Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test #6

Closed
wants to merge 8 commits into from
Closed

test #6

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
dcf196a
Sort flags in ovnkube.sh
npinaeva Jul 28, 2023
9ac962f
Add ovnkube-controller-with-node mode.
npinaeva Aug 4, 2023
3ac54dd
Add APBRoute factory to the WatchFactory to share it between
npinaeva Jul 28, 2023
944f2c5
After changing apbroute controller startup sequence, one test started
npinaeva Aug 4, 2023
8e374d7
NetworkControllerManager doesn't use given identity, remove.
npinaeva Aug 7, 2023
b2b50a6
Use the status subresource for setting labels and annotations
kyrtapz Jul 13, 2023
2ecb1eb
Refactor RBAC
kyrtapz Aug 3, 2023
4be888f
Introduce ovnkube-identity with per-node certs and a validating webhook
kyrtapz Aug 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
28 changes: 27 additions & 1 deletion contrib/kind.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ usage() {
echo "-sm | --scale-metrics Enable scale metrics"
echo "-cm | --compact-mode Enable compact mode, ovnkube master and node run in the same process."
echo "-ic | --enable-interconnect Enable interconnect with each node as a zone (only valid if OVN_HA is false)"
echo "--disable-ovnkube-identity Disable per-node cert and ovnkube-identity webhook"
echo "-npz | --nodes-per-zone If interconnect is enabled, number of nodes per zone (Default 1). If this value > 1, then (total k8s nodes (workers + 1) / num of nodes per zone) should be zero."
echo "--isolated Deploy with an isolated environment (no default gateway)"
echo "--delete Delete current cluster"
Expand Down Expand Up @@ -342,6 +343,8 @@ parse_args() {
;;
-ic | --enable-interconnect ) OVN_ENABLE_INTERCONNECT=true
;;
--disable-ovnkube-identity) OVN_ENABLE_OVNKUBE_IDENTITY=false
;;
--delete ) delete
exit
;;
Expand Down Expand Up @@ -416,6 +419,7 @@ print_params() {
if [ "$OVN_ENABLE_INTERCONNECT" == true ]; then
echo "KIND_NUM_NODES_PER_ZONE = $KIND_NUM_NODES_PER_ZONE"
fi
echo "OVN_ENABLE_OVNKUBE_IDENTITY = $OVN_ENABLE_OVNKUBE_IDENTITY"
echo "KIND_NUM_WORKER = $KIND_NUM_WORKER"
echo ""
}
Expand Down Expand Up @@ -562,6 +566,7 @@ set_default_params() {
MASQUERADE_SUBNET_IPV6=${MASQUERADE_SUBNET_IPV6:-fd69::/125}
KIND_NUM_MASTER=1
OVN_ENABLE_INTERCONNECT=${OVN_ENABLE_INTERCONNECT:-false}
OVN_ENABLE_OVNKUBE_IDENTITY=${OVN_ENABLE_OVNKUBE_IDENTITY:-true}

if [ "$OVN_HA" == true ] && [ "$OVN_ENABLE_INTERCONNECT" != false ]; then
echo "HA mode cannot be used together with Interconnect"
Expand Down Expand Up @@ -837,6 +842,11 @@ create_ovn_kube_manifests() {
ovnkube_image=$($OCI_BIN inspect --format='{{index .RepoDigests 0}}' $OVN_IMAGE)
fi
pushd ${DIR}/../dist/images
enable_multi_node_zone_flag=
if [ "$OVN_ENABLE_INTERCONNECT" == true ]; then
KIND_NUM_NODES_PER_ZONE=${KIND_NUM_NODES_PER_ZONE:-1}
enable_multi_node_zone_flag="--enable-multi-node-zone=$( (( KIND_NUM_NODES_PER_ZONE > 1 )) && echo "true" || echo "false" )"
fi
./daemonset.sh \
--output-directory="${MANIFEST_OUTPUT_DIR}"\
--image="${OVN_IMAGE}" \
Expand Down Expand Up @@ -880,7 +890,9 @@ create_ovn_kube_manifests() {
--ovnkube-metrics-scale-enable="${OVN_METRICS_SCALE_ENABLE}" \
--compact-mode="${OVN_COMPACT_MODE}" \
--enable-interconnect="${OVN_ENABLE_INTERCONNECT}" \
--enable-multi-external-gateway=true
--enable-multi-external-gateway=true \
--enable-ovnkube-identity="${OVN_ENABLE_OVNKUBE_IDENTITY}" \
"${enable_multi_node_zone_flag}"
popd
}

