Merge ovs-db and ovs-vswitchd in one Daemonset

There is no usecase in which ovs-db and ovs-vswitchd run on different nodes. In terms of version upgrade, ovs-db and ovs-vswitchd should be upgraded together in every node. This commit deploys ovs-db and ovs-vswitchd in one daemonset. Change-Id: I791b9f7abfd3ca838dc2adfaa6c606bb1c88d19d
2022-12-03 01:15:10 +11:00 · 2022-12-03 01:15:10 +11:00 · 73e2b3322d
parent aa3efe9715
commit 73e2b3322d
5 changed files with 83 additions and 162 deletions
--- a/openvswitch/Chart.yaml
+++ b/openvswitch/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm OpenVSwitch
 name: openvswitch
-version: 0.1.9
+version: 0.1.10
 home: http://openvswitch.org
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
 sources:
--- a/openvswitch/templates/daemonset-ovs-db.yaml
+++ b/openvswitch/templates/daemonset-ovs-db.yaml
@ -1,118 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- define "ovsdblivenessProbeTemplate" }}
-exec:
-  command:
-    - /usr/bin/ovs-vsctl
-    - show
-{{- end }}
-{{- define "ovsdbreadinessProbeTemplate" }}
-exec:
-  command:
-    - /usr/bin/ovs-vsctl
-    - list
-    - Open_Vswitch
-{{- end }}
-
-{{- if .Values.manifests.daemonset_ovs_db }}
-{{- $envAll := . }}
-
-{{- $serviceAccountName := "openvswitch-db" }}
-{{ tuple $envAll "db" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: openvswitch-db
-  annotations:
-    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
-  labels:
-{{ tuple $envAll "openvswitch" "openvswitch-vswitchd-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-spec:
-  selector:
-    matchLabels:
-{{ tuple $envAll "openvswitch" "openvswitch-vswitchd-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
-{{ tuple $envAll "ovs_db" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
-  template:
-    metadata:
-      labels:
-{{ tuple $envAll "openvswitch" "openvswitch-vswitchd-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
-      annotations:
-{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
-        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "openvswitch-db" "containerNames" (list "openvswitch-db" "openvswitch-db-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
-    spec:
-      shareProcessNamespace: true
-      serviceAccountName: {{ $serviceAccountName }}
-{{ dict "envAll" $envAll "application" "openvswitch_db_server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
-      nodeSelector:
-        {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
-{{ if $envAll.Values.pod.tolerations.openvswitch.enabled }}
-{{ tuple $envAll "openvswitch" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
-{{ end }}
-      dnsPolicy: {{ .Values.pod.dns_policy }}
-      hostNetwork: true
-      initContainers:
-{{ tuple $envAll "db" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
-        - name: openvswitch-db-perms
-{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ dict "envAll" $envAll "application" "openvswitch_db_server" "container" "perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          command:
-            - chown
-            - -R
-            - {{ $envAll.Values.pod.security_context.openvswitch_db_server.container.server.runAsUser | quote }}
-            - /run/openvswitch
-          volumeMounts:
-            - name: pod-tmp
-              mountPath: /tmp
-            - name: run
-              mountPath: /run/openvswitch
-      containers:
-        - name: openvswitch-db
-{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ dict "envAll" $envAll "application" "openvswitch_db_server" "container" "server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "component" "ovs_db" "container" "ovs_db" "type" "liveness" "probeTemplate" (include "ovsdblivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
-{{ dict "envAll" $envAll "component" "ovs_db" "container" "ovs_db" "type" "readiness" "probeTemplate" (include "ovsdbreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
-          command:
-            - /tmp/openvswitch-db-server.sh
-            - start
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /tmp/openvswitch-db-server.sh
-                  - stop
-          volumeMounts:
-            - name: pod-tmp
-              mountPath: /tmp
-            - name: openvswitch-bin
-              mountPath: /tmp/openvswitch-db-server.sh
-              subPath: openvswitch-db-server.sh
-              readOnly: true
-            - name: run
-              mountPath: /run/openvswitch
-      volumes:
-        - name: pod-tmp
-          emptyDir: {}
-        - name: openvswitch-bin
-          configMap:
