For Neutron networks and subnets, add an identifier (which originates from
tags) to the description field as a workaround for the inability to create
tagged resources in an atomic way. This change might be reverted when
Neutron gains such ability.
Depends-On: https://review.opendev.org/c/openstack/kuryr-tempest-plugin/+/841107
Change-Id: I1750a0b6ae569752b44a4fe682288686868450fe
During removal of Neutron resources, sometimes there could be hanging
orphaned ports. Till now, all the removal was done one by one, which
slows down the removal process. This change introduces removing
ports in parallel in five concurrently running workers.
Change-Id: I74842989784601325b6d8977da4bc936ceedbc0e
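As an added example (not kuryr-kubernetes code), the following shows the shape of such a worker pool: leftover ports are deleted by five threads, a port that is already gone counts as done, and a port that cannot be deleted is reported back instead of aborting the whole batch. FakeNeutronClient, ResourceNotFound and delete_ports_parallel are names assumed for this illustration, and the port ids are constructed.

```python
"""Added example, not kuryr-kubernetes code: remove leftover ports with a
small pool of workers instead of one by one.  FakeNeutronClient,
ResourceNotFound and delete_ports_parallel are assumed names."""
import logging
import threading
import time
from concurrent.futures import ThreadPoolExecutor

LOG = logging.getLogger(__name__)
WORKERS = 5  # number of concurrent deletions, as in the commit above


class ResourceNotFound(Exception):
    """Assumed stand-in for the SDK's 'not found' error."""


class FakeNeutronClient:
    """Constructed in-memory stand-in for the Neutron API.

    delete_port() removes a port id, raises ResourceNotFound for unknown
    ids and RuntimeError for ids listed in `stuck` (think of a port that is
    still attached to a trunk).  It also records the peak number of
    concurrent callers so the degree of parallelism can be checked.
    """

    def __init__(self, port_ids, stuck=()):
        self._ports = set(port_ids)
        self._stuck = set(stuck)
        self._lock = threading.Lock()
        self._active = 0
        self.peak_concurrency = 0

    def delete_port(self, port_id):
        with self._lock:
            self._active += 1
            self.peak_concurrency = max(self.peak_concurrency, self._active)
        try:
            time.sleep(0.01)  # simulate API latency
            with self._lock:
                if port_id in self._stuck:
                    raise RuntimeError("port %s is still in use" % port_id)
                if port_id not in self._ports:
                    raise ResourceNotFound(port_id)
                self._ports.remove(port_id)
        finally:
            with self._lock:
                self._active -= 1

    def remaining(self):
        return set(self._ports)


def _delete_one(client, port_id):
    """Delete a single port without raising, so one failure does not abort
    the rest of the batch.  Returns (port_id, error_or_None)."""
    try:
        client.delete_port(port_id)
    except ResourceNotFound:
        LOG.debug("Port %s already gone, nothing to do", port_id)
    except Exception as exc:
        LOG.warning("Could not delete port %s: %s", port_id, exc)
        return port_id, exc
    return port_id, None


def delete_ports_parallel(client, port_ids, workers=WORKERS):
    """Delete port_ids using `workers` threads.  Returns (deleted, failed),
    where failed maps port id -> exception for the caller to retry later."""
    deleted, failed = [], {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for port_id, err in pool.map(lambda p: _delete_one(client, p), port_ids):
            if err is None:
                deleted.append(port_id)
            else:
                failed[port_id] = err
    return deleted, failed
```

Reporting failures per port rather than raising on the first one matters for cleanup paths: the caller can log what is left behind and retry on the next namespace deletion event instead of crashing the controller.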
Currently, creating a network and/or subnet depends heavily on tags.
There could be an issue with selecting the right network when a tag is set in
the configuration, while it fails on actually tagging the network or subnet. In
that case it might happen that multiple untagged subnets would be
created, while only one is expected. In this patch we introduce adding the
unique UID from the Kubernetes namespace into the Neutron network description
field, so that it indicates only one specific namespace, so that
there shouldn't be a collision with other k8s deployments within the same
OpenStack cloud, regardless of the tag.
Depends-On: https://review.opendev.org/c/openstack/kuryr-tempest-plugin/+/835245
Change-Id: Id68da7932be66d339119ed92b870c8f7538afb15
In OpenStack Neutron and Octavia, names and descriptions of objects
are limited to 255 characters, while on Kubernetes names are limited
to 253 characters. Kuryr often creates names for networks and
subnets using the Kubernetes object name with an additional prefix and suffix,
which may exceed the allowed character limit. In this patch a
solution for this issue is proposed by simply truncating the Kubernetes resource
name, while keeping prefix and suffix intact, to fit the Neutron name
limit.
Change-Id: I6e404104034f11593fc313797ad464458bbdf82d
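The following added example (not kuryr-kubernetes code) illustrates the two commits above together: it builds the Neutron name for a namespace network by truncating only the Kubernetes name so that prefix + name + suffix fits the 255-character limit, puts the namespace UID into the description, and then selects the network by that UID rather than by tag or name, which is what avoids the collision between two clusters that use the same namespace name and the same tag. The name and description layouts, the helper names and all sample data are assumed or constructed for this illustration.

```python
"""Added example, not kuryr-kubernetes code.  The "ns/" prefix, "-net"
suffix and "kuryr-namespace:<uid>" description layout are assumed."""

NEUTRON_NAME_LIMIT = 255  # Neutron/Octavia name and description limit
K8S_NAME_LIMIT = 253      # Kubernetes object name limit


def fit_neutron_name(prefix, k8s_name, suffix, limit=NEUTRON_NAME_LIMIT):
    """Return prefix + k8s_name + suffix, truncating only the middle part so
    the result never exceeds `limit`.  Prefix and suffix stay intact."""
    room = limit - len(prefix) - len(suffix)
    if room < 0:
        raise ValueError("prefix and suffix alone exceed %d characters" % limit)
    return prefix + k8s_name[:room] + suffix


def namespace_description(ns_uid):
    """Assumed layout: the namespace UID is the unique part that lets Kuryr
    tell its own network apart from one created by another Kubernetes
    cluster that uses the same namespace name and the same tag."""
    return "kuryr-namespace:%s" % ns_uid


def network_spec(ns_name, ns_uid, tag=None):
    """Constructed request body for creating the namespace network."""
    spec = {
        "name": fit_neutron_name("ns/", ns_name, "-net"),
        "description": namespace_description(ns_uid),
    }
    if tag:
        spec["tags"] = [tag]
    return spec


def find_namespace_network(networks, ns_uid):
    """Pick the one network whose description carries this namespace's UID.

    `networks` is a list of dicts shaped like a Neutron network listing
    (keys 'id', 'name', 'description', 'tags').  Tags are deliberately not
    the selector: the network may exist while the tagging call failed, and
    another cluster in the same cloud may share the tag.  More than one
    match means something already went wrong, so it is reported, not hidden.
    """
    wanted = namespace_description(ns_uid)
    matches = [n for n in networks if n.get("description") == wanted]
    if len(matches) > 1:
        raise RuntimeError("expected one network for namespace %s, found %d"
                           % (ns_uid, len(matches)))
    return matches[0] if matches else None
```

Note that a name-plus-tag lookup over the constructed listing in the test matches two networks (two clusters, both with a "default" namespace and the same tag), while the UID lookup returns exactly one.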
No need to log the full traceback when we still have leftover ports on a
network we're attempting to delete. This commit decreases the log level
of that message to warning in order to skip the traceback.
Change-Id: I56b9d6b3d1d17b8c999788c26f01b8cb4d976760
This prevents Kuryr Controller from CrashLoopBackoff in the unexpected
case where the port is still part of the trunk during _cleanup_leftover_ports.
Change-Id: Ie3f75118a58094d6ca4287e1ffc0035d380d0584
We should allow the user to configure the MTU
for the namespace networks and for VIFs when
the bridge driver is used.
Change-Id: I1685e31825f15387b6486713ce007b62e915df28
Neutron clears device_owner when a port is detached. This means that with
pools we need to consider ports without device_owner set when doing
cleanup on namespace deletion.
Change-Id: Ic38015cba27d8418175027ec4e433df32eae4706
Namespace deletion can get stuck if not all the ports belonging
to the associated namespace networks are deleted.
This patch enforces proper clean-up of subports by:
- Ensuring no request/release VIF actions are processed until the pools
are recovered by the controller
- Ensuring that if there are subports left over when removing a namespace, those
are detached from the pool and deleted regardless of their status
Change-Id: I2cb1586fa1f88bab191af0ead22a2b8afca91a3b
This patch moves the namespace handling to be more aligned
with the k8s style.
Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250
Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
This reverts commit 7691e94ef3327e185d0157f83b9e75f9ef555346. The 0.41.0
version of openstacksdk is free of this issue. Also we still need to
keep the handle_neutron_errors for support of older openstacksdks.
Change-Id: I5bffda72cc8f1e348581ef38cb68cb8336e2af59
OpenStackSDK is raising an SDKException when a subnet does not
exist, causing the controller to continuously restart.
This commit protects from such a scenario by ignoring when
such an exception happens with a certain message.
Closes-bug: 1861314
Change-Id: I82238280a2924f1979c5b0b99399c4570093b360
When a namespace is created-deleted-created, the last namespace
creation event might notice that a KuryrNet CRD still exists,
as it can take a while for the previous deletion event to complete,
and will trigger another deletion, causing a NotFound SubPort
on Trunk error. This commit handles the exception by ignoring
the port deletion.
Change-Id: Id0683a00b2c90529e0106296b5f157cf6885388b
Closes-bug: 1854096
When a namespace is deleted, kuryr-controller is in charge of
deleting its associated openstack resources (net, subnet and ports)
as well as the associated KuryrNet CRD.
As removing OpenStack resources may take some time, if the
kuryr-controller is restarted for any reason during that
process, the resources will be left behind, as no new events for the
(already deleted) namespace will happen after the restart. This
patch fixes this problem by ensuring upon reboot that there are no
orphan KuryrNet CRDs for nonexistent namespaces, and deleting them
in case there are (including their associated OpenStack resources).
Closes-Bug: 1848761
Change-Id: I0c4852f5bb816756cc1bf536354da20aa3948dc7
This patch set increases the timeout to wait for resources to be
created/deleted. This is needed to better support spikes without
restarting the kuryr-controller. This patch also ensures that
future retry events are not affecting the kuryr controller if
they are retried once the related resources are already deleted,
i.e., the on_delete event was executed before one of the retries.
Closes-Bug: 1847753
Change-Id: I725ba22f0babf496af219a37e42e1c33b247308a
Changing exception logging to debug info. That is the expected
behavior when a pod is created right after creating the namespace,
since the namespace resources may take some time (seconds) to be
created. This ensures the user is not misled by the
kuryr-controller logs.
Change-Id: Ie8c5e22741015a3417c7ab143d3c6dd0b4b8062d
This patch ensures the on_present event of the vif handler is retried
if all the resources related to the namespace to which the pod belongs
are not yet created.
Change-Id: I1345cafffdd98077d23fd8b761c9527ff6316956
Closes-Bug: 1847085
If a lot of subnets are created at once, there is a chance that
Neutron will get the calls concurrently and fail. Internally Neutron
will retry, but it may happen that the limit on the number of retries
is also hit. Thus this patch ensures that scenario is caught and
reacted to.
Change-Id: I83d62616835f22e916bfe056e793eb31654be51f
In case of a kuryr-controller crash/restart while creating a namespace,
it may happen that some network resources are left over, as the kuryr
net crd was not yet created. This may lead to a waste of OpenStack
network resources (networks, subnets). This patch ensures the namespace
is cleaned up before creating the resources in case a previous attempt
was made without completing the kuryr net crd creation.
Change-Id: Iddc03090dc8a847abe4afa2bed0900f0c7cf6936
When the namespace subnet driver is used, a new subnet is created for
each new namespace. As pools are created per subnet, this patch
ensures that new ports are created for each pool for the new subnet
in the nested case.
Note this feature depends on using resource tagging to filter out
trunk ports in case of multiple clusters deployed on the same openstack
project or when other trunks are present. Otherwise it will consider
all the existing trunks, no matter whether they belong to the
kubernetes cluster or not.
NOTE: this is only for the nested case, where pooling shows the greatest
improvements, as ports are already ACTIVE.
Change-Id: Id014cf49da8d4cbe0c1795e47765fcf2f0684c09
If we consider a K8s cluster running on OpenStack VMs, which is a
perfect use case for Kuryr-Kubernetes, we can easily imagine creating
multiple clusters in a single OpenStack public or private cloud. In such a
use case those K8s clusters may come and go. As Kuryr is creating some
OpenStack resources, such as ports, networks, subnets, floating IPs or
SGs, it's useful to have a way of identifying those Kuryr-created
resources to delete them along with the K8s cluster that used them.
This commit makes that possible by adding an option to add a tag to all
Neutron resources created by Kuryr.
Change-Id: If75028e17d13ec62fb414fa9797ee7ac02d948d1
Implements: blueprint kuryr-resources-tagging
When reraising the exception with something like:

    try:
        (...)
    except Exception as ex:
        LOG.error("Error happened: %s", ex)
        raise ex

we lose the initial traceback information. This makes debugging
significantly harder. This commit removes such occurrences and converts
most cases to something like:

    try:
        (...)
    except Exception:
        LOG.exception("Error happened")
        raise

This way preserves the initial traceback.
Change-Id: I6506ff689697520faa64325c127d7e9d49cff9fa
Closes-Bug: 1813186
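As an added example (not kuryr-kubernetes code), the following puts the two patterns from the commit above side by side and inspects the traceback each one leaves on the exception. With a bare `raise` the exception propagates with its traceback untouched, so the innermost entry is still the line where the error really happened; `LOG.exception` records that same traceback. With `raise ex` on Python 3 the original entries are kept but the handler's own line is prepended, so the handler frame shows up twice. The function names are assumed for this illustration and LOG is a plain stdlib logger.

```python
"""Added example, not kuryr-kubernetes code: compare bare `raise` with
`raise ex` by walking exc.__traceback__.  Function names are assumed."""
import logging

LOG = logging.getLogger(__name__)


def raise_from_origin():
    """The place where the error really happens (constructed failure)."""
    raise ValueError("constructed failure")


def reraise_ex():
    """The pattern the commit removes: log and re-raise the bound name."""
    try:
        raise_from_origin()
    except Exception as ex:
        LOG.error("Error happened: %s", ex)
        raise ex


def reraise_bare():
    """The pattern the commit converts to: LOG.exception records the
    traceback, and a bare raise re-raises the exception untouched."""
    try:
        raise_from_origin()
    except Exception:
        LOG.exception("Error happened")
        raise


def traceback_functions(exc):
    """Function names along exc.__traceback__, outermost first."""
    names = []
    tb = exc.__traceback__
    while tb is not None:
        names.append(tb.tb_frame.f_code.co_name)
        tb = tb.tb_next
    return names


def collect(fn):
    """Call fn, catch what it raises and return the traceback's function
    names.  The first entry is always this function's own frame."""
    try:
        fn()
    except ValueError as exc:
        return traceback_functions(exc)
    return []
```

In both cases the innermost entry is `raise_from_origin`, which is what you want to see in a log; the difference is the extra, misleading `reraise_ex` entry that points at the handler rather than at the cause.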
Since the function _get_subnet is widely used by different components,
I move it to kuryr_kubernetes.utils as a part of common utilities.
Change-Id: I9a80fb55f5c02274fb50c4c92eb3514ccb42830e
This patch ensures pods from namespace X cannot access services
pointing to pods on namespace Y, and vice versa.
The exceptions are:
- Pods on default namespace can access all the services
- Services on default namespace can be accessed by all the pods
Depends-On: I37025bf65b67fe04f2a6d9b14bbe1b7bc387e370
Implements: blueprint openshift-project-isolation-support
Change-Id: I7b78e12cdf2bce5d0780e582814ef51ef0c459a7
This patch ensures that a different security group is attached to
each newly created namespace, thus providing extra isolation
between the pods allocated on the different namespaces.
Implements: blueprint openshift-project-isolation-support
Change-Id: Ibf63841b2a6b0c339c4c76980f1489e26af016d7
This patch ensures the resources created for the namespaces (i.e.,
network and subnet) belong to the right project.
Closes-Bug: 1780029
Change-Id: I655db76b4d3ab8d2500939e5ffc70e22fc6e1a59
This patch mitigates cascading race by retrying namespace
deletion if the network was not able to be deleted as its
associated ports were not yet deleted.
Partially Implements: blueprint network-namespace
Change-Id: I0518d0e4106665a0e13a8e8b24cfcb0d7744acda
This patch extends the namespace_subnet driver to handle namespace
deletion. It ensures the resources created during namespace creation
are removed upon namespace deletion.
Note it does not currently support deleting the extra ports created
by the ports pool feature, so it should not be used if the ports pool
feature is enabled. A follow-up patch will address this issue.
Partially Implements: blueprint network-namespace
Change-Id: I2eed278dafacd5090a902bacfd366f7cdf9edca4
This patch adds a new subnet driver that creates a new network
for each created k8s namespace. It makes use of K8s CRDs to store
the information about the network resources created for each
namespace.
Partially Implements: blueprint network-namespace
Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e