Expand All @@ -907,6 +919,9 @@ install_ovn_global_zone() {
run_kubectl apply -f ovnkube-db.yaml
fi

if [ "${OVN_ENABLE_OVNKUBE_IDENTITY}" == true ]; then
run_kubectl apply -f ovnkube-identity.yaml
fi
run_kubectl apply -f ovnkube-master.yaml
run_kubectl apply -f ovnkube-node.yaml
}
Expand All @@ -917,6 +932,9 @@ install_ovn_single_node_zones() {
kubectl label node "${n}" k8s.ovn.org/zone-name=${n} --overwrite
done

if [ "${OVN_ENABLE_OVNKUBE_IDENTITY}" == true ]; then
run_kubectl apply -f ovnkube-identity.yaml
fi
run_kubectl apply -f ovnkube-control-plane.yaml
run_kubectl apply -f ovnkube-single-node-zone.yaml
}
Expand All @@ -942,6 +960,9 @@ install_ovn_multiple_nodes_zones() {
fi
done

if [ "${OVN_ENABLE_OVNKUBE_IDENTITY}" == true ]; then
run_kubectl apply -f ovnkube-identity.yaml
fi
run_kubectl apply -f ovnkube-control-plane.yaml
run_kubectl apply -f ovnkube-zone-controller.yaml
run_kubectl apply -f ovnkube-node.yaml
Expand All @@ -958,6 +979,11 @@ install_ovn() {
run_kubectl apply -f policy.networking.k8s.io_adminnetworkpolicies.yaml
run_kubectl apply -f policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
run_kubectl apply -f ovn-setup.yaml
run_kubectl apply -f rbac-ovnkube-identity.yaml
run_kubectl apply -f rbac-ovnkube-cluster-manager.yaml
run_kubectl apply -f rbac-ovnkube-master.yaml
run_kubectl apply -f rbac-ovnkube-node.yaml
run_kubectl apply -f rbac-ovnkube-db.yaml
MASTER_NODES=$(kind get nodes --name "${KIND_CLUSTER_NAME}" | sort | head -n "${KIND_NUM_MASTER}")
# We want OVN HA not Kubernetes HA
# leverage the kubeadm well-known label node-role.kubernetes.io/control-plane=
Expand Down
1 change: 1 addition & 0 deletions dist/images/.gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ ovn-k8s-cni-overlay
ovn-kube-util
ovnkube
ovnkube-trace
ovnkube-identity
ovndbchecker
hybrid-overlay-node
git_info
2 changes: 1 addition & 1 deletion dist/images/Dockerfile.fedora
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ RUN rpm -Uhv --nodeps --force *.rpm
# Built in ../../go_controller, then the binaries are copied here.
# put things where they are in the pkg
RUN mkdir -p /usr/libexec/cni/
COPY ovnkube ovn-kube-util ovndbchecker /usr/bin/
COPY ovnkube ovn-kube-util ovndbchecker ovnkube-identity /usr/bin/
COPY ovn-k8s-cni-overlay /usr/libexec/cni/ovn-k8s-cni-overlay

# ovnkube.sh is the entry point. This script examines environment
Expand Down
1 change: 1 addition & 0 deletions dist/images/Dockerfile.fedora.dev
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ RUN mkdir -p /usr/libexec/cni/
COPY ovnkube /usr/bin/
COPY ovn-kube-util /usr/bin/
COPY ovndbchecker /usr/bin/
COPY ovnkube-identity /usr/bin/
COPY ovn-k8s-cni-overlay /usr/libexec/cni/ovn-k8s-cni-overlay