-            name: openvswitch-bin
-            defaultMode: 0555
-        - name: run
-          hostPath:
-            path: /run/openvswitch
-{{- end }}
--- a/openvswitch/templates/daemonset-ovs-vswitchd.yaml
+++ b/openvswitch/templates/daemonset-ovs-vswitchd.yaml
@ -12,11 +12,26 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

+{{- define "ovsdblivenessProbeTemplate" }}
+exec:
+  command:
+    - /usr/bin/ovs-vsctl
+    - show
+{{- end }}
+
+{{- define "ovsdbreadinessProbeTemplate" }}
+exec:
+  command:
+    - /usr/bin/ovs-vsctl
+    - list
+    - Open_Vswitch
+{{- end }}
+
 {{- define "ovsvswitchlivenessProbeTemplate" }}
 exec:
  command:
-{{- if .Values.pod.probes.ovs_vswitch.ovs_vswitch.liveness.exec }}
-{{ .Values.pod.probes.ovs_vswitch.ovs_vswitch.liveness.exec | toYaml | indent 4 }}
+{{- if .Values.pod.probes.ovs.ovs_vswitch.liveness.exec }}
+{{ .Values.pod.probes.ovs.ovs_vswitch.liveness.exec | toYaml | indent 4 }}
 {{- else }}
    - /usr/bin/ovs-appctl
    - bond/list
@ -26,8 +41,8 @@ exec:
 {{- define "ovsvswitchreadinessProbeTemplate" }}
 exec:
  command:
-{{- if .Values.pod.probes.ovs_vswitch.ovs_vswitch.readiness.exec }}
-{{ .Values.pod.probes.ovs_vswitch.ovs_vswitch.readiness.exec | toYaml | indent 4 }}
+{{- if .Values.pod.probes.ovs.ovs_vswitch.readiness.exec }}
+{{ .Values.pod.probes.ovs.ovs_vswitch.readiness.exec | toYaml | indent 4 }}
 {{- else if not .Values.conf.ovs_dpdk.enabled }}
    - /bin/bash
    - -c
@ -39,37 +54,33 @@ exec:
 {{- end }}
 {{- end }}

-{{- if .Values.manifests.daemonset_ovs_vswitchd }}
+{{- if .Values.manifests.daemonset }}
 {{- $envAll := . }}
-
-{{- $serviceAccountName := "openvswitch-vswitchd" }}
-{{ tuple $envAll "vswitchd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: openvswitch-vswitchd
+  name: openvswitch
  annotations:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
  labels:
-{{ tuple $envAll "openvswitch" "openvswitch-vswitchd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
  selector:
    matchLabels:
-{{ tuple $envAll "openvswitch" "openvswitch-vswitchd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
-{{ tuple $envAll "ovs_vswitchd" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "ovs" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
  template:
    metadata:
      labels:
-{{ tuple $envAll "openvswitch" "openvswitch-vswitchd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "openvswitch-vswitchd" "containerNames" (list "openvswitch-vswitchd" "openvswitch-vswitchd-modules" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "openvswitch" "containerNames" (list "openvswitch-db" "openvswitch-db-perms" "openvswitch-vswitchd" "openvswitch-vswitchd-modules" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
      shareProcessNamespace: true
-      serviceAccountName: {{ $serviceAccountName }}
-{{ dict "envAll" $envAll "application" "openvswitch_vswitchd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "ovs" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      nodeSelector:
        {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
 {{ if $envAll.Values.pod.tolerations.openvswitch.enabled }}
@ -78,10 +89,24 @@ spec:
      dnsPolicy: {{ .Values.pod.dns_policy }}
      hostNetwork: true
      initContainers:
-{{ tuple $envAll "vswitchd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll "ovs" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: openvswitch-db-perms
+{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - chown
+            - -R
+            - {{ $envAll.Values.pod.security_context.ovs.container.server.runAsUser | quote }}
+            - /run/openvswitch
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: run-openvswitch
+              mountPath: /run/openvswitch
        - name: openvswitch-vswitchd-modules
 {{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ dict "envAll" $envAll "application" "openvswitch_vswitchd" "container" "modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/openvswitch-vswitchd-init-modules.sh
          volumeMounts:
@ -96,11 +121,35 @@ spec:
              mountPropagation: HostToContainer
              readOnly: true
      containers:
+        - name: openvswitch-db
+{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_db" "type" "liveness" "probeTemplate" (include "ovsdblivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_db" "type" "readiness" "probeTemplate" (include "ovsdbreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/openvswitch-db-server.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/openvswitch-db-server.sh
+                  - stop
