The listener timeouts are constantly updated with
Octavia default values, even if no annotation was
updated on the respective Service. The constant
execution of this task causes the Load Balancer
to be stuck in PENDING_UPDATE status. This commit
fixes the issue by ensuring the listener values
are only added to the CR once there were annotation
changes; it also enforces that the default values used
when the field does not exist are the same.
Change-Id: Id93ac76550761398c853ebfd03ac2e59667e0e06
Closes-Bug: 1923605
This patch fixes the bug in which kuryr-controller crashes after the
status field is deleted.
So we need to check if the status field is missing and add it to the
crd.
I also added fixes for other parts of the code where a similar problem
could probably occur in the future if some parts of the CRD
were missing.
Closes-Bug: #1921109
Change-Id: Ib195aa4389e310354f163d3ba474eddea18c4f51
For the OVN Octavia provider we need to include the service subnet as well,
otherwise we will end up with no connectivity to services from pods where
a network policy which defines egress to all namespaces was applied.
Change-Id: Ic1d1803c178a9b8375f2a08e021f0a046fd7ff02
Related-Bug: 1915008
The code this patch removes was added in order to fix a problem of
additional KuryrPorts on upgrades. We shouldn't worry about it in
Wallaby as Victoria is free of the problem already.
Change-Id: If0fe68deb7ef6262f4331f0c262e3c2678cd508f
With the new docker download rate limitation, we should update Kuryr-kubernetes documentation to move from celebdor/kuryr-demo container image to quay.io/kuryr/demo.
closes-bug: 1920022
Change-Id: I93bbe01c156bb3d77f9155d5db34be4bc2faa9fe
We should allow Pods Network MTU to be smaller than the
MTU of the Host VM to address scenarios like Nodes Network
being a provider network, while Pods Network is a Tenant
Network. This commit fixes the issue by allowing binding
of VIFs with MTU smaller than the Nodes.
Change-Id: Ibadcd07824702ff1160a4a1d6d10313c15910dea
Add file to the reno documentation build to show release notes for
stable/wallaby.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.
Sem-Ver: feature
Change-Id: I09330e8b98e14599ee39c6e49e78682ef90710ca
To fight the problem of VLAN ID conflicts in nested VLAN driver mostly
caused by CRIs not cleaning up network namespaces we've introduced a
nuclear option - i.e. when problem happens we iterate over all
network namespaces and delete any interface with a conflicting VLAN ID.
There are several issues with this code:
1. It's only compatible with cri-o in a mode in which it manages network
namespaces on its own. Moreover it's required that namespaces are
placed in a standard location (/var/run/netns). It won't work if
network namespaces are bound to processes and placed in
/proc/<pid>/ns/net.
2. It only compares VLAN ID of the subinterface and not the primary
interface that this subinterface belongs to. On setups with
complicated networking it may mean removing unrelated interfaces.
3. If the operation was retried successfully it will still raise the
NetlinkError adding an unnecessary traceback to the logs and forcing
an unnecessary CNI request retry.
This commit attempts to fix all those problems by supporting iterating
over /proc/<pid>/ns/net netns paths, making sure to only delete
interfaces when its parent matches [binding]link_iface and making sure
we return success if retrying binding after removing interface
succeeded.
Depends-On: I9a45a5379d1c47cdf67b9c6d3d0409a88501e61e
Change-Id: I9fe017a287fb4a0dca4ffe5b5154bdd068abc04c
Related-Bug: 1892388
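
The selection and retry behaviour this commit message describes, as an added Python example that is not code from the Kuryr repository. The interface records, the function names and the use of `OSError` with `EEXIST` in place of the NetlinkError are assumptions made for illustration.

```python
import errno

# Constructed sample: VLAN subinterfaces left behind in container network
# namespaces, covering both netns path styles named in the commit message.
LEFTOVERS = [
    {"netns": "/var/run/netns/cni-1111", "ifname": "eth0", "vlan_id": 105, "parent": "ens3"},
    {"netns": "/proc/4242/ns/net", "ifname": "eth0", "vlan_id": 105, "parent": "ens3"},
    {"netns": "/proc/4300/ns/net", "ifname": "net1", "vlan_id": 105, "parent": "ens7"},
    {"netns": "/var/run/netns/cni-2222", "ifname": "eth0", "vlan_id": 200, "parent": "ens3"},
]


def vlan_only_matches(links, vlan_id):
    """Selection criticised in issue 2: the VLAN ID is the only criterion."""
    return [l for l in links if l["vlan_id"] == vlan_id]


def scoped_matches(links, vlan_id, link_iface):
    """Selection described by the fix: VLAN ID and parent must both match."""
    return [l for l in links
            if l["vlan_id"] == vlan_id and l["parent"] == link_iface]


def bind_with_cleanup(bind, links, vlan_id, link_iface):
    """Try bind(); on a VLAN conflict remove scoped leftovers and retry once.

    Returns (result, removed). A successful retry returns normally, so no
    exception reaches the caller and no CNI retry is forced (issue 3).
    """
    try:
        return bind(), []
    except OSError as exc:  # assumption: stand-in for the NetlinkError
        if exc.errno != errno.EEXIST:
            raise
    removed = scoped_matches(links, vlan_id, link_iface)
    for link in removed:
        # A real driver would delete the interface inside link["netns"].
        links.remove(link)
    return bind(), removed


def make_bind(links, vlan_id, link_iface):
    """Hypothetical bind that fails while the VLAN ID is taken on the parent."""
    def bind():
        if scoped_matches(links, vlan_id, link_iface):
            raise OSError(errno.EEXIST, "VLAN ID already in use")
        return "bound"
    return bind
```

With the sample data, matching on VLAN ID alone would also select the interface whose parent is `ens7`, which the scoped selection leaves in place.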
This forces the golang modules that we don't support to be off. It's
important to allow kuryr-cni to be built with go 1.16 where
modules are on by default.
Change-Id: I058ab8d9e5e7df37efeee278ff4652de5f6861f3
This patch fixes the bug in which there was a problem
deleting pools without members. Instead of deleting pools,
kuryr-controller was restarting because of this.
More information about this bug on:
Change-Id: If7e6066a75ddce9439649e7bf8b749efecfde1c6
Closes-Bug: #1920178
The timeout-client-data and timeout-member-data configurations
for Octavia listeners default to 50 seconds for load balancers
created by Kuryr. This patch allows the creation and modification
of load balancers handled by Kuryr with different timeout values.
Implements: blueprint configure-lb-listeners-timeout
Change-Id: I99016001c2263023d1fa2637d7b5aeb23b3b2d9d
The OVN jobs tempest-containerized-ovn-provider-ovn
and tempest-containerized-ovn-ipv6 have been green for
a while so we should move them to voting.
Change-Id: I2bd8ddd81c874005f0eea2059c006f4095276223
This commit makes sure DevStack plugin is able to run with dual stack
and create 2 subnetpools, 2 service subnets and 2 pod subnets. The K8s
is also configured with that.
Implements: blueprint dual-stack
Change-Id: I9c53bc4dd3529a48f5ba1ab77268d6a984a84808
When retrieving a Subnet for creating the LB member with OVN
for a SVC without selector, only the subnet is retrieved
when it should be the subnet and the cidr, as it's needed
to verify whether the member ip is present on the cidr.
This commit fixes the issue by calling the correct method.
Change-Id: I3288d849d1ad427b837cda2e07a8c971237cb303
Closes-bug: 1917557
The SCTP version check was placed above the else block of
Octavia-tags version check, this patch fixes that.
Change-Id: Icef8645baa7cba731b76814abdb63be556172ef7
In case the kuryrnetwork_population handler is enabled
and a Namespace creation was triggered, it's possible that
the kuryrnetwork_population handler attempts to do its job
before the KuryrNetwork handles the CR update with status field.
This commit fixes this race by skipping the event for the
kuryrnetwork_population when no 'status' is present and
modifying the event to be handled on an on_present operation
since the on_added would only be triggered once.
Closes-bug: 1916544
Change-Id: I7221c67990a3dd6974ea362d209390c716540ceb
The Namespace handler requires that the KuryrNetwork CRD
is created on the cluster instead of the old KuryrNet CRD.
This commit fixes the issue by checking if the KuryrNetwork
is enforced.
Closes-bug: 1916595
Change-Id: I1a5e19021c9dc7e8ddbb1898c23a4ed934497b2c
Seems like we misunderstood the NP API reference and default the
protocol to TCP when creating SGs for NPs that are supposed to open all
traffic. That is incorrect and we should not specify a protocol in such
cases. This commit fixes that.
Change-Id: Ie7936555ac794f10443e48908b7b5b2494525b7c
Closes-Bug: 1914380
When moving from annotation to CRD, compatibility code was added
to allow users to upgrade from ussuri to victoria version. Now we are going
to upgrade to wallaby, so everyone should already use CRD and we
can remove the code.
Change-Id: I2acea7f6b3e1f02edd89f2f08127065a6556d367
Turns out there's an OpenShift mode where it's required to actually
hardcode a worker_nodes_subnet as some nodes do not have the Machine
objects. This commit solves that by making sure that
[pod_vif_nested]worker_nodes_subnets are also added to whatever the
OpenShiftNodesSubnets driver detects.
Change-Id: I7e08062473efeaba67a38ab0b2451626df77def8
For the simple case, when an operator wants to open connection to all the
namespaces in the cluster, i.e.:

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: networkpolicy-example
    spec:
      podSelector: {}
      policyTypes:
      - Egress
      - Ingress
      egress:
      - to:
        - namespaceSelector: {}

there was a false assumption that we need to open it without any
restriction, while the truth is that all we need to do is to open
egress network to all the namespaces within the cluster.
Change-Id: Ibea039fa9c3b46b83e99237ce2ceb03f02d50727
Closes-Bug: 1915008
When populating the pool the Network and Subnet need
to be retrieved for all the active Ports not in use;
this operation is costly and takes a while to finish,
causing the controller to be in CrashLoop. This commit
fixes the issue by gathering the Network and Subnet info
from a CR that might already exist with the needed Network.
Change-Id: If47b38042c354f05894ab04e2bd47139b95c5f31
In order to reduce the load when requesting a number of ports
for the pre-population the number of ports to be requested
is divided by 2. However, that division can result in a
float number which does not allow the pre-population to finalize.
This commit fixes the issue by retrieving the integer part of the
division.
Closes-bug: 1915214
Change-Id: I72d5f4e606d51b2e24703031c3d7fecaa0153c23
Network policy parse_network_policy_rules is used only within the
NetworkPolicyDriver class. Let's make it private, as it should be.
Also, changed layout of the code a bit, just to easily distinguish
between helper methods from signature of the class.
Change-Id: Ic13393c841f04e6748f3fe716656cb5a8b3dcd71
We mostly assumed that trunk ports are only used by Kuryr in an
OpenStack env but sometimes it's not true. This commit adds some checks
to make sure we list trunk ports in a smarter way (checking if they
match the worker_nodes_subnets) and operate on them in a safer way
(checking if they even have IPs).
Change-Id: I3257e263b53bb9f38946ca9cff6a1be5448dec00
Closes-Bug: 1914631