# ovnkube.sh is the entry point. This script examines environment
Expand Down
48 changes: 47 additions & 1 deletion dist/images/daemonset.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,8 @@ OVNKUBE_CONFIG_DURATION_ENABLE=
OVNKUBE_METRICS_SCALE_ENABLE=
OVN_STATELESS_NETPOL_ENABLE="false"
OVN_ENABLE_INTERCONNECT=

OVN_ENABLE_OVNKUBE_IDENTITY="true"
OVN_ENABLE_MULTI_ZONE_NODE="false"
# IN_UPGRADE is true only if called by upgrade-ovn.sh during the upgrade test,
# it will render only the parts in ovn-setup.yaml related to RBAC permissions.
IN_UPGRADE=
Expand Down Expand Up @@ -319,6 +320,12 @@ while [ "$1" != "" ]; do
--enable-multi-external-gateway)
OVN_ENABLE_MULTI_EXTERNAL_GATEWAY=$VALUE
;;
--enable-ovnkube-identity)
OVN_ENABLE_OVNKUBE_IDENTITY=$VALUE
;;
--enable-multi-node-zone)
OVN_ENABLE_MULTI_ZONE_NODE=$VALUE
;;
*)
echo "WARNING: unknown parameter \"$PARAM\""
exit 1
Expand Down Expand Up @@ -485,6 +492,10 @@ ovn_enable_interconnect=${OVN_ENABLE_INTERCONNECT}
echo "ovn_enable_interconnect: ${ovn_enable_interconnect}"
ovn_enable_multi_external_gateway=${OVN_ENABLE_MULTI_EXTERNAL_GATEWAY}
echo "ovn_enable_multi_external_gateway: ${ovn_enable_multi_external_gateway}"
ovn_enable_ovnkube_identity=${OVN_ENABLE_OVNKUBE_IDENTITY}
echo "ovn_enable_ovnkube_identity: ${ovn_enable_ovnkube_identity}"
ovn_enable_multi_node_zone=${OVN_ENABLE_MULTI_ZONE_NODE}
echo "ovn_enable_multi_node_zone: ${ovn_enable_multi_node_zone}"

ovn_image=${ovnkube_image} \
ovnkube_compact_mode_enable=${ovnkube_compact_mode_enable} \
Expand Down Expand Up @@ -531,6 +542,7 @@ ovn_image=${ovnkube_image} \
ovnkube_node_mgmt_port_netdev=${ovnkube_node_mgmt_port_netdev} \
ovn_enable_interconnect=${ovn_enable_interconnect} \
ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \
ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \
ovnkube_app_name=ovnkube-node \
j2 ../templates/ovnkube-node.yaml.j2 -o ${output_dir}/ovnkube-node.yaml

Expand Down Expand Up @@ -613,6 +625,7 @@ ovn_image=${ovnkube_image} \
ovnkube_compact_mode_enable=${ovnkube_compact_mode_enable} \
ovn_unprivileged_mode=${ovn_unprivileged_mode} \
ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \
ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \
j2 ../templates/ovnkube-master.yaml.j2 -o ${output_dir}/ovnkube-master.yaml

ovn_image=${ovnkube_image} \
Expand Down Expand Up @@ -648,6 +661,7 @@ ovn_image=${ovnkube_image} \
ovn_ex_gw_networking_interface=${ovn_ex_gw_networking_interface} \
ovn_enable_interconnect=${ovn_enable_interconnect} \
ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \
ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \
j2 ../templates/ovnkube-control-plane.yaml.j2 -o ${output_dir}/ovnkube-control-plane.yaml

ovn_image=${image} \
Expand Down Expand Up @@ -731,6 +745,7 @@ ovn_image=${ovnkube_image} \
ovn_loglevel_nb=${ovn_loglevel_nb} ovn_loglevel_sb=${ovn_loglevel_sb} \
ovn_enable_interconnect=${ovn_enable_interconnect} \
ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \
ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \
j2 ../templates/ovnkube-single-node-zone.yaml.j2 -o ${output_dir}/ovnkube-single-node-zone.yaml

ovn_image=${ovnkube_image} \
Expand Down Expand Up @@ -785,13 +800,36 @@ ovn_image=${ovnkube_image} \
ovn_loglevel_nb=${ovn_loglevel_nb} ovn_loglevel_sb=${ovn_loglevel_sb} \
ovn_enable_interconnect=${ovn_enable_interconnect} \
ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \
ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \
j2 ../templates/ovnkube-zone-controller.yaml.j2 -o ${output_dir}/ovnkube-zone-controller.yaml

ovn_image=${image} \
ovn_image_pull_policy=${image_pull_policy} \
ovn_unprivileged_mode=${ovn_unprivileged_mode} \
j2 ../templates/ovs-node.yaml.j2 -o ${output_dir}/ovs-node.yaml

ovnkube_certs_dir="/tmp/ovnkube-certs"
ovnkube_webhook_name="ovnkube-webhook"
mkdir -p ${ovnkube_certs_dir}
path_prefix="${ovnkube_certs_dir}/${ovnkube_webhook_name}"

# Create self signed CA and webhook cert
openssl req -x509 -newkey rsa:4096 -nodes -keyout "${path_prefix}-ca.key" -out "${path_prefix}-ca.crt" -days 400 -subj "/CN=self-signed-ca"
openssl req -newkey rsa:4096 -nodes -keyout "${path_prefix}.key" -out "${path_prefix}.csr" -subj "/CN=localhost"
openssl x509 -req -in "${path_prefix}.csr" -CA "${path_prefix}-ca.crt" -CAkey "${path_prefix}-ca.key" -extfile <(printf "subjectAltName=DNS:localhost") -CAcreateserial -out "${path_prefix}.crt" -days 365

ovn_image=${ovnkube_image} \
ovn_image=${image} \
ovn_image_pull_policy=${image_pull_policy} \
ovn_master_count=${ovn_master_count} \
ovnkube_master_loglevel=${master_loglevel} \
ovn_enable_interconnect=${ovn_enable_interconnect} \
webhook_ca_bundle=$(cat "${path_prefix}-ca.crt" | base64 -w0) \
webhook_key=$(cat "${path_prefix}.key" | base64 -w0) \
webhook_cert=$(cat "${path_prefix}.crt" | base64 -w0) \
ovn_enable_multi_node_zone=${ovn_enable_multi_node_zone} \
j2 ../templates/ovnkube-identity.yaml.j2 -o ${output_dir}/ovnkube-identity.yaml

if ${enable_ipsec}; then
ovn_image=${image} \
j2 ../templates/ovn-ipsec.yaml.j2 -o ${output_dir}/ovn-ipsec.yaml
Expand All @@ -817,6 +855,14 @@ net_cidr=${net_cidr} svc_cidr=${svc_cidr} \
in_upgrade=${in_upgrade} \
j2 ../templates/ovn-setup.yaml.j2 -o ${output_dir}/ovn-setup.yaml

ovn_enable_interconnect=${ovn_enable_interconnect} \
ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \
j2 ../templates/rbac-ovnkube-node.yaml.j2 -o ${output_dir}/rbac-ovnkube-node.yaml

cp ../templates/rbac-ovnkube-identity.yaml.j2 ${output_dir}/rbac-ovnkube-identity.yaml
cp ../templates/rbac-ovnkube-master.yaml.j2 ${output_dir}/rbac-ovnkube-master.yaml
cp ../templates/rbac-ovnkube-db.yaml.j2 ${output_dir}/rbac-ovnkube-db.yaml
cp ../templates/rbac-ovnkube-cluster-manager.yaml.j2 ${output_dir}/rbac-ovnkube-cluster-manager.yaml
cp ../templates/ovnkube-monitor.yaml.j2 ${output_dir}/ovnkube-monitor.yaml
cp ../templates/k8s.ovn.org_egressfirewalls.yaml.j2 ${output_dir}/k8s.ovn.org_egressfirewalls.yaml
cp ../templates/k8s.ovn.org_egressips.yaml.j2 ${output_dir}/k8s.ovn.org_egressips.yaml
Expand Down
Loading
Loading