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: openvswitch-bin
+              mountPath: /tmp/openvswitch-db-server.sh
+              subPath: openvswitch-db-server.sh
+              readOnly: true
+            - name: run
+              mountPath: /run
        - name: openvswitch-vswitchd
 {{- if .Values.conf.ovs_dpdk.enabled }}
 {{/* Run the container in priviledged mode due to the need for root
 permissions when using the uio_pci_generic driver. */}}
-{{- $_ := set $envAll.Values.pod.security_context.openvswitch_vswitchd.container.vswitchd "privileged" true -}}
+{{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
 {{/* Limiting CPU cores would severely affect packet throughput
 It should be handled through lcore and pmd core masks. */}}
 {{- if .Values.pod.resources.enabled }}
@ -109,12 +158,12 @@ It should be handled through lcore and pmd core masks. */}}
 {{- end }}
 {{- end }}
 {{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ dict "envAll" $envAll "application" "openvswitch_vswitchd" "container" "vswitchd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "vswitchd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ovs.vswitchd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          # ensures this container can speak to the ovs database
          # successfully before its marked as ready
-{{ dict "envAll" $envAll "component" "ovs_vswitch" "container" "ovs_vswitch" "type" "liveness" "probeTemplate" (include "ovsvswitchlivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
-{{ dict "envAll" $envAll "component" "ovs_vswitch" "container" "ovs_vswitch" "type" "readiness" "probeTemplate" (include "ovsvswitchreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_vswitch" "type" "liveness" "probeTemplate" (include "ovsvswitchlivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_vswitch" "type" "readiness" "probeTemplate" (include "ovsvswitchreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
          command:
            - /tmp/openvswitch-vswitchd.sh
            - start
@ -167,6 +216,10 @@ It should be handled through lcore and pmd core masks. */}}
          hostPath:
            path: /run
            type: Directory
+        - name: run-openvswitch
+          hostPath:
+            path: /run/openvswitch
+            type: DirectoryOrCreate
        - name: host-rootfs
          hostPath:
            path: /
@ -204,4 +257,4 @@ It should be handled through lcore and pmd core masks. */}}
          hostPath:
            path: /sys/fs/cgroup
 {{- end }}
-{{- end }}
+{{- end }}
--- a/openvswitch/values.yaml
+++ b/openvswitch/values.yaml
@ -45,7 +45,7 @@ pod:
        operator: Exists
        effect: NoSchedule
  probes:
-    ovs_db:
+    ovs:
      ovs_db:
        liveness:
          enabled: true
@ -59,7 +59,6 @@ pod:
            initialDelaySeconds: 90
            periodSeconds: 30
            timeoutSeconds: 5
-    ovs_vswitch:
      ovs_vswitch:
        liveness:
          enabled: true
@ -74,7 +73,7 @@ pod:
            periodSeconds: 10
            timeoutSeconds: 1
  security_context:
-    openvswitch_db_server:
+    ovs:
      pod:
        runAsUser: 42424
      container:
@ -86,10 +85,6 @@ pod:
          runAsUser: 42424
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
-    openvswitch_vswitchd:
-      pod:
-        runAsUser: 0
-      container:
        modules:
          runAsUser: 0
          capabilities:
@ -108,11 +103,7 @@ pod:
    upgrades:
      daemonsets:
        pod_replacement_strategy: RollingUpdate
-        ovs_db:
-          enabled: true
-          min_ready_seconds: 0
-          max_unavailable: 1
-        ovs_vswitchd:
+        ovs:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
@ -199,13 +190,7 @@ dependencies:
          - endpoint: node
            service: local_image_registry
  static:
-    db: null
-    vswitchd:
-      pod:
-        - requireSameNode: true
-          labels:
-            application: openvswitch
-            component: openvswitch-vswitchd-db
+    ovs: null
    image_repo_sync:
      services:
        - endpoint: internal
@ -213,7 +198,7 @@ dependencies:

 manifests:
  configmap_bin: true
-  daemonset_ovs_db: true
+  daemonset: true
  daemonset_ovs_vswitchd: true
  job_image_repo_sync: true
  network_policy: false
--- a/releasenotes/notes/openvswitch.yaml
+++ b/releasenotes/notes/openvswitch.yaml
@ -10,4 +10,5 @@ openvswitch:
  - 0.1.7 Enable taint toleration for Openstack services jobs
  - 0.1.8 Added OCI registry authentication
  - 0.1.9 Enable ovs hardware offload
+  - 0.1.10 Merge ovs-db and ovs-vswitchd in one Daemonset
 ...