Move n-ovs-agent to Kubernetes

Change-Id: I8e6d62341b327137c69585a26a3d37cf5554ea08
2020-08-19 08:38:25 -04:00 · 2020-08-19 08:38:25 -04:00 · 7bb267c7f9
commit 7bb267c7f9
parent 0b8ebbe7ae
12 changed files with 229 additions and 4 deletions
--- a/devstack/lib/neutron-legacy
+++ b/devstack/lib/neutron-legacy
@ -87,6 +87,26 @@ function start_neutron_service_and_check {
 }
 export -f start_neutron_service_and_check

+function start_mutnauq_l2_agent {
+	kubernetes_rollout_restart daemonset/neutron-openvswitch-agent
+	kubernetes_rollout_status daemonset/neutron-openvswitch-agent
+
+	if is_provider_network && [[ $Q_AGENT == "openvswitch" ]]; then
+		sudo ovs-vsctl --no-wait -- --may-exist add-port $OVS_PHYSICAL_BRIDGE $PUBLIC_INTERFACE
+		sudo ip link set $OVS_PHYSICAL_BRIDGE up
+		sudo ip link set br-int up
+		sudo ip link set $PUBLIC_INTERFACE up
+		if is_ironic_hardware; then
+			for IP in $(ip addr show dev $PUBLIC_INTERFACE | grep ' inet ' | awk '{print $2}'); do
+				sudo ip addr del $IP dev $PUBLIC_INTERFACE
+				sudo ip addr add $IP dev $OVS_PHYSICAL_BRIDGE
+			done
+			sudo ip route replace $FIXED_RANGE via $NETWORK_GATEWAY dev $OVS_PHYSICAL_BRIDGE
+		fi
+	fi
+}
+export -f start_neutron_agents
+
 function _configure_neutron_common {
 	_create_neutron_conf_dir

