octavia: Make Octavia ready devstack
This patch changes the main sample devstack local.conf to use Octavia. In order for that to work, it makes some security group changes to ensure that the communication from the LB to the members will work in both L2 and L3 modes. In L2 mode, which is the default behavior after this patch but not the default behavior we'll choose going forward, Octavia creates a pod_subnet port for each Load Balancer with the 'default' security group of the 'admin' project. This means that its traffic would not be allowed by the members, since they use the 'default' security group from the 'k8s' project. In L3 mode, Octavia does not create a port in the members' subnet and relies on the service and the pod subnet being connected to the same router. Some changes are necessary in the lbaas handler for that and they'll come in a follow-up patch. In case developers want to try it, I added a security group that allows the service subnet into the pod subnet. Partially-Implements: blueprint octavia-support Change-Id: I993ebb0d7b82ad1140d752982013bbadf35dfef7 Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
parent
3cba3eb009
commit
653cde084b
@ -35,11 +35,47 @@ enable_service q-dhcp
|
|||||||
enable_service q-l3
|
enable_service q-l3
|
||||||
enable_service q-svc
|
enable_service q-svc
|
||||||
|
|
||||||
# LBaaSv2 service and Haproxy agent
|
KURYR_K8S_LBAAS_USE_OCTAVIA=True
|
||||||
enable_plugin neutron-lbaas \
|
|
||||||
git://git.openstack.org/openstack/neutron-lbaas
|
# Currently only L2 connection from LB to members is supported
|
||||||
enable_service q-lbaasv2
|
KURYR_K8S_OCTAVIA_MEMBER_MOD=L2
|
||||||
NEUTRON_LBAAS_SERVICE_PROVIDERV2="LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default"
|
|
||||||
|
if [[ "$KURYR_K8S_LBAAS_USE_OCTAVIA" == "True" ]]; then
|
||||||
|
# Octavia LBaaSv2
|
||||||
|
LIBS_FROM_GIT+=python-octaviaclient
|
||||||
|
enable_plugin octavia https://git.openstack.org/openstack/octavia
|
||||||
|
enable_service octavia
|
||||||
|
enable_service o-api
|
||||||
|
enable_service o-cw
|
||||||
|
enable_service o-hm
|
||||||
|
enable_service o-hk
|
||||||
|
## Octavia Deps
|
||||||
|
### Image
|
||||||
|
### Barbican
|
||||||
|
enable_plugin barbican https://git.openstack.org/openstack/barbican
|
||||||
|
### Nova
|
||||||
|
enable_service n-api
|
||||||
|
enable_service n-api-meta
|
||||||
|
enable_service n-cpu
|
||||||
|
enable_service n-cond
|
||||||
|
enable_service n-sch
|
||||||
|
enable_service placement-api
|
||||||
|
enable_service placement-client
|
||||||
|
### Glance
|
||||||
|
enable_service g-api
|
||||||
|
enable_service g-reg
|
||||||
|
### Neutron-lbaas
|
||||||
|
#### In case Octavia is older than Pike, neutron-lbaas is needed
|
||||||
|
enable_plugin neutron-lbaas \
|
||||||
|
git://git.openstack.org/openstack/neutron-lbaas
|
||||||
|
enable_service q-lbaasv2
|
||||||
|
else
|
||||||
|
# LBaaSv2 service and Haproxy agent
|
||||||
|
enable_plugin neutron-lbaas \
|
||||||
|
git://git.openstack.org/openstack/neutron-lbaas
|
||||||
|
enable_service q-lbaasv2
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Keystone
|
# Keystone
|
||||||
enable_service key
|
enable_service key
|
||||||
@ -139,3 +175,15 @@ enable_service kubelet
|
|||||||
# part of the codebase that connects to the Kubernetes API server to read the
|
# part of the codebase that connects to the Kubernetes API server to read the
|
||||||
# resource events and convert them to Neutron actions
|
# resource events and convert them to Neutron actions
|
||||||
enable_service kuryr-kubernetes
|
enable_service kuryr-kubernetes
|
||||||
|
|
||||||
|
# Increase Octavia amphorae timeout so that the first LB amphora has time to
|
||||||
|
# build and boot
|
||||||
|
if [[ "$KURYR_K8S_LBAAS_USE_OCTAVIA" == "True" ]]; then
|
||||||
|
IMAGE_URLS+=",http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img"
|
||||||
|
else
|
||||||
|
NEUTRON_LBAAS_SERVICE_PROVIDERV2="LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default"
|
||||||
|
fi
|
||||||
|
|
||||||
|
[[post-config|$OCTAVIA_CONF_DIR/octavia.conf]]
|
||||||
|
[controller_worker]
|
||||||
|
amp_active_retries=9999
|
||||||
|
@ -206,9 +206,6 @@ function configure_neutron_defaults {
|
|||||||
pod_subnet_id="$(neutron subnet-show -c id -f value \
|
pod_subnet_id="$(neutron subnet-show -c id -f value \
|
||||||
"${KURYR_NEUTRON_DEFAULT_POD_SUBNET}")"
|
"${KURYR_NEUTRON_DEFAULT_POD_SUBNET}")"
|
||||||
|
|
||||||
sg_ids=$(echo $(neutron security-group-list \
|
|
||||||
--project-id "$project_id" -c id -f value) | tr ' ' ',')
|
|
||||||
|
|
||||||
create_k8s_subnet "$project_id" \
|
create_k8s_subnet "$project_id" \
|
||||||
"$KURYR_NEUTRON_DEFAULT_SERVICE_NET" \
|
"$KURYR_NEUTRON_DEFAULT_SERVICE_NET" \
|
||||||
"$KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET" \
|
"$KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET" \
|
||||||
@ -217,6 +214,52 @@ function configure_neutron_defaults {
|
|||||||
service_subnet_id="$(neutron subnet-show -c id -f value \
|
service_subnet_id="$(neutron subnet-show -c id -f value \
|
||||||
"${KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET}")"
|
"${KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET}")"
|
||||||
|
|
||||||
|
sg_ids=$(echo $(neutron security-group-list \
|
||||||
|
--project-id "$project_id" -c id -f value) | tr ' ' ',')
|
||||||
|
|
||||||
|
local use_octavia
|
||||||
|
use_octavia=$(trueorfalse True KURYR_K8S_LBAAS_USE_OCTAVIA)
|
||||||
|
if [[ "$use_octavia" == "True" && \
|
||||||
|
"$KURYR_K8S_OCTAVIA_MEMBER_MODE" == "L3" ]]; then
|
||||||
|
# In order for the pods to allow service traffic under Octavia, it is
|
||||||
|
# necessary for the service subnet to be allowe d into the $sg_ids
|
||||||
|
local service_cidr
|
||||||
|
local service_pod_access_sg_id
|
||||||
|
service_cidr=$(openstack --os-cloud devstack-admin \
|
||||||
|
--os-region "$REGION_NAME" subnet show \
|
||||||
|
"${KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET}" -f value -c cidr)
|
||||||
|
service_pod_access_sg_id=$(openstack --os-cloud devstack-admin \
|
||||||
|
--os-region "$REGION_NAME" \
|
||||||
|
security group create --project "$project_id" \
|
||||||
|
service_pod_access -f value -c id)
|
||||||
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
|
security group rule create --project "$project_id" \
|
||||||
|
--description "k8s service subnet allowed" \
|
||||||
|
--remote-ip "$service_cidr" --ethertype IPv4 --protocol tcp \
|
||||||
|
"$service_pod_access_sg_id"
|
||||||
|
sg_ids+=",${service_pod_access_sg_id}"
|
||||||
|
elif [[ "$use_octavia" == "True" && \
|
||||||
|
"$KURYR_K8S_OCTAVIA_MEMBER_MODE" == "L2" ]]; then
|
||||||
|
# In case the member connectivity is L2, we'll create a security group
|
||||||
|
# for that too, which means allowing all access from the pod subnet range
|
||||||
|
# as Octavia by default uses the admin 'default' sg for the member ports
|
||||||
|
local pod_cidr
|
||||||
|
local pod_pod_access_sg_id
|
||||||
|
pod_cidr=$(openstack --os-cloud devstack-admin \
|
||||||
|
--os-region "$REGION_NAME" subnet show \
|
||||||
|
"${KURYR_NEUTRON_DEFAULT_POD_SUBNET}" -f value -c cidr)
|
||||||
|
pod_pod_access_sg_id=$(openstack --os-cloud devstack-admin \
|
||||||
|
--os-region "$REGION_NAME" \
|
||||||
|
security group create --project "$project_id" \
|
||||||
|
pod_pod_access -f value -c id)
|
||||||
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
|
security group rule create --project "$project_id" \
|
||||||
|
--description "k8s pod subnet allowed from other sg" \
|
||||||
|
--remote-ip "$pod_cidr" --ethertype IPv4 --protocol tcp \
|
||||||
|
"$pod_pod_access_sg_id"
|
||||||
|
sg_ids+=",${pod_pod_access_sg_id}"
|
||||||
|
fi
|
||||||
|
|
||||||
iniset "$KURYR_CONFIG" neutron_defaults project "$project_id"
|
iniset "$KURYR_CONFIG" neutron_defaults project "$project_id"
|
||||||
iniset "$KURYR_CONFIG" neutron_defaults pod_subnet "$pod_subnet_id"
|
iniset "$KURYR_CONFIG" neutron_defaults pod_subnet "$pod_subnet_id"
|
||||||
iniset "$KURYR_CONFIG" neutron_defaults pod_security_groups "$sg_ids"
|
iniset "$KURYR_CONFIG" neutron_defaults pod_security_groups "$sg_ids"
|
||||||
|
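Review bot: The new if/elif on `$use_octavia` and `$KURYR_K8S_OCTAVIA_MEMBER_MODE` has no else, so an unsupported or misspelled mode (for example `l3`, or the `KURYR_K8S_OCTAVIA_MEMBER_MOD` spelling used in the sample local.conf) is silently accepted and the pods get no rule admitting load-balancer traffic, which only shows up later as opaque LB timeouts. I would add `elif [[ "$use_octavia" == "True" ]]; then die $LINENO "Unsupported KURYR_K8S_OCTAVIA_MEMBER_MODE: $KURYR_K8S_OCTAVIA_MEMBER_MODE"` before the `fi`, using devstack's `die` helper. Both rules are `--protocol tcp` with no port range and a `--remote-ip` CIDR rather than a remote group, so in L2 mode every TCP port on every pod is reachable from any port that lands in the pod subnet, not just Octavia's, while UDP is not admitted at all; that is a defensible devstack trade-off, but the code should say so, e.g. `# NOTE: CIDR-wide and all-TCP because the LB port lives in the admin project, so --remote-group cannot be used; not suitable for production`. Note also that `security group create` is not idempotent, so re-running configure_neutron_defaults against an existing deployment creates a second `service_pod_access`/`pod_pod_access` group instead of reusing the first; the function itself begins and ends outside this hunk.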
@ -41,5 +41,9 @@ KURYR_K8S_API_CERT=${KURYR_K8S_API_CERT:-}
|
|||||||
KURYR_K8S_API_KEY=${KURYR_K8S_API_KEY:-}
|
KURYR_K8S_API_KEY=${KURYR_K8S_API_KEY:-}
|
||||||
KURYR_K8S_API_CACERT=${KURYR_K8S_API_CACERT:-}
|
KURYR_K8S_API_CACERT=${KURYR_K8S_API_CACERT:-}
|
||||||
|
|
||||||
|
# Octavia
|
||||||
|
KURYR_K8S_LBAAS_USE_OCTAVIA=${KURYR_K8S_LBAAS_USE_OCTAVIA:-True}
|
||||||
|
KURYR_K8S_OCTAVIA_MEMBER_MODE=${KURYR_K8S_OCTAVIA_MEMBER_MODE:-L2}
|
||||||
|
|
||||||
# Kuryr_ovs_baremetal
|
# Kuryr_ovs_baremetal
|
||||||
KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE=${KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE:-True}
|
KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE=${KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE:-True}
|
||||||
|
@ -51,6 +51,19 @@ Edit ``kuryr.conf``::
|
|||||||
project = {id_of_project}
|
project = {id_of_project}
|
||||||
service_subnet = {id_of_subnet_for_k8s_services}
|
service_subnet = {id_of_subnet_for_k8s_services}
|
||||||
|
|
||||||
|
Note that the service_subnet and the pod_subnet *should be routable* and that
|
||||||
|
the pods should allow service subnet access. This means that:
|
||||||
|
|
||||||
|
* There should be a router between the two subnets.
|
||||||
|
* The pod_security_groups setting should include a security group with a rule
|
||||||
|
granting access to all the CIDR or the service subnet.
|
||||||
|
|
||||||
|
If you want to use two non-routed subnets you can:
|
||||||
|
|
||||||
|
* Use Octavia as the neutron LBaaSv2 implementation. Octavia will create a port
|
||||||
|
in the pod subnet for each Load Balancer that it creates. This means that you
|
||||||
|
should take it into account when sizing the pod subnet.
|
||||||
|
|
||||||
Run kuryr-k8s-controller::
|
Run kuryr-k8s-controller::
|
||||||
|
|
||||||
$ kuryr-k8s-controller --config-file /etc/kuryr/kuryr.conf -d
|
$ kuryr-k8s-controller --config-file /etc/kuryr/kuryr.conf -d
|
||||||
|