Add primary UDN net-attach-def

[RamLavi]

What this PR does / why we need it:
This PR adds support to user-defined-network binding by deploying the appropriate NetworkAttachmentDefinition.
This is part of the process described on kubevirt user guide.
The behavior added is currently dev-preview. Hence, the NetworkAttachmentDefinition is not deployed by the proper component, but is deployed by ipam-extentions. This should change in future PRs.

Special notes for your reviewer:

Release note:

NONE

[oshoval]

instead all the changes in this file, since this yaml is generated by CNAO
you can just keep it in the data folder, and add it to line 176
which means what to not delete

rm -rf data/kubevirt-ipam-controller/!(002-rbac.yaml|<file_name_here>)

[RamLavi]

good idea. thanks!

[oshoval]

if the CRD is NA, we should add a fatal
so basically this isn't needed (just need to fatal if CRD is NA + conf.ipam == true)

the only advantage of having this var, is that we can disable it easily if needed
but imho it doesnt worth it for this reason
moreover we can check if CRD exists, only if conf.ipam == true, not always

wdyt ?

[RamLavi]

I think it was discussed that we want to fail early.. totally forgot. will fix. thanks!

[oshoval]

fail fast, ye but only if conf.ipam == true + nad doesnt exists please imo

[RamLavi]

@oshoval do you understand why it fails?

[oshoval]

@oshoval do you understand why it fails?

error: timed out waiting for the condition on kubevirts/kubevirt
for some reason lately it cant install kubevirt all the time

maybe it is because the wait was too fast, and wait doesnt wait for the resource to be created
and then need a loop of wait with shorter timeout, or to use the new flag of kubectl wait that waits for the resource to exists kubernetes/kubernetes#122994

unless it is something deeper, and to know we would need logs

[oshoval]

why SCCAvailable true ?

[RamLavi]

it shouldn't be. fixed.

[oshoval]

PrometheusRule is wrong here

[RamLavi]

ah copy err. thanks!

[oshoval]

but why we need all this logic if we just create the nad and if it doesnt exists we have the error that nad doesnt exists without any additional changes?

is it a must because it was added here ?
https://github.com/kubevirt/cluster-network-addons-operator/pull/1841/files#diff-dd3d0d54317e754fd95de914de01a73b5578626b42e755fdad4998186d552600R90

[RamLavi]

but why we need all this logic if we just create the nad

This code is for CNAO CI to make sure the NAD is deployed. It's now CNAO's responsibility, so CI should check it's deployed, and also removed.

and if it doesnt exists we have the error that nad doesnt exists without any additional changes?

small correction - only if the NAD's CRD doesn't exists then CNAO will fail to deploy with the error you mention.

is it a must because it was added here ? https://github.com/kubevirt/cluster-network-addons-operator/pull/1841/files#diff-dd3d0d54317e754fd95de914de01a73b5578626b42e755fdad4998186d552600R90

technically yeah, but it's intentional. As I mentioned above - it's CNAO's job to make sure the resources it is in charge of deploying are deployed.

[RamLavi]

@oshoval do you understand why it fails?

error: timed out waiting for the condition on kubevirts/kubevirt for some reason lately it cant install kubevirt all the time

maybe it is because the wait was too fast, and wait doesnt wait for the resource to be created and then need a loop of wait with shorter timeout, or to use the new flag of kubectl wait that waits for the resource to exists kubernetes/kubernetes#122994

unless it is something deeper, and to know we would need logs

Looks like kubevirt/kubevirt now wait 15m

[oshoval]

@oshoval do you understand why it fails?

error: timed out waiting for the condition on kubevirts/kubevirt for some reason lately it cant install kubevirt all the time
maybe it is because the wait was too fast, and wait doesnt wait for the resource to be created and then need a loop of wait with shorter timeout, or to use the new flag of kubectl wait that waits for the resource to exists kubernetes/kubernetes#122994
unless it is something deeper, and to know we would need logs

Looks like kubevirt/kubevirt now wait 15m

this change is 4y ago it seems, but worth to try to extend

[oshoval]

basically since all are false, those are the default values anyhow
so you can just create an empty struct
unless one of them is better to be explicit false, but this is not the case here

[RamLavi]

DONE

[oshoval]

@oshoval do you understand why it fails?

error: timed out waiting for the condition on kubevirts/kubevirt for some reason lately it cant install kubevirt all the time
maybe it is because the wait was too fast, and wait doesnt wait for the resource to be created and then need a loop of wait with shorter timeout, or to use the new flag of kubectl wait that waits for the resource to exists kubernetes/kubernetes#122994
unless it is something deeper, and to know we would need logs

Looks like kubevirt/kubevirt now wait 15m

this change is 4y ago it seems, but worth to try to extend

I think the best we cant do is to install kubevirt using kind.sh
for that we need to add an option to bypass kubevirt-ipam-controller installation / ipam claim crd / cert-manager
or to undeploy them after installation is done
one of the reasons is that kind.sh does this when installing kubevirt (among few other little things)
or we can also just add those in our repo

        $OCI_BIN exec -t $node bash -c "echo 'fs.inotify.max_user_watches=1048576' >> /etc/sysctl.conf"
        $OCI_BIN exec -t $node bash -c "echo 'fs.inotify.max_user_instances=512' >> /etc/sysctl.conf"
        $OCI_BIN exec -i $node bash -c "sysctl -p /etc/sysctl.conf"
        if [[ "${node}" =~ worker ]]; then
            kubectl label nodes $node node-role.kubernetes.io/worker="" --overwrite=true
        fi

[oshoval]

do we need update ? (maybe the reconcile use it when it recreate?)

please consider moving it under the else of allowMultus
otherwise there are duplicate / overlapping rbacs due to multusClusterRoles in U/S, which i tried to refrain from (well indeed on some places like get list watch i did add, because it was just for NAD and needed on both U/S and D/S, so whatever you prefer)

you can move the flag into multusClusterRoles and it will determine if to add * or to add just the diff needed please

[RamLavi]

do we need update ? (maybe the