--- a/images/neutron/Dockerfile
+++ b/images/neutron/Dockerfile
@ -25,3 +25,7 @@ CMD ["/usr/local/bin/uwsgi", "--ini", "/etc/uwsgi/uwsgi.ini"]
 FROM neutron-base AS neutron-rpc-server
 COPY neutron-rpc-server /usr/local/bin/neutron-rpc-server
 CMD ["/usr/local/bin/neutron-rpc-server"]
+
+FROM neutron-base AS neutron-openvswitch-agent
+COPY neutron-openvswitch-agent /usr/local/bin/neutron-openvswitch-agent
+CMD ["/usr/local/bin/neutron-openvswitch-agent", "--config-file", "/etc/neutron/neutron.conf", "--config-file", "/etc/neutron/plugins/ml2/ml2_conf.ini"]
--- a/images/neutron/bindep.txt
+++ b/images/neutron/bindep.txt
@ -1,2 +1,4 @@
 gcc [compile]
 libc-dev [compile]
+sudo
+openvswitch-common
--- a/images/neutron/neutron-openvswitch-agent
+++ b/images/neutron/neutron-openvswitch-agent
@ -0,0 +1,29 @@
+#!/usr/local/bin/python
+# Copyright (c) 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import pkg_resources
+import re
+import sys
+
+import sentry_sdk
+
+from neutron.cmd.eventlet.plugins.ovs_neutron_agent import main
+
+VERSION = pkg_resources.get_distribution("neutron").version
+sentry_sdk.init(release="neutron@%s" % VERSION)
+
+sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
+sys.exit(main())
--- a/images/neutron/setup-repos.sh
+++ b/images/neutron/setup-repos.sh
@ -0,0 +1,55 @@
+#!/bin/bash
+# Copyright (c) 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xe
+
+apt-get install -y gnupg2
+
+cat <<EOF | apt-key add -
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBF3u81cBEACbfsspk7WNkcXCn3N5T9VKYt/dmvSsEW8nIIf/iwV7dSISmruz
+1b7bviqfekEvf37yiFwHVFxxS70ry/ofXp51X7RUVytrJY/hNMvr7C7zyNqM928+
+c8TP3FjGsPvFiWw/L2JgGl9/4+OYW5yF3HabMOa63xbFPAU891o9HIN5YfFDZZWD
+VNsMyXCUjVB9wy7anF77moqXuews1OmvMSArE7erLjAnC5HHGdTeZO7KfDCylqPB
+oBWF3pzNU1Vu6wEq9vL5NDYglsbN7jmDA+8mS0SyAnFxvTsqjisR8gpNtPaatQqM
+wTdOydscSoXS9MfpCrxPne0dBmpAlcVdI4hq1T4l9Osf2x5s+Kb9JxF+Q4V87n4q
+8fjusePRIMxO7aZjFUEvL8uIzg7VvF3b1X9UXkS6LH2YPLOqOf3lhvyk5RwwMfHp
+p99KOVrTWbaBYVKuxR17oWkYBPOPp+4ld8F6zSk36GK+lzPP8814X28kS357lg1y
+4kla/CfNav3AXdnsZkCvJhrwwR8HCXwTYaF2TzrZPqv5TZB1k9iBuL2X52BSxobR
+PvTTM00iZhipC/EsA7vQu4FOla/ySb/R6cfFIiDyOrDiOJ3+zlWDQ0uBikCP4lIY
+uUB+uVIWd8F7Us1voqsqUrVL1CSu1cYn+NOhf12eZsA740wgUZfCU2qmGwARAQAB
+tBhyZXBvIDxyZXBvQHZleHhob3N0Lm5ldD6JAjkEEwEIACMFAl3u81cCGy8HCwkI
+BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDETupUFYbjJ7WxD/9HcMd9HMwg7WC3
+eKSFeHGJXtN/0IuCJ6r3q10/dhb8QqqZ+Rnlr5CH4DAHdkhnL5+OvnHVYu/LVejX
+17dZUS0uB+JXZpMdfsv8i2g/c8uxi2KPsRa3pxXudb+WhjbxhRxeMpsQNbMc5M5+
+cYseUYj1nzTioDn9MQH43GcYBuhydiWsp7zRs2CNWrWJgwTOwnd/g4YV+9VWqshM
+x+/N0bdD+LIT0MmYYGBaK6vBnM2kG6gcwc0ZMwMYHJk+MotuFNM7KDu06XWkp/Uq
+8uzi7tZKHTa/kc+LrJrIOwLIkFH1uMvRZXma+JwASbcEW97YCUw/vhLa3AbZvCum
+9QLHv28zyUXfo9QLEhkOGC/ykkYOSt0u/lznokpf840tmYHBCLavFzOPJ0Nc2T7Y
+tCyEA5sV2UVI4hdBtwG1Vz8rAggDu0NWDW3BGyP0X2x1jddzzNRhevqQqcAe83Ei
+XOOP1aunhtUKUe+sXLFOY0d3OK0RysKAn9kdxcZ9qqZdrKhj+dwuvMBeZPau0ZGT
+t81b/zv6hiwA1b1b4X6EKz/aZwQyQ3/UUovM0KC9rMSzm5kKYWwcfkSDY6aLZtgc
+GBc+auY+9Mwcp4V5kEH6zMXF4baJzMj2m7LFYlLRVofY5kxlrr86TAK0jMmiDOx8
+AcjcZTiXBPNU8sK+VbsXvtB0Mel7Vw==
+=hpXM
+-----END PGP PUBLIC KEY BLOCK-----
+EOF
+
+cat <<EOF | tee /etc/apt/sources.list.d/vexxhost.list
+deb http://repo.vexxhost.net/ buster main
+EOF
--- a/openstack_operator/neutron.py
+++ b/openstack_operator/neutron.py
@ -40,7 +40,9 @@ def create_or_resume(spec, **_):
    database.ensure_mysql_cluster("neutron")

    utils.create_or_update('neutron/rabbitmq.yml.j2')
-    utils.create_or_update('neutron/daemonset.yml.j2', spec=spec)
+    utils.create_or_update('neutron/daemonset-server.yml.j2', spec=spec)
+    utils.create_or_update('neutron/daemonset-openvswitch-agent.yml.j2',
+                           spec=spec)
    utils.create_or_update('neutron/service.yml.j2')

    identity.ensure_application_credential(name="neutron")
--- a/openstack_operator/openstack/identity/applicationcredential.py
+++ b/openstack_operator/openstack/identity/applicationcredential.py
@ -54,6 +54,18 @@ def create_or_resume(name, **_):
            'identity/secret-applicationcredential.yml.j2',
            name=name, secret=credential.secret,
            id=credential.id, adopt=True)
+        return
+
+    # NOTE(Alex): Sometimes, double POST application_credential requests
+    # are made to keystone API at the "same time".
+    # The credential secret is not created in this case.
+    # The following codes should fix this case.
+    if utils.get_secret(name=name+"-application-credential",
+                        namespace="openstack") is None:
+        utils.create_or_update(
+            'identity/secret-applicationcredential.yml.j2',
+            name=name, secret=credential.secret,
+            id=credential.id, adopt=True)


