Merge "Basic IPv6 support in DevStack"
commit
3848e3332a
@ -60,6 +60,17 @@
|
|||||||
devstack_localrc:
|
devstack_localrc:
|
||||||
KURYR_K8S_CONTAINERIZED_DEPLOYMENT: true
|
KURYR_K8S_CONTAINERIZED_DEPLOYMENT: true
|
||||||
|
|
||||||
|
- job:
|
||||||
|
name: kuryr-kubernetes-tempest-containerized-ipv6
|
||||||
|
parent: kuryr-kubernetes-tempest-containerized
|
||||||
|
description: |
|
||||||
|
Kuryr-Kubernetes tempest job running kuryr containerized with IPv6 pod
|
||||||
|
and service networks
|
||||||
|
vars:
|
||||||
|
devstack_localrc:
|
||||||
|
KURYR_IPV6: true
|
||||||
|
voting: false
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: kuryr-kubernetes-tempest-containerized-lower-constraints
|
name: kuryr-kubernetes-tempest-containerized-lower-constraints
|
||||||
parent: kuryr-kubernetes-tempest-containerized
|
parent: kuryr-kubernetes-tempest-containerized
|
||||||
|
@ -23,6 +23,8 @@
|
|||||||
- kuryr-kubernetes-tempest-containerized-ovn
|
- kuryr-kubernetes-tempest-containerized-ovn
|
||||||
- kuryr-kubernetes-tempest-containerized-network-policy
|
- kuryr-kubernetes-tempest-containerized-network-policy
|
||||||
- kuryr-kubernetes-tempest-multinode-containerized
|
- kuryr-kubernetes-tempest-multinode-containerized
|
||||||
|
- kuryr-kubernetes-tempest-containerized-ipv6
|
||||||
|
- kuryr-kubernetes-tempest-containerized-ovn-ipv6
|
||||||
gate:
|
gate:
|
||||||
jobs:
|
jobs:
|
||||||
- kuryr-kubernetes-tempest
|
- kuryr-kubernetes-tempest
|
||||||
|
@ -52,6 +52,17 @@
|
|||||||
devstack_localrc:
|
devstack_localrc:
|
||||||
KURYR_K8S_CONTAINERIZED_DEPLOYMENT: true
|
KURYR_K8S_CONTAINERIZED_DEPLOYMENT: true
|
||||||
|
|
||||||
|
- job:
|
||||||
|
name: kuryr-kubernetes-tempest-containerized-ovn-ipv6
|
||||||
|
parent: kuryr-kubernetes-tempest-containerized-ovn
|
||||||
|
description: |
|
||||||
|
Kuryr-Kubernetes tempest job running kuryr containerized with OVN and
|
||||||
|
IPv6 pod and service networks
|
||||||
|
vars:
|
||||||
|
devstack_localrc:
|
||||||
|
KURYR_IPV6: true
|
||||||
|
voting: false
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: kuryr-kubernetes-tempest-dragonflow
|
name: kuryr-kubernetes-tempest-dragonflow
|
||||||
parent: kuryr-kubernetes-tempest
|
parent: kuryr-kubernetes-tempest
|
||||||
|
@ -84,12 +84,21 @@ function ovs_bind_for_kubelet() {
|
|||||||
if [ -n "$port_number" ]; then
|
if [ -n "$port_number" ]; then
|
||||||
# if openstack-INPUT chain doesn't exist we create it in INPUT (for
|
# if openstack-INPUT chain doesn't exist we create it in INPUT (for
|
||||||
# local development envs since openstack-INPUT is usually only in gates)
|
# local development envs since openstack-INPUT is usually only in gates)
|
||||||
sudo iptables -I openstack-INPUT 1 \
|
if [ "$KURYR_IPV6" == "False" ]; then
|
||||||
-p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $port_number -j ACCEPT || \
|
sudo iptables -I openstack-INPUT 1 \
|
||||||
sudo iptables -I INPUT 1 \
|
-p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $port_number -j ACCEPT || \
|
||||||
-p tcp -m conntrack --ctstate NEW \
|
sudo iptables -I INPUT 1 \
|
||||||
-m tcp --dport "$port_number" \
|
-p tcp -m conntrack --ctstate NEW \
|
||||||
-m comment --comment "kuryr-devstack: Access to OpenShift API" -j ACCEPT
|
-m tcp --dport "$port_number" \
|
||||||
|
-m comment --comment "kuryr-devstack: Access to OpenShift API" -j ACCEPT
|
||||||
|
else
|
||||||
|
sudo ip6tables -I openstack-INPUT 1 \
|
||||||
|
-p tcp -s ::/0 -d ::/0 --dport $port_number -j ACCEPT || \
|
||||||
|
sudo ip6tables -I INPUT 1 \
|
||||||
|
-p tcp -m conntrack --ctstate NEW \
|
||||||
|
-m tcp --dport "$port_number" \
|
||||||
|
-m comment --comment "kuryr-devstack: Access to OpenShift API" -j ACCEPT
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
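Review bot: The family selection `if [ "$KURYR_IPV6" == "False" ]` in ovs_bind_for_kubelet compares against the raw setting, so any spelling other than the literal `False` (for example `false` or `0`) falls through to the `ip6tables` branch and the API port is opened in the wrong address family. On this page the value is only normalised by `KURYR_IPV6=$(trueorfalse False KURYR_IPV6)` inside configure_neutron_defaults, while the settings default is a plain `KURYR_IPV6=${KURYR_IPV6:-False}` and the new Zuul jobs pass lowercase `true`; whether that normalisation has already run when this function is called is not visible here. Normalising once where the default is declared, `KURYR_IPV6=$(trueorfalse False KURYR_IPV6)`, would make this check and the same comparisons in create_k8s_subnet (`== "False"`) and update_tempest_conf_file (`== "True"`) reliable. ovs_bind_for_kubelet starts outside this hunk.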
@ -196,6 +205,7 @@ function create_k8s_icmp_sg_rules {
|
|||||||
security group rule create \
|
security group rule create \
|
||||||
--project "$project_id" \
|
--project "$project_id" \
|
||||||
--protocol icmp \
|
--protocol icmp \
|
||||||
|
--ethertype "$KURYR_ETHERTYPE" \
|
||||||
--"$direction" "$sg_id")
|
--"$direction" "$sg_id")
|
||||||
die_if_not_set $LINENO icmp_sg_rules \
|
die_if_not_set $LINENO icmp_sg_rules \
|
||||||
"Failure creating icmp sg ${direction} rule for ${sg_id}"
|
"Failure creating icmp sg ${direction} rule for ${sg_id}"
|
||||||
@ -212,7 +222,6 @@ function create_k8s_icmp_sg_rules {
|
|||||||
# split_allocation - Whether to allocate on all the subnet or only the
|
# split_allocation - Whether to allocate on all the subnet or only the
|
||||||
# latter half
|
# latter half
|
||||||
function create_k8s_subnet {
|
function create_k8s_subnet {
|
||||||
# REVISIT(apuimedo): add support for IPv6
|
|
||||||
local project_id=$1
|
local project_id=$1
|
||||||
local net_name="$2"
|
local net_name="$2"
|
||||||
local subnet_name="$3"
|
local subnet_name="$3"
|
||||||
@ -224,7 +233,13 @@ function create_k8s_subnet {
|
|||||||
|
|
||||||
split_allocation="${6:-False}"
|
split_allocation="${6:-False}"
|
||||||
|
|
||||||
subnet_params+="--ip-version 4 "
|
if [ "$KURYR_IPV6" == "False" ]; then
|
||||||
|
subnet_params+="--ip-version 4 "
|
||||||
|
else
|
||||||
|
# NOTE(dulek): K8s API won't accept subnets bigger than 20 bits.
|
||||||
|
# And 20 will totally be fine for us.
|
||||||
|
subnet_params+="--ip-version 6 --prefix-length 108 "
|
||||||
|
fi
|
||||||
subnet_params+="--no-dhcp --gateway none "
|
subnet_params+="--no-dhcp --gateway none "
|
||||||
subnet_params+="--subnet-pool $subnetpool_id "
|
subnet_params+="--subnet-pool $subnetpool_id "
|
||||||
|
|
||||||
|
@ -280,7 +280,15 @@ function configure_neutron_defaults {
|
|||||||
|
|
||||||
# If a subnetpool is not passed, we get the one created in devstack's
|
# If a subnetpool is not passed, we get the one created in devstack's
|
||||||
# Neutron module
|
# Neutron module
|
||||||
subnetpool_id=${KURYR_NEUTRON_DEFAULT_SUBNETPOOL_ID:-${SUBNETPOOL_V4_ID}}
|
KURYR_IPV6=$(trueorfalse False KURYR_IPV6)
|
||||||
|
if [ "$KURYR_IPV6" == "False" ]; then
|
||||||
|
export KURYR_ETHERTYPE=IPv4
|
||||||
|
subnetpool_id=${KURYR_NEUTRON_DEFAULT_SUBNETPOOL_ID:-${SUBNETPOOL_V4_ID}}
|
||||||
|
else
|
||||||
|
export KURYR_ETHERTYPE=IPv6
|
||||||
|
subnetpool_id=${KURYR_NEUTRON_DEFAULT_SUBNETPOOL_ID:-${SUBNETPOOL_V6_ID}}
|
||||||
|
fi
|
||||||
|
|
||||||
router=${KURYR_NEUTRON_DEFAULT_ROUTER:-$Q_ROUTER_NAME}
|
router=${KURYR_NEUTRON_DEFAULT_ROUTER:-$Q_ROUTER_NAME}
|
||||||
if [ "$router" != "$Q_ROUTER_NAME" ]; then
|
if [ "$router" != "$Q_ROUTER_NAME" ]; then
|
||||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
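Review bot: `KURYR_ETHERTYPE` is exported only inside configure_neutron_defaults, yet the commit also passes `--ethertype "$KURYR_ETHERTYPE"` in create_k8s_icmp_sg_rules and configure_overcloud_vm_k8s_svc_sg. If either of those runs in a shell where configure_neutron_defaults has not been called (not determinable from this page), the `security group rule create` command receives an empty ethertype argument. Deriving the variable next to the `KURYR_IPV6` default in the settings file would remove the ordering dependency, and a comment above the `export` such as `# Address family used for every security group rule created by this plugin` would document the coupling. configure_neutron_defaults begins and ends outside this hunk.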
@ -330,14 +338,14 @@ function configure_neutron_defaults {
|
|||||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
security group rule create --project "$project_id" \
|
security group rule create --project "$project_id" \
|
||||||
--description "k8s service subnet allowed" \
|
--description "k8s service subnet allowed" \
|
||||||
--remote-ip "$service_cidr" --ethertype IPv4 --protocol tcp \
|
--remote-ip "$service_cidr" --ethertype "$KURYR_ETHERTYPE" --protocol tcp \
|
||||||
"$service_pod_access_sg_id"
|
"$service_pod_access_sg_id"
|
||||||
# Since Octavia supports also UDP load balancing, we need to allow
|
# Since Octavia supports also UDP load balancing, we need to allow
|
||||||
# also udp traffic
|
# also udp traffic
|
||||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
security group rule create --project "$project_id" \
|
security group rule create --project "$project_id" \
|
||||||
--description "k8s service subnet UDP allowed" \
|
--description "k8s service subnet UDP allowed" \
|
||||||
--remote-ip "$service_cidr" --ethertype IPv4 --protocol udp \
|
--remote-ip "$service_cidr" --ethertype "$KURYR_ETHERTYPE" --protocol udp \
|
||||||
"$service_pod_access_sg_id"
|
"$service_pod_access_sg_id"
|
||||||
|
|
||||||
if [[ "$KURYR_K8S_OCTAVIA_MEMBER_MODE" == "L3" ]]; then
|
if [[ "$KURYR_K8S_OCTAVIA_MEMBER_MODE" == "L3" ]]; then
|
||||||
@ -365,14 +373,14 @@ function configure_neutron_defaults {
|
|||||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
security group rule create --project "$project_id" \
|
security group rule create --project "$project_id" \
|
||||||
--description "k8s pod subnet allowed from k8s-pod-subnet" \
|
--description "k8s pod subnet allowed from k8s-pod-subnet" \
|
||||||
--remote-ip "$pod_cidr" --ethertype IPv4 --protocol tcp \
|
--remote-ip "$pod_cidr" --ethertype "$KURYR_ETHERTYPE" --protocol tcp \
|
||||||
"$octavia_pod_access_sg_id"
|
"$octavia_pod_access_sg_id"
|
||||||
# Since Octavia supports also UDP load balancing, we need to allow
|
# Since Octavia supports also UDP load balancing, we need to allow
|
||||||
# also udp traffic
|
# also udp traffic
|
||||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
security group rule create --project "$project_id" \
|
security group rule create --project "$project_id" \
|
||||||
--description "k8s pod subnet allowed from k8s-pod-subnet" \
|
--description "k8s pod subnet allowed from k8s-pod-subnet" \
|
||||||
--remote-ip "$pod_cidr" --ethertype IPv4 --protocol udp \
|
--remote-ip "$pod_cidr" --ethertype "$KURYR_ETHERTYPE" --protocol udp \
|
||||||
"$octavia_pod_access_sg_id"
|
"$octavia_pod_access_sg_id"
|
||||||
if [ -n "$sg_ids" ]; then
|
if [ -n "$sg_ids" ]; then
|
||||||
sg_ids+=",${octavia_pod_access_sg_id}"
|
sg_ids+=",${octavia_pod_access_sg_id}"
|
||||||
@ -399,7 +407,7 @@ function configure_neutron_defaults {
|
|||||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
security group rule create --project "$project_id" \
|
security group rule create --project "$project_id" \
|
||||||
--description "allow all ingress traffic" \
|
--description "allow all ingress traffic" \
|
||||||
--ethertype IPv4 --ingress --protocol any \
|
--ethertype "$KURYR_ETHERTYPE" --ingress --protocol any \
|
||||||
"$allow_all_sg_id"
|
"$allow_all_sg_id"
|
||||||
if [ -n "$sg_ids" ]; then
|
if [ -n "$sg_ids" ]; then
|
||||||
sg_ids+=",${allow_all_sg_id}"
|
sg_ids+=",${allow_all_sg_id}"
|
||||||
@ -885,7 +893,7 @@ function configure_overcloud_vm_k8s_svc_sg {
|
|||||||
awk '{if ($2=="default") print $1}')
|
awk '{if ($2=="default") print $1}')
|
||||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
security group rule create --project "$project_id" \
|
security group rule create --project "$project_id" \
|
||||||
--dst-port "$dst_port" "$security_group"
|
--dst-port "$dst_port" --ethertype "$KURYR_ETHERTYPE" "$security_group"
|
||||||
openstack port set "$KURYR_OVERCLOUD_VM_PORT" --security-group service_pod_access
|
openstack port set "$KURYR_OVERCLOUD_VM_PORT" --security-group service_pod_access
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -924,6 +932,9 @@ function update_tempest_conf_file {
|
|||||||
if [[ "$KURYR_CONFIGMAP_MODIFIABLE" == "True" ]]; then
|
if [[ "$KURYR_CONFIGMAP_MODIFIABLE" == "True" ]]; then
|
||||||
iniset $TEMPEST_CONFIG kuryr_kubernetes configmap_modifiable True
|
iniset $TEMPEST_CONFIG kuryr_kubernetes configmap_modifiable True
|
||||||
fi
|
fi
|
||||||
|
if [[ "$KURYR_IPV6" == "True" ]]; then
|
||||||
|
iniset $TEMPEST_CONFIG kuryr_kubernetes ipv6 True
|
||||||
|
fi
|
||||||
iniset $TEMPEST_CONFIG kuryr_kubernetes validate_crd True
|
iniset $TEMPEST_CONFIG kuryr_kubernetes validate_crd True
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -102,3 +102,5 @@ KURYR_CONTAINERS_USE_LOWER_CONSTRAINTS=${KURYR_CONTAINERS_USE_LOWER_CONSTRAINTS:
|
|||||||
|
|
||||||
# Kuryr overcloud VM port's name
|
# Kuryr overcloud VM port's name
|
||||||
KURYR_OVERCLOUD_VM_PORT=${KURYR_OVERCLOUD_VM_PORT:-port0}
|
KURYR_OVERCLOUD_VM_PORT=${KURYR_OVERCLOUD_VM_PORT:-port0}
|
||||||
|
|
||||||
|
KURYR_IPV6=${KURYR_IPV6:-False}
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from functools import partial
|
from functools import partial
|
||||||
|
import ipaddress
|
||||||
import os
|
import os
|
||||||
|
|
||||||
from debtcollector import removals
|
from debtcollector import removals
|
||||||
@ -82,6 +83,9 @@ def setup_kubernetes_client():
|
|||||||
# K8s Pods.
|
# K8s Pods.
|
||||||
host = os.environ['KUBERNETES_SERVICE_HOST']
|
host = os.environ['KUBERNETES_SERVICE_HOST']
|
||||||
port = os.environ['KUBERNETES_SERVICE_PORT_HTTPS']
|
port = os.environ['KUBERNETES_SERVICE_PORT_HTTPS']
|
||||||
|
addr = ipaddress.ip_address(host)
|
||||||
|
if addr.version == 6:
|
||||||
|
host = '[%s]' % host
|
||||||
api_root = "https://%s:%s" % (host, port)
|
api_root = "https://%s:%s" % (host, port)
|
||||||
_clients[_KUBERNETES_CLIENT] = k8s_client.K8sClient(api_root)
|
_clients[_KUBERNETES_CLIENT] = k8s_client.K8sClient(api_root)
|
||||||
|
|
||||||
|
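Review bot: `ipaddress.ip_address(host)` in setup_kubernetes_client raises `ValueError` for anything that is not an IP literal, so a `KUBERNETES_SERVICE_HOST` holding a DNS name would now abort client setup where the old code built the URL without complaint. Whether a hostname can appear there depends on the deployment and is not visible on this page, but the bracket logic only needs to know whether the value is an IPv6 literal. The sketch below catches the parse failure and leaves a non-literal host untouched. The function starts outside this hunk.

```python
host = os.environ['KUBERNETES_SERVICE_HOST']
# … unchanged: port lookup …
try:
    addr = ipaddress.ip_address(host)
except ValueError:
    # Not an IP literal (e.g. a DNS name): use it as given.
    addr = None
if addr is not None and addr.version == 6:
    # IPv6 literals must be bracketed inside a URL authority.
    host = '[%s]' % host
```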