings like: WARNING:requests.packages.urllib3.connectionpool:HttpConnectionPool is full, discarding connection: This patch attempts to get rid of them by bumping pool_maxsize to 1000. Change-Id: I7f4e150ed9f9e26db5222014b6ccff013882ecfa
2019-11-22 15:19:14 +01:00
response = self.session.patch(url, data=jsonutils.dumps(data),
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
headers=header)
Raise K8sResourceNotFound for all client methods Seems like K8sClient wasn't raising K8sResourceNotFound exception on 404 from all the methods, e.g. patch. This commit makes sure that is no longer the case and any 404 results in K8sResourceNotFound exception. Change-Id: I23b947ef5f8c56429b5c69b73489fec19c44bd7e Closes-Bug: 1865893
2020-03-03 16:18:56 +01:00
self._raise_from_response(response)
return response.json().get('status')
Fix CRD podSelector update When the podSelector of a NP is updated, the podSelector on the respective CRD must also be updated with the same value. However, this do not happen in case the field of a label is updated, for example: Label {'app: demo'} is updated to {'context:demo'} the result given is {'app: demo', 'context:demo'} when should be {'context:demo'}. And after that, if the updated label {'context:demo'} is removed from the NP, it will not be removed from the CRD. These cases happen because the podSelector field is a dict and not a list. This commit fixes the issue by changing the merge strategy to JSON Patch, instead of JSON Merge Patch. Change-Id: Ic629c1ba4ac13c2bfaffdf7f904b69abf9521ed3 Closes-Bug: 1810394
2019-02-13 10:45:37 +00:00
Annotate nodes with pci info for direct ports This commit allows to add pci information for direct neutron ports attached to PODs into nodes annotations. It happens on binding stage when pci information can be requested. Also this commit allows to delete annotations for such ports when apropriate POD is deleted and VFs are returned into host's network namespace. For future commits: it is necessary to update neutron ports with pci info when POD is in Running state. Change-Id: I5ea8da6bb3143fd689e701f5e503488d4a6c9b33 Closes-Bug: 1818606 Signed-off-by: Danil Golov <d.golov@samsung.com>
2019-03-11 15:15:26 +03:00
def patch_node_annotations(self, node, annotation_name, value):
content_type = 'application/json-patch+json'
path = '{}/nodes/{}/'.format(constants.K8S_API_BASE, node)
value = jsonutils.dumps(value)
url, header = self._get_url_and_header(path, content_type)
data = [{'op': 'add',
'path': '/metadata/annotations/{}'.format(annotation_name),
'value': value}]
Bump pool_maxsize for K8sClient to 1000 We're running kuryr-controller in highly multithreading way. Turns out in that cases requests' default for pool_maxsize=10 is not enough and we start to see warnings like: WARNING:requests.packages.urllib3.connectionpool:HttpConnectionPool is full, discarding connection: This patch attempts to get rid of them by bumping pool_maxsize to 1000. Change-Id: I7f4e150ed9f9e26db5222014b6ccff013882ecfa
2019-11-22 15:19:14 +01:00
response = self.session.patch(url, data=jsonutils.dumps(data),
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
headers=header)
Raise K8sResourceNotFound for all client methods Seems like K8sClient wasn't raising K8sResourceNotFound exception on 404 from all the methods, e.g. patch. This commit makes sure that is no longer the case and any 404 results in K8sResourceNotFound exception. Change-Id: I23b947ef5f8c56429b5c69b73489fec19c44bd7e Closes-Bug: 1865893
2020-03-03 16:18:56 +01:00
self._raise_from_response(response)
return response.json().get('status')
Annotate nodes with pci info for direct ports This commit allows to add pci information for direct neutron ports attached to PODs into nodes annotations. It happens on binding stage when pci information can be requested. Also this commit allows to delete annotations for such ports when apropriate POD is deleted and VFs are returned into host's network namespace. For future commits: it is necessary to update neutron ports with pci info when POD is in Running state. Change-Id: I5ea8da6bb3143fd689e701f5e503488d4a6c9b33 Closes-Bug: 1818606 Signed-off-by: Danil Golov <d.golov@samsung.com>
2019-03-11 15:15:26 +03:00
def remove_node_annotations(self, node, annotation_name):
content_type = 'application/json-patch+json'
path = '{}/nodes/{}/'.format(constants.K8S_API_BASE, node)
url, header = self._get_url_and_header(path, content_type)
data = [{'op': 'remove',
'path': '/metadata/annotations/{}'.format(annotation_name)}]
Bump pool_maxsize for K8sClient to 1000 We're running kuryr-controller in highly multithreading way. Turns out in that cases requests' default for pool_maxsize=10 is not enough and we start to see warnings like: WARNING:requests.packages.urllib3.connectionpool:HttpConnectionPool is full, discarding connection: This patch attempts to get rid of them by bumping pool_maxsize to 1000. Change-Id: I7f4e150ed9f9e26db5222014b6ccff013882ecfa
2019-11-22 15:19:14 +01:00
response = self.session.patch(url, data=jsonutils.dumps(data),
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
headers=header)
Raise K8sResourceNotFound for all client methods Seems like K8sClient wasn't raising K8sResourceNotFound exception on 404 from all the methods, e.g. patch. This commit makes sure that is no longer the case and any 404 results in K8sResourceNotFound exception. Change-Id: I23b947ef5f8c56429b5c69b73489fec19c44bd7e Closes-Bug: 1865893
2020-03-03 16:18:56 +01:00
self._raise_from_response(response)
return response.json().get('status')
Annotate nodes with pci info for direct ports This commit allows to add pci information for direct neutron ports attached to PODs into nodes annotations. It happens on binding stage when pci information can be requested. Also this commit allows to delete annotations for such ports when apropriate POD is deleted and VFs are returned into host's network namespace. For future commits: it is necessary to update neutron ports with pci info when POD is in Running state. Change-Id: I5ea8da6bb3143fd689e701f5e503488d4a6c9b33 Closes-Bug: 1818606 Signed-off-by: Danil Golov <d.golov@samsung.com>
2019-03-11 15:15:26 +03:00
Support upgrading LBaaSState annotation to KLB CRD On upgrade from version using annotations on Endpoints and Services objects to save information about created Octavia resources, to a version where that information lives in KuryrLoadBalancer CRD we need to make sure that data is converted. Otherwise we can end up with doubled loadbalancers. This commit makes sure data is converted before we try processing any Service or Endpoints resource that has annotations. Change-Id: I01ee5cedc7af8bd02283d065cd9b6f4a94f79888
2020-07-29 17:58:20 +02:00
def _jsonpatch_escape(self, value):
value = value.replace('~', '~0')
value = value.replace('/', '~1')
return value
Namespace event handling through KuryrNet CRD This patch moves the namespace handling to be more aligned with the k8s style. Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250 Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
2020-02-10 08:46:03 +01:00
def remove_annotations(self, path, annotation_name):
Support upgrading LBaaSState annotation to KLB CRD On upgrade from version using annotations on Endpoints and Services objects to save information about created Octavia resources, to a version where that information lives in KuryrLoadBalancer CRD we need to make sure that data is converted. Otherwise we can end up with doubled loadbalancers. This commit makes sure data is converted before we try processing any Service or Endpoints resource that has annotations. Change-Id: I01ee5cedc7af8bd02283d065cd9b6f4a94f79888
2020-07-29 17:58:20 +02:00
LOG.debug("Remove annotations %(path)s: %(name)s",
{'path': path, 'name': annotation_name})
Namespace event handling through KuryrNet CRD This patch moves the namespace handling to be more aligned with the k8s style. Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250 Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
2020-02-10 08:46:03 +01:00
content_type = 'application/json-patch+json'
url, header = self._get_url_and_header(path, content_type)
Support upgrading LBaaSState annotation to KLB CRD On upgrade from version using annotations on Endpoints and Services objects to save information about created Octavia resources, to a version where that information lives in KuryrLoadBalancer CRD we need to make sure that data is converted. Otherwise we can end up with doubled loadbalancers. This commit makes sure data is converted before we try processing any Service or Endpoints resource that has annotations. Change-Id: I01ee5cedc7af8bd02283d065cd9b6f4a94f79888
2020-07-29 17:58:20 +02:00
annotation_name = self._jsonpatch_escape(annotation_name)
Namespace event handling through KuryrNet CRD This patch moves the namespace handling to be more aligned with the k8s style. Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250 Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
2020-02-10 08:46:03 +01:00
data = [{'op': 'remove',
Support upgrading LBaaSState annotation to KLB CRD On upgrade from version using annotations on Endpoints and Services objects to save information about created Octavia resources, to a version where that information lives in KuryrLoadBalancer CRD we need to make sure that data is converted. Otherwise we can end up with doubled loadbalancers. This commit makes sure data is converted before we try processing any Service or Endpoints resource that has annotations. Change-Id: I01ee5cedc7af8bd02283d065cd9b6f4a94f79888
2020-07-29 17:58:20 +02:00
'path': f'/metadata/annotations/{annotation_name}'}]
Namespace event handling through KuryrNet CRD This patch moves the namespace handling to be more aligned with the k8s style. Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250 Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
2020-02-10 08:46:03 +01:00
response = self.session.patch(url, data=jsonutils.dumps(data),
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
headers=header)
Namespace event handling through KuryrNet CRD This patch moves the namespace handling to be more aligned with the k8s style. Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250 Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
2020-02-10 08:46:03 +01:00
if response.ok:
return response.json().get('status')
raise exc.K8sClientException(response.text)
Add namespace subnet driver for namespace creation This patch adds a new subnet driver that creates a new network for each created k8s namespace. It makes use of K8s CRDs to store the information about the network resources created for each namespace Partially Implements: blueprint network-namespace Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e
2018-04-18 11:03:27 +00:00
def post(self, path, body):
LOG.debug("Post %(path)s: %(body)s", {'path': path, 'body': body})
url = self._base_url + path
header = {'Content-Type': 'application/json'}
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
response = self.session.post(url, json=body, headers=header)
Raise K8sResourceNotFound for all client methods Seems like K8sClient wasn't raising K8sResourceNotFound exception on 404 from all the methods, e.g. patch. This commit makes sure that is no longer the case and any 404 results in K8sResourceNotFound exception. Change-Id: I23b947ef5f8c56429b5c69b73489fec19c44bd7e Closes-Bug: 1865893
2020-03-03 16:18:56 +01:00
self._raise_from_response(response)
return response.json()
Add namespace subnet driver for namespace creation This patch adds a new subnet driver that creates a new network for each created k8s namespace. It makes use of K8s CRDs to store the information about the network resources created for each namespace Partially Implements: blueprint network-namespace Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e
2018-04-18 11:03:27 +00:00
Namespace deletion functionality for namespace_subnet driver This patch extends the namespace_subnet driver to handle namespace deletion. It ensures the created resources during namespace creation are removed upon namespace deletion. Note it does not currently support deleting the extra ports created by the ports pool feature, so it should not be used if ports pool feature is enabled. A follow up patch will address this issue Partially Implements: blueprint network-namespace Change-Id: I2eed278dafacd5090a902bacfd366f7cdf9edca4
2018-04-18 11:31:48 +00:00
def delete(self, path):
LOG.debug("Delete %(path)s", {'path': path})
url = self._base_url + path
header = {'Content-Type': 'application/json'}
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
response = self.session.delete(url, headers=header)
Raise K8sResourceNotFound for all client methods Seems like K8sClient wasn't raising K8sResourceNotFound exception on 404 from all the methods, e.g. patch. This commit makes sure that is no longer the case and any 404 results in K8sResourceNotFound exception. Change-Id: I23b947ef5f8c56429b5c69b73489fec19c44bd7e Closes-Bug: 1865893
2020-03-03 16:18:56 +01:00
self._raise_from_response(response)
return response.json()
Namespace deletion functionality for namespace_subnet driver This patch extends the namespace_subnet driver to handle namespace deletion. It ensures the created resources during namespace creation are removed upon namespace deletion. Note it does not currently support deleting the extra ports created by the ports pool feature, so it should not be used if ports pool feature is enabled. A follow up patch will address this issue Partially Implements: blueprint network-namespace Change-Id: I2eed278dafacd5090a902bacfd366f7cdf9edca4
2018-04-18 11:31:48 +00:00
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
# TODO(dulek): add_finalizer() and remove_finalizer() have some code
# duplication, but I don't see a nice way to avoid it.
def add_finalizer(self, obj, finalizer):
if finalizer in obj['metadata'].get('finalizers', []):
Catch exceptions for deleted pod. It might happen, that during adding and instantly removing pod, vif handler will not be able to set the finalizer for such object, resulting in error. In this patch we prevent for such case. Closes-Bug: 1894212 Change-Id: I5b3b4b36ae0c2fca7c16153f75c62607efbc3ce4
2020-09-04 12:40:19 +02:00
return True
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
Adapt selfLink calculation for any k8s objects. Also, selfLink occurrences in unit tests has been removed (besides those, which actually make sense), and documentation. Implements: blueprint selflink Change-Id: Ib0bcc9f5cb6c4cdc27c3393dcb3f665b21cb64ac
2021-01-12 15:59:22 +01:00
path = utils.get_res_link(obj)
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
LOG.debug(f"Add finalizer {finalizer} to {path}")
url, headers = self._get_url_and_header(
path, 'application/merge-patch+json')
for i in range(3): # Let's make sure it's not infinite loop
finalizers = obj['metadata'].get('finalizers', []).copy()
finalizers.append(finalizer)
data = {
'metadata': {
'finalizers': finalizers,
'resourceVersion': obj['metadata']['resourceVersion'],
},
}
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
response = self.session.patch(url, json=data, headers=headers)
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
if response.ok:
Catch exceptions for deleted pod. It might happen, that during adding and instantly removing pod, vif handler will not be able to set the finalizer for such object, resulting in error. In this patch we prevent for such case. Closes-Bug: 1894212 Change-Id: I5b3b4b36ae0c2fca7c16153f75c62607efbc3ce4
2020-09-04 12:40:19 +02:00
return True
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
try:
self._raise_from_response(response)
Added new K8sFieldValueForbidden exception. During tests it turns out, that we didn't catch Forbidden exceptions, since there was no forbidden http code sent from kubernetes API. In this Patch we introduce new exception K8sFieldValueForbidden, which will be raised on 422 Unprocessable Entity, k8s API returns. Also, taken care of objects in state terminating in remove_finalizer method. Closes-Bug: 1895124 Change-Id: If4ac93190db3a56ee6b94ca122bfd2e95c29ffb9
2020-09-10 12:47:43 +02:00
except (exc.K8sFieldValueForbidden, exc.K8sResourceNotFound):
Catch exceptions for deleted pod. It might happen, that during adding and instantly removing pod, vif handler will not be able to set the finalizer for such object, resulting in error. In this patch we prevent for such case. Closes-Bug: 1894212 Change-Id: I5b3b4b36ae0c2fca7c16153f75c62607efbc3ce4
2020-09-04 12:40:19 +02:00
# Object is being deleting or gone. Return.
return False
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
except exc.K8sConflict:
Avoid race when pod is deleted before finalizer is added It may be possible that add_finalizer function first fails due to a Conflict updating the object as it got updated (in this case triggered the deletion) from the Kubernetes side, and then when trying to get the new object this is actually gone as the deletion was completed in between both actions. If that is the case we just need to return false as there is no need to add a finalizer for it Change-Id: I118a7c01d98722af30435f4d091820c81e4e95e4
2020-09-25 17:15:42 +02:00
try:
obj = self.get(path)
except exc.K8sResourceNotFound:
# Object got removed before finalizer was set
return False
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
if finalizer in obj['metadata'].get('finalizers', []):
# Finalizer is there, return.
Catch exceptions for deleted pod. It might happen, that during adding and instantly removing pod, vif handler will not be able to set the finalizer for such object, resulting in error. In this patch we prevent for such case. Closes-Bug: 1894212 Change-Id: I5b3b4b36ae0c2fca7c16153f75c62607efbc3ce4
2020-09-04 12:40:19 +02:00
return True
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
# If after 3 iterations there's still conflict, just raise.
self._raise_from_response(response)
def remove_finalizer(self, obj, finalizer):
Adapt selfLink calculation for any k8s objects. Also, selfLink occurrences in unit tests has been removed (besides those, which actually make sense), and documentation. Implements: blueprint selflink Change-Id: Ib0bcc9f5cb6c4cdc27c3393dcb3f665b21cb64ac
2021-01-12 15:59:22 +01:00
path = utils.get_res_link(obj)
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
LOG.debug(f"Remove finalizer {finalizer} from {path}")
url, headers = self._get_url_and_header(
path, 'application/merge-patch+json')
for i in range(3): # Let's make sure it's not infinite loop
finalizers = obj['metadata'].get('finalizers', []).copy()
try:
finalizers.remove(finalizer)
except ValueError:
# Finalizer is not there, return.
Catch exceptions for deleted pod. It might happen, that during adding and instantly removing pod, vif handler will not be able to set the finalizer for such object, resulting in error. In this patch we prevent for such case. Closes-Bug: 1894212 Change-Id: I5b3b4b36ae0c2fca7c16153f75c62607efbc3ce4
2020-09-04 12:40:19 +02:00
return True
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
data = {
'metadata': {
'finalizers': finalizers,
'resourceVersion': obj['metadata']['resourceVersion'],
},
}
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
response = self.session.patch(url, json=data, headers=headers)
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
if response.ok:
Catch exceptions for deleted pod. It might happen, that during adding and instantly removing pod, vif handler will not be able to set the finalizer for such object, resulting in error. In this patch we prevent for such case. Closes-Bug: 1894212 Change-Id: I5b3b4b36ae0c2fca7c16153f75c62607efbc3ce4
2020-09-04 12:40:19 +02:00
return True
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
try:
try:
self._raise_from_response(response)
except exc.K8sConflict:
obj = self.get(path)
Added new K8sFieldValueForbidden exception. During tests it turns out, that we didn't catch Forbidden exceptions, since there was no forbidden http code sent from kubernetes API. In this Patch we introduce new exception K8sFieldValueForbidden, which will be raised on 422 Unprocessable Entity, k8s API returns. Also, taken care of objects in state terminating in remove_finalizer method. Closes-Bug: 1895124 Change-Id: If4ac93190db3a56ee6b94ca122bfd2e95c29ffb9
2020-09-10 12:47:43 +02:00
except (exc.K8sFieldValueForbidden, exc.K8sResourceNotFound):
# Object is being deleted or gone already, stop.
Catch exceptions for deleted pod. It might happen, that during adding and instantly removing pod, vif handler will not be able to set the finalizer for such object, resulting in error. In this patch we prevent for such case. Closes-Bug: 1894212 Change-Id: I5b3b4b36ae0c2fca7c16153f75c62607efbc3ce4
2020-09-04 12:40:19 +02:00
return False
Implement add_finalizer and remove_finalizer This commit adds helper client methods that will aid in working with finalizers of the CRDs and other stuff. Also one place where we remove the finalizer already is updated to use the methods. Change-Id: I665e03f80102a08b2c3ec412a4417c3a32f9384b
2020-07-24 15:44:29 +02:00
# If after 3 iterations there's still conflict, just raise.
self._raise_from_response(response)
Update loadbalancer CRD with service spec and rely on CRD This commit adds support for creation of loadbalancer, listeners, members, pools with using the CRD, it is also filling the status field in the CRD. Depends-On: https://review.opendev.org/#/c/743214/ Change-Id: I42f90c836397b0d71969642d6ba31bfb49786a43
2020-02-24 20:46:54 +00:00
def get_loadbalancer_crd(self, obj):
name = obj['metadata']['name']
namespace = obj['metadata']['namespace']
try:
crd = self.get('{}/{}/kuryrloadbalancers/{}'.format(
constants.K8S_API_CRD_NAMESPACES, namespace,
name))
except exc.K8sResourceNotFound:
return None
except exc.K8sClientException:
LOG.exception("Kubernetes Client Exception.")
raise
return crd
Controller side of pods' port/VIF binding This patch introduces VIFHandler that is used by Kuryr-Kubernetes controller to manage VIF annotation and related Neutron resources which are used by CNI driver to enable pod networking. Change-Id: I1acfa052a530f06def4f7179945fac1687e1951a Partially-Implements: blueprint kuryr-k8s-integration
2016-11-09 17:15:49 +03:00
def annotate(self, path, annotations, resource_version=None):
Resolve 'resourceVersion' conflicts It is possible for K8s resource to be updated while it is being processed by Kuryr handler. As a result K8sClient will fail to update annotations after the handler finishes its work due to the 'resourceVersion' conflict. This patch updates K8sClient to allow annotation updates with conflicting 'resourceVersion' if the updated annotations do not conflict with the current state (i.e. annotations are either new or have the same value as in the current state of the object). Change-Id: I6db14169bf8d6a8114a991bca9c220e15fccdce4 Co-Authored-By: Antoni Segura Puimedon <antonisp@celebdor.com> Closes-Bug: #1662448
2017-01-20 03:49:24 +03:00
"""Pushes a resource annotation to the K8s API resource
The annotate operation is made with a PATCH HTTP request of kind:
application/merge-patch+json as described in:
Fix incorrect link to k8s api-conventions Also fix misprint in sriov binding driver Change-Id: I08eb68405a86d13619069f9d578de8277a48dfe2 Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
2019-10-03 15:41:17 +03:00
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#patch-operations # noqa
Resolve 'resourceVersion' conflicts It is possible for K8s resource to be updated while it is being processed by Kuryr handler. As a result K8sClient will fail to update annotations after the handler finishes its work due to the 'resourceVersion' conflict. This patch updates K8sClient to allow annotation updates with conflicting 'resourceVersion' if the updated annotations do not conflict with the current state (i.e. annotations are either new or have the same value as in the current state of the object). Change-Id: I6db14169bf8d6a8114a991bca9c220e15fccdce4 Co-Authored-By: Antoni Segura Puimedon <antonisp@celebdor.com> Closes-Bug: #1662448
2017-01-20 03:49:24 +03:00
"""
LOG.debug("Annotate %(path)s: %(names)s", {
'path': path, 'names': list(annotations)})
Add support for service type=LoadBalancer Service loadbalancerIP could be one of the following : 1. loadbalancerIP allocated from pre-defined pool k8s service.spec.type = 'LoadBalancer' 2. loadbalancerIP specified by user k8s service.spec.type = 'LoadBalancer' and service.spec.loadBalancerIP='x.y.z.t' This commit extend service capability to support '1' and '2' Implements: blueprint k8s-service-type-loadbalancer Change-Id: I98f56692e143aa7ab14dd9920139819c7026acce
2017-08-27 12:27:18 +03:00
Fix CRD podSelector update When the podSelector of a NP is updated, the podSelector on the respective CRD must also be updated with the same value. However, this do not happen in case the field of a label is updated, for example: Label {'app: demo'} is updated to {'context:demo'} the result given is {'app: demo', 'context:demo'} when should be {'context:demo'}. And after that, if the updated label {'context:demo'} is removed from the NP, it will not be removed from the CRD. These cases happen because the podSelector field is a dict and not a list. This commit fixes the issue by changing the merge strategy to JSON Patch, instead of JSON Merge Patch. Change-Id: Ic629c1ba4ac13c2bfaffdf7f904b69abf9521ed3 Closes-Bug: 1810394
2019-02-13 10:45:37 +00:00
content_type = 'application/merge-patch+json'
url, header = self._get_url_and_header(path, content_type)
Add support for service type=LoadBalancer Service loadbalancerIP could be one of the following : 1. loadbalancerIP allocated from pre-defined pool k8s service.spec.type = 'LoadBalancer' 2. loadbalancerIP specified by user k8s service.spec.type = 'LoadBalancer' and service.spec.loadBalancerIP='x.y.z.t' This commit extend service capability to support '1' and '2' Implements: blueprint k8s-service-type-loadbalancer Change-Id: I98f56692e143aa7ab14dd9920139819c7026acce
2017-08-27 12:27:18 +03:00
Resolve 'resourceVersion' conflicts It is possible for K8s resource to be updated while it is being processed by Kuryr handler. As a result K8sClient will fail to update annotations after the handler finishes its work due to the 'resourceVersion' conflict. This patch updates K8sClient to allow annotation updates with conflicting 'resourceVersion' if the updated annotations do not conflict with the current state (i.e. annotations are either new or have the same value as in the current state of the object). Change-Id: I6db14169bf8d6a8114a991bca9c220e15fccdce4 Co-Authored-By: Antoni Segura Puimedon <antonisp@celebdor.com> Closes-Bug: #1662448
2017-01-20 03:49:24 +03:00
while itertools.count(1):
metadata.resourceVersion: Invalid value Fixed error: metadata.resourceVersion: Invalid value: \"\": must be specified for an update when annotating Change-Id: I0e9ad64eae5a8ee42778c0fa50a3a3345ff25115 Closes-Bug: 1722142
2017-09-27 15:41:39 +08:00
metadata = {"annotations": annotations}
if resource_version:
metadata['resourceVersion'] = resource_version
data = jsonutils.dumps({"metadata": metadata}, sort_keys=True)
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
response = self.session.patch(url, data=data, headers=header)
Resolve 'resourceVersion' conflicts It is possible for K8s resource to be updated while it is being processed by Kuryr handler. As a result K8sClient will fail to update annotations after the handler finishes its work due to the 'resourceVersion' conflict. This patch updates K8sClient to allow annotation updates with conflicting 'resourceVersion' if the updated annotations do not conflict with the current state (i.e. annotations are either new or have the same value as in the current state of the object). Change-Id: I6db14169bf8d6a8114a991bca9c220e15fccdce4 Co-Authored-By: Antoni Segura Puimedon <antonisp@celebdor.com> Closes-Bug: #1662448
2017-01-20 03:49:24 +03:00
if response.ok:
Pod annotations to KuryrPort CRD. Till now, we were using pod annotations to store information regarding state of the associated VIFs to pod. This alone have its own issues and it's prone to the inconsistency in case of controller failures. In this patch we propose new CRD called KuryrPort for storage the information about VIFs. Depends-On: If639b63dcf660ed709623c8d5f788026619c895c Change-Id: I1e76ea949120f819dcab6d07714522a576e426f2
2020-05-26 13:03:07 +00:00
return response.json()['metadata'].get('annotations', {})
Resolve 'resourceVersion' conflicts It is possible for K8s resource to be updated while it is being processed by Kuryr handler. As a result K8sClient will fail to update annotations after the handler finishes its work due to the 'resourceVersion' conflict. This patch updates K8sClient to allow annotation updates with conflicting 'resourceVersion' if the updated annotations do not conflict with the current state (i.e. annotations are either new or have the same value as in the current state of the object). Change-Id: I6db14169bf8d6a8114a991bca9c220e15fccdce4 Co-Authored-By: Antoni Segura Puimedon <antonisp@celebdor.com> Closes-Bug: #1662448
2017-01-20 03:49:24 +03:00
if response.status_code == requests.codes.conflict:
resource = self.get(path)
new_version = resource['metadata']['resourceVersion']
retrieved_annotations = resource['metadata'].get(
'annotations', {})
for k, v in annotations.items():
Fix for k8s client annotation This commit changes the behaviour of k8s client while annotating. K8s client should not throw exceptions if there are conflicts in data and resourceVersion is different. It should resolve conflicts properly and try to patch annotations once again changing resourceVersion. If data is the same in process of annotating, then k8s client should not annotate many times. Change-Id: I7d981b59ecdae7fe434fe580f2f342cc4621198e Signed-off-by: Danil Golov <d.golov@samsung.com>
2019-07-12 19:04:32 +03:00
if v != retrieved_annotations.get(k):
Resolve 'resourceVersion' conflicts It is possible for K8s resource to be updated while it is being processed by Kuryr handler. As a result K8sClient will fail to update annotations after the handler finishes its work due to the 'resourceVersion' conflict. This patch updates K8sClient to allow annotation updates with conflicting 'resourceVersion' if the updated annotations do not conflict with the current state (i.e. annotations are either new or have the same value as in the current state of the object). Change-Id: I6db14169bf8d6a8114a991bca9c220e15fccdce4 Co-Authored-By: Antoni Segura Puimedon <antonisp@celebdor.com> Closes-Bug: #1662448
2017-01-20 03:49:24 +03:00
break
else:
Fix for k8s client annotation This commit changes the behaviour of k8s client while annotating. K8s client should not throw exceptions if there are conflicts in data and resourceVersion is different. It should resolve conflicts properly and try to patch annotations once again changing resourceVersion. If data is the same in process of annotating, then k8s client should not annotate many times. Change-Id: I7d981b59ecdae7fe434fe580f2f342cc4621198e Signed-off-by: Danil Golov <d.golov@samsung.com>
2019-07-12 19:04:32 +03:00
LOG.debug("Annotations for %(path)s already present: "
"%(names)s", {'path': path,
'names': retrieved_annotations})
return retrieved_annotations
# Retry patching with updated resourceVersion
resource_version = new_version
continue
metadata.resourceVersion: Invalid value Fixed error: metadata.resourceVersion: Invalid value: \"\": must be specified for an update when annotating Change-Id: I0e9ad64eae5a8ee42778c0fa50a3a3345ff25115 Closes-Bug: 1722142
2017-09-27 15:41:39 +08:00
LOG.error("Exception response, headers: %(headers)s, "
"content: %(content)s, text: %(text)s"
% {'headers': response.headers,
'content': response.content, 'text': response.text})
Services: Rollback openstack resources in case of annotation failure Upon K8S service creation the LBaaS handler creates all LB resources at neutron (LB,Listener,Pool,etc) and store them at K8S resource using annotation. When K8S service is deleted, the LBaaS handler retrieves LB resources details from annotation and release them at neutron. This patch handles the case in which K8S service resource was deleted before LBaaS handler stored openstack resource details. Closes-Bug: 1748890 Change-Id: Iea806d32c99cd3cf51a832b576ff4054fc522bd3
2018-02-21 23:54:52 +02:00
Raise K8sResourceNotFound for all client methods Seems like K8sClient wasn't raising K8sResourceNotFound exception on 404 from all the methods, e.g. patch. This commit makes sure that is no longer the case and any 404 results in K8sResourceNotFound exception. Change-Id: I23b947ef5f8c56429b5c69b73489fec19c44bd7e Closes-Bug: 1865893
2020-03-03 16:18:56 +01:00
self._raise_from_response(response)
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
def watch(self, path):
url = self._base_url + path
Timeout connections when watching K8s API Turns out that without `timeout` parameter, requests library is unable to see connection interruption if those were "silent" (i.e. firewall blocked the connection for a period long enough for K8s API to drop the connection). This can be fixed by adding the `timeout` parameter to the `requests.get()` invocation in `watch()` and retrying on receiving `requests.ReadTimeout` exception. This commit does so by setting the connection and read timeouts to 30 and 60 respectively and implementing the retry logic using last seen resourceVersion to restart the watching connection. Change-Id: I19df95aaae404b5a936c469085b1f80f9eb99e2e Closes-Bug: 1842689
2019-09-04 18:41:32 +02:00
resource_version = None
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
Civilize logging Our logs are awful and this commit attempts to fix some issues with them: * Make sure we always indicate why some readiness or liveness probe fail. * Suppress INFO logs from werkzeug (so that we don't see every probe call on INFO level). * Remove logging of successful probe checks. * Make watcher restart logs less scary and include more cases. * Add backoff to watcher restarts so that we don't spam logs when K8s API is briefly unavailable. * Add warnings for low quotas. * Suppress some long logs on K8s healthz failures - we don't need full message from K8s printed twice. I also refactored CNI and controller health probes servers to make sure they're not duplicating code. Change-Id: Ia3db4863af8f28cfbaf2317042c8631cc63d9745
2020-05-22 16:17:02 +02:00
attempt = 0
K8s and Neutron clients support Adds basic K8s client implementation and CONF-based singletons for both Neutron and K8s clients. The K8s client added by this patch should be considered a temporary solution that only implements the necessary parts to let us move forward with kuryr-kubernetes. Eventually it will be replaced by either [1] or [2]. The problem with [1] is that it does not yet support the streaming API that we need for WATCH. And [2] is outside of the OSt umbrella, so [1] is preferred over [2] unless [2] makes it into global-requirements.txt. [1] https://github.com/openstack/python-k8sclient [2] https://pypi.python.org/pypi/pykube NOTE: Removed py3-related code from config and top-level __init__. How to properly deal with that code is TBD. Change-Id: Ib4eb410eaf9725c296fcdddd8857eb24b8929915 Partially-Implements: blueprint kuryr-k8s-integration
2016-09-26 00:43:46 +03:00
while True:
Timeout connections when watching K8s API Turns out that without `timeout` parameter, requests library is unable to see connection interruption if those were "silent" (i.e. firewall blocked the connection for a period long enough for K8s API to drop the connection). This can be fixed by adding the `timeout` parameter to the `requests.get()` invocation in `watch()` and retrying on receiving `requests.ReadTimeout` exception. This commit does so by setting the connection and read timeouts to 30 and 60 respectively and implementing the retry logic using last seen resourceVersion to restart the watching connection. Change-Id: I19df95aaae404b5a936c469085b1f80f9eb99e2e Closes-Bug: 1842689
2019-09-04 18:41:32 +02:00
try:
params = {'watch': 'true'}
if resource_version:
params['resourceVersion'] = resource_version
with contextlib.closing(
Bump pool_maxsize for K8sClient to 1000 We're running kuryr-controller in highly multithreading way. Turns out in that cases requests' default for pool_maxsize=10 is not enough and we start to see warnings like: WARNING:requests.packages.urllib3.connectionpool:HttpConnectionPool is full, discarding connection: This patch attempts to get rid of them by bumping pool_maxsize to 1000. Change-Id: I7f4e150ed9f9e26db5222014b6ccff013882ecfa
2019-11-22 15:19:14 +01:00
self.session.get(
Refactor passing params to requests in K8s client Seems like there are options to set default values for several parameters in requests session. This commit attempts to leverage that by globally setting certificates, SSL verification, token header and timeout. Change-Id: Ieecc14cef94f1678a935f23affa6ca37e3de4a91
2020-09-30 12:56:57 +02:00
url, params=params, stream=True)) as response:
Timeout connections when watching K8s API Turns out that without `timeout` parameter, requests library is unable to see connection interruption if those were "silent" (i.e. firewall blocked the connection for a period long enough for K8s API to drop the connection). This can be fixed by adding the `timeout` parameter to the `requests.get()` invocation in `watch()` and retrying on receiving `requests.ReadTimeout` exception. This commit does so by setting the connection and read timeouts to 30 and 60 respectively and implementing the retry logic using last seen resourceVersion to restart the watching connection. Change-Id: I19df95aaae404b5a936c469085b1f80f9eb99e2e Closes-Bug: 1842689
2019-09-04 18:41:32 +02:00
if not response.ok:
raise exc.K8sClientException(response.text)
Civilize logging Our logs are awful and this commit attempts to fix some issues with them: * Make sure we always indicate why some readiness or liveness probe fail. * Suppress INFO logs from werkzeug (so that we don't see every probe call on INFO level). * Remove logging of successful probe checks. * Make watcher restart logs less scary and include more cases. * Add backoff to watcher restarts so that we don't spam logs when K8s API is briefly unavailable. * Add warnings for low quotas. * Suppress some long logs on K8s healthz failures - we don't need full message from K8s printed twice. I also refactored CNI and controller health probes servers to make sure they're not duplicating code. Change-Id: Ia3db4863af8f28cfbaf2317042c8631cc63d9745
2020-05-22 16:17:02 +02:00
attempt = 0
Timeout connections when watching K8s API Turns out that without `timeout` parameter, requests library is unable to see connection interruption if those were "silent" (i.e. firewall blocked the connection for a period long enough for K8s API to drop the connection). This can be fixed by adding the `timeout` parameter to the `requests.get()` invocation in `watch()` and retrying on receiving `requests.ReadTimeout` exception. This commit does so by setting the connection and read timeouts to 30 and 60 respectively and implementing the retry logic using last seen resourceVersion to restart the watching connection. Change-Id: I19df95aaae404b5a936c469085b1f80f9eb99e2e Closes-Bug: 1842689
2019-09-04 18:41:32 +02:00
for line in response.iter_lines():
line = line.decode('utf-8').strip()
if line:
line_dict = jsonutils.loads(line)
yield line_dict
# Saving the resourceVersion in case of a restart.
# At this point it's safely passed to handler.
m = line_dict.get('object', {}).get('metadata', {})
resource_version = m.get('resourceVersion', None)
Add requests.ConnectionError to watcher retries Apparently with switch to Python 3, requests library raises a different exception when read time out occurrs and it's quite general requests.ConnectionError. This causes tracebacks like [1] to show up in logs. This is pretty scary for the user, so this commit suppresses those exceptions and adds them to the list of exceptions K8sClient restarts watching. [1] http://paste.openstack.org/show/786574/ Change-Id: I09f3803edffbe2ea5f1913238adc23212a323100
2019-11-22 16:01:25 +01:00
except (requests.ReadTimeout, requests.ConnectionError,
Add urllib3's SSLError to expected Watcher exc Seems like new requests lib is somehow raising urllib3.exceptions.SSLError more often. This commit adds it to the exceptions expected by the Watcher and silenced with a retry. Closes-Bug: 1906498 Change-Id: I214c08c197483c00a5caecc47ef117cdd07a7652
2020-12-01 13:16:26 +01:00
ssl.SSLError, requests.exceptions.ChunkedEncodingError,
urllib3.exceptions.SSLError):
Tweak exponential backoff This commit attempts to tweak and simplify the exponential backoff that we use by making the default interval 1 instead of 3 (so that it won't raise that fast), locking default maximum wait at 60 seconds (so that we won't wait e.g. more than 2 minutes as a backoff waiting for pod to become active) and introducing small jitter instead of fully random choice of time that we had. Change-Id: Iaf7abb1a82d213ba0aeeec5b5b17760b1622c549
2020-07-03 16:26:31 +02:00
t = utils.exponential_backoff(attempt)
Civilize logging Our logs are awful and this commit attempts to fix some issues with them: * Make sure we always indicate why some readiness or liveness probe fail. * Suppress INFO logs from werkzeug (so that we don't see every probe call on INFO level). * Remove logging of successful probe checks. * Make watcher restart logs less scary and include more cases. * Add backoff to watcher restarts so that we don't spam logs when K8s API is briefly unavailable. * Add warnings for low quotas. * Suppress some long logs on K8s healthz failures - we don't need full message from K8s printed twice. I also refactored CNI and controller health probes servers to make sure they're not duplicating code. Change-Id: Ia3db4863af8f28cfbaf2317042c8631cc63d9745
2020-05-22 16:17:02 +02:00
log = LOG.debug
if attempt > 0:
# Only make it a warning if it's happening again, no need
# to inform about all the read timeouts.
log = LOG.warning
log('Connection error when watching %s. Retrying in %ds with '
'resourceVersion=%s', path, t,
params.get('resourceVersion'))
time.sleep(t)
attempt += 1
Added method for creating k8s events object. Kubernetes provides a convenient way for examining resource life cycle. Ephemeral Event objects are created for some of the steps during resource object change of the state. Those event can be accessed using `kubectl get events` or for particular object `kubectl describe <type> <resource name>`, so that operator can examine the state and the reason for potential failure of given resource object. In this patch there is a method added for creating Event objects, so that anything wrong regarding Kubernetes object life cycle can be "annotated" with such object. Change-Id: I291613adf9282ec5399fbe5de75e82472c2bc9c0
2021-09-14 15:08:58 +02:00
Add source to Events It is possible to add info about which component added an Event and this patch makes sure we do it. This should show up in `kubectl describe` directly pointing each event to Kuryr. Change-Id: If954d62010b43e8a92ac2cb3140fc434e5d477a0
2021-12-15 18:52:21 +01:00
def add_event(self, resource, reason, message, type_='Normal',
component='kuryr-controller'):
Added method for creating k8s events object. Kubernetes provides a convenient way for examining resource life cycle. Ephemeral Event objects are created for some of the steps during resource object change of the state. Those event can be accessed using `kubectl get events` or for particular object `kubectl describe <type> <resource name>`, so that operator can examine the state and the reason for potential failure of given resource object. In this patch there is a method added for creating Event objects, so that anything wrong regarding Kubernetes object life cycle can be "annotated" with such object. Change-Id: I291613adf9282ec5399fbe5de75e82472c2bc9c0
2021-09-14 15:08:58 +02:00
"""Create an Event object for the provided resource."""
Add config option to enable Kubernetes Event creation. Kuryr can (or rather: soon will be able to) leverage events for certain actions where Kuryr is involved, like creating pod networking, services, network policies and so on. This is a nice addition to the logging, where operator can just use typical kubectl commands to get the idea in what state are his resources. This feature can be turned on by using configuration: [kubernetes] use_events = true in kuryr.conf, although it might have an performance impact on kubernetes cluster. Change-Id: Ia25e1309157e49992119709fb546fd5baa2462a4
2021-12-01 11:25:39 +01:00
if not self.are_events_enabled:
return {}
Add events for Pod object. Also added function for getting object out of ownerReferences or by query kubernetes API for getting original obj out of CRD. Change-Id: I17e1672a46496bc6a51f3d28fbfbd1adea9ca249
2021-10-15 11:59:18 +02:00
if not resource:
return {}
Added method for creating k8s events object. Kubernetes provides a convenient way for examining resource life cycle. Ephemeral Event objects are created for some of the steps during resource object change of the state. Those event can be accessed using `kubectl get events` or for particular object `kubectl describe <type> <resource name>`, so that operator can examine the state and the reason for potential failure of given resource object. In this patch there is a method added for creating Event objects, so that anything wrong regarding Kubernetes object life cycle can be "annotated" with such object. Change-Id: I291613adf9282ec5399fbe5de75e82472c2bc9c0
2021-09-14 15:08:58 +02:00
involved_object = {'apiVersion': resource['apiVersion'],
'kind': resource['kind'],
'name': resource['metadata']['name'],
'namespace': resource['metadata']['namespace'],
'uid': resource['metadata']['uid']}
# This is needed for Event date, otherwise LAST SEEN/Age will be empty
# and misleading.
now = datetime.datetime.utcnow().replace(tzinfo=pytz.UTC)
date_time = now.strftime("%Y-%m-%dT%H:%M:%SZ")
name = ".".join((resource['metadata']['name'],
self._get_hex_timestamp(now)))
event = {'kind': 'Event',
'apiVersion': 'v1',
'firstTimestamp': date_time,
'metadata': {'name': name},
'reason': reason,
'message': message,
'type': type_,
Add source to Events It is possible to add info about which component added an Event and this patch makes sure we do it. This should show up in `kubectl describe` directly pointing each event to Kuryr. Change-Id: If954d62010b43e8a92ac2cb3140fc434e5d477a0
2021-12-15 18:52:21 +01:00
'involvedObject': involved_object,
'source': {'component': component,
'host': utils.get_nodename()}}
Added method for creating k8s events object. Kubernetes provides a convenient way for examining resource life cycle. Ephemeral Event objects are created for some of the steps during resource object change of the state. Those event can be accessed using `kubectl get events` or for particular object `kubectl describe <type> <resource name>`, so that operator can examine the state and the reason for potential failure of given resource object. In this patch there is a method added for creating Event objects, so that anything wrong regarding Kubernetes object life cycle can be "annotated" with such object. Change-Id: I291613adf9282ec5399fbe5de75e82472c2bc9c0
2021-09-14 15:08:58 +02:00
try:
return self.post(f'{constants.K8S_API_BASE}/namespaces/'
f'{resource["metadata"]["namespace"]}/events',
event)
Follow up to Pods events patch Some minor wording fixes, making sure we're not logging errors happening when we try to create events on Namespace termination and a safeguard if somebody puts garbage into ownerReferences we depend from. Change-Id: Ia2d6f41c0b9f969ea01ae78a16036cd4715de703
2021-12-15 18:10:44 +01:00
except exc.K8sNamespaceTerminating:
# We can't create events in a Namespace that is being terminated,
# there's no workaround, no need to log it, just ignore it.
return {}
Added method for creating k8s events object. Kubernetes provides a convenient way for examining resource life cycle. Ephemeral Event objects are created for some of the steps during resource object change of the state. Those event can be accessed using `kubectl get events` or for particular object `kubectl describe <type> <resource name>`, so that operator can examine the state and the reason for potential failure of given resource object. In this patch there is a method added for creating Event objects, so that anything wrong regarding Kubernetes object life cycle can be "annotated" with such object. Change-Id: I291613adf9282ec5399fbe5de75e82472c2bc9c0
2021-09-14 15:08:58 +02:00
except exc.K8sClientException:
LOG.warning(f'There was non critical error during creating an '
'Event for resource: "{resource}", with reason: '
f'"{reason}", message: "{message}" and type: '
f'"{type_}"')
return {}
def _get_hex_timestamp(self, datetimeobj):
"""Get hex representation for timestamp.
In Kuberenets, Event name is constructed name of the bounded object
and timestamp in hexadecimal representation.
Note, that Python timestamp is represented as floating figure:
1631622163.8534190654754638671875
while those which origin from K8s, after change to int:
1631622163915909162
so, to get similar integer, we need to multiply the float by
100000000 to get the same precision and cast to integer, to get rid
of the fractures, and finally convert it to hex representation.
"""
timestamp = datetime.datetime.timestamp(datetimeobj)
return format(int(timestamp * 100000000), 'x')
Copy Permalink