@kopf.on.delete('identity.openstack.org', 'v1alpha1', 'applicationcredentials')
--- a/openstack_operator/openstack/identity/services.py
+++ b/openstack_operator/openstack/identity/services.py
@ -33,8 +33,8 @@ def _get_service(conn, name, service_type):
    try:
        services = conn.search_services(name_or_id=name,
                                        filters={"type": service_type})
-    except ConnectionRefusedError:
-        raise kopf.TemporaryError("Keystone is not up yet", delay=5)
+    except ConnectionRefusedError as ex:
+        raise kopf.TemporaryError(str(ex), delay=5)

    if len(services) > 1:
        raise RuntimeError("Found multiple services with name and type")
--- a/openstack_operator/templates/neutron/daemonset-openvswitch-agent.yml.j2
+++ b/openstack_operator/templates/neutron/daemonset-openvswitch-agent.yml.j2
@ -0,0 +1,97 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-openvswitch-agent
+  namespace: openstack
+  labels:
+    {{ labels("neutron", component="openvswitch-agent") | indent(4) }}
+spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      {{ labels("neutron", component="openvswitch-agent") | indent(6) }}
+  template:
+    metadata:
+      labels:
+        {{ labels("neutron", component="openvswitch-agent") | indent(8) }}
+    spec:
+      automountServiceAccountToken: false
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+      # TODO(mnaser): This should parse the configuration file and then create
+      #               the bridges as needed.
+      - name: create-bridge
+        image: vexxhost/neutron-openvswitch-agent:latest
+        imagePullPolicy: Always
+        command:
+        - ovs-vsctl
+        - --may-exist
+        - add-br
+        - br-ex
+        volumeMounts:
+        - name: config
+          mountPath: /etc/neutron
+        - name: ml2-config
+          mountPath: /etc/neutron/plugins/ml2
+        - name: host-run-ovs
+          mountPath: /run/openvswitch
+      containers:
+      - name: agent
+        image: vexxhost/neutron-openvswitch-agent:latest
+        imagePullPolicy: Always
+        env:
+        {% if 'sentryDSN' in spec %}
+        - name: SENTRY_DSN
+          value: {{ spec.sentryDSN }}
+        {% endif %}
+        - name: OS_OVS__LOCAL_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        securityContext:
+          # NOTE(mnaser): We need to revisit this
+          privileged: true
+        volumeMounts:
+        - name: config
+          mountPath: /etc/neutron
+        - name: ml2-config
+          mountPath: /etc/neutron/plugins/ml2
+        - name: host-run-ovs
+          mountPath: /run/openvswitch
+      volumes:
+      - name: config
+        secret:
+          secretName: neutron-config
+      - name: ml2-config
+        secret:
+          secretName: neutron-ml2-config
+      - name: host-run-ovs
+        hostPath:
+          path: /run/openvswitch
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+{% if 'hostAliases' in spec %}
+      hostAliases:
+        {{ spec.hostAliases | to_yaml | indent(8) }}
+{% endif %}
+
--- a/openstack_operator/templates/neutron/daemonset-server.yml.j2
+++ b/openstack_operator/templates/neutron/daemonset-server.yml.j2
--- a/zuul.d/functional-jobs.yaml
+++ b/zuul.d/functional-jobs.yaml
@ -50,7 +50,8 @@
      - magnum-tempest-plugin
      - tempest-horizon
      devstack_localrc:
-        NEUTRON_DEPLOY_MOD_WSGI: True
+        NEUTRON_DEPLOY_MOD_WSGI: true
+        Q_USE_ROOTWRAP: false
        TEMPEST_PLUGINS: /opt/stack/barbican-tempest-plugin /opt/stack/heat-tempest-plugin
          /opt/stack/magnum-tempest-plugin /opt/stack/tempest-horizon
      docker_use_buildset_registry: true
--- a/zuul.d/neutron-jobs.yaml
+++ b/zuul.d/neutron-jobs.yaml
@ -17,6 +17,9 @@
      - context: images/neutron
        repository: vexxhost/neutron-rpc-server
        target: neutron-rpc-server
+      - context: images/neutron
+        repository: vexxhost/neutron-openvswitch-agent
+        target: neutron-openvswitch-agent
    dependencies:
    - openstack-operator:images:build:openstack-operator
    files: &id003