Merge "svc namespace isolation support for different octavia drivers"

2018-10-01 15:22:09 +00:00 · 2018-10-01 15:22:09 +00:00 · 79ec91f681
parent 927b5821a1 451add3543
commit 79ec91f681
5 changed files with 68 additions and 26 deletions
--- a/devstack/local.conf.ovn.sample
+++ b/devstack/local.conf.ovn.sample
@ -55,10 +55,11 @@ KURYR_K8S_LBAAS_USE_OCTAVIA=True
 # In case Octavia is used for LBaaS, you can choose the
 # Octavia's Load Balancer provider.
 # KURYR_EP_DRIVER_OCTAVIA_PROVIDER=default
-# Uncomment the next two to enable ovn provider. Note only L2 mode is
-# supported
+# Uncomment the next lines to enable ovn provider. Note L2 mode is used
+# to ensure member subnet is added
 # KURYR_EP_DRIVER_OCTAVIA_PROVIDER=ovn
 # KURYR_K8S_OCTAVIA_MEMBER_MODE=L2
+# KURYR_K8S_OCTAVIA_SG_MODE=create



--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -450,6 +450,7 @@ function configure_neutron_defaults {
    fi
    iniset "$KURYR_CONFIG" neutron_defaults external_svc_net "$ext_svc_net_id"
    iniset "$KURYR_CONFIG" octavia_defaults member_mode "$KURYR_K8S_OCTAVIA_MEMBER_MODE"
+    iniset "$KURYR_CONFIG" octavia_defaults sg_mode "$KURYR_K8S_OCTAVIA_SG_MODE"
    if [[ "$use_octavia" == "True" ]]; then
        # Octavia takes a very long time to start the LB in the gate. We need
        # to tweak the timeout for the LB creation. Let's be generous and give
--- a/devstack/settings
+++ b/devstack/settings
@ -62,6 +62,7 @@ OPENSHIFT_CNI_BINARY_URL=${OPENSHIFT_CNI_BINARY_URL:-https://github.com/containe
 # Octavia
 KURYR_K8S_LBAAS_USE_OCTAVIA=${KURYR_K8S_LBAAS_USE_OCTAVIA:-True}
 KURYR_K8S_OCTAVIA_MEMBER_MODE=${KURYR_K8S_OCTAVIA_MEMBER_MODE:-L3}
+KURYR_K8S_OCTAVIA_SG_MODE=${KURYR_K8S_OCTAVIA_SG_MODE:-update}

 # Kuryr_ovs_baremetal
 KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE=${KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE:-True}
--- a/kuryr_kubernetes/config.py
+++ b/kuryr_kubernetes/config.py
@ -219,6 +219,11 @@ octavia_defaults = [
               help=_("Define the communication mode between load balanacer "
                      "and its members"),
               default='L3'),
+    cfg.StrOpt('sg_mode',
+               help=_("Define the LBaaS SG policy."),
+               choices=[('create', 'replace the VIP SG with a new one'),
+                        ('update', 'add rules to the existing VIP SG')],
+               default='update'),
 ]

 cache_defaults = [
--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@ -89,13 +89,17 @@ class LBaaSv2Driver(base.LBaaSDriver):
            self._release(loadbalancer, loadbalancer,
                          lbaas.delete_loadbalancer, loadbalancer.id)

-            sg_id = self._find_listeners_sg(loadbalancer)
-            if sg_id:
-                try:
-                    neutron.delete_security_group(sg_id)
-                except n_exc.NeutronClientException:
-                    LOG.exception('Error when deleting loadbalancer security '
-                                  'group. Leaving it orphaned.')
+        sg_id = self._find_listeners_sg(loadbalancer)
+        if sg_id:
+            # Note: reusing activation timeout as deletion timeout
+            self._wait_for_deletion(loadbalancer, _ACTIVATION_TIMEOUT)
+            try:
+                neutron.delete_security_group(sg_id)
+            except n_exc.NeutronClientException:
+                LOG.exception('Error when deleting loadbalancer security '
+                              'group. Leaving it orphaned.')
+            except n_exc.NotFound:
+                LOG.debug('Security group %s already deleted', sg_id)

    def _ensure_security_groups(self, loadbalancer, service_type):
        # We only handle SGs for legacy LBaaSv2, Octavia handles it dynamically
@ -152,24 +156,45 @@ class LBaaSv2Driver(base.LBaaSDriver):

    def _extend_lb_security_group_rules(self, loadbalancer, listener):
        neutron = clients.get_neutron_client()
-        sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0]
+
+        if CONF.octavia_defaults.sg_mode == 'create':
+            sg_id = self._find_listeners_sg(loadbalancer)
+            # if an SG for the loadbalancer has not being created, create one
+            if not sg_id:
+                sg = neutron.create_security_group({
+                    'security_group': {
+                        'name': loadbalancer.name,
+                        'project_id': loadbalancer.project_id,
+                        },
+                    })
+                sg_id = sg['security_group']['id']
+                loadbalancer.security_groups.append(sg_id)
+                vip_port = self._get_vip_port(loadbalancer)
+                neutron.update_port(
+                    vip_port.get('id'),
+                    {'port': {
+                        'security_groups': loadbalancer.security_groups}})
+        else:
+            sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0]
+
        for sg in loadbalancer.security_groups:
-            try:
-                neutron.create_security_group_rule({
-                    'security_group_rule': {
-                        'direction': 'ingress',
-                        'port_range_min': listener.port,
-                        'port_range_max': listener.port,
-                        'protocol': listener.protocol,
-                        'security_group_id': sg_id,
-                        'remote_group_id': sg,
-                        'description': listener.name,
-                    },
-                })
-            except n_exc.NeutronClientException as ex:
-                if ex.status_code != requests.codes.conflict:
-                    LOG.exception('Failed when creating security group rule '
-                                  'for listener %s.', listener.name)
+            if sg != sg_id:
+                try:
+                    neutron.create_security_group_rule({
+                        'security_group_rule': {
+                            'direction': 'ingress',
+                            'port_range_min': listener.port,
+                            'port_range_max': listener.port,
+                            'protocol': listener.protocol,
+                            'security_group_id': sg_id,
+                            'remote_group_id': sg,
+                            'description': listener.name,
+                        },
+                    })
+                except n_exc.NeutronClientException as ex:
+                    if ex.status_code != requests.codes.conflict:
+                        LOG.exception('Failed when creating security group '
+                                      'rule for listener %s.', listener.name)

        # ensure routes have access to the services
        service_subnet_cidr = self._get_subnet_cidr(loadbalancer.subnet_id)
@ -540,6 +565,15 @@ class LBaaSv2Driver(base.LBaaSDriver):

        raise k_exc.ResourceNotReady(loadbalancer)

+    def _wait_for_deletion(self, loadbalancer, timeout):
+        lbaas = clients.get_loadbalancer_client()
+
+        for remaining in self._provisioning_timer(timeout):
+            try:
+                lbaas.show_loadbalancer(loadbalancer.id)
+            except n_exc.NotFound:
+                return
+
    def _provisioning_timer(self, timeout):
        # REVISIT(ivc): consider integrating with Retry
        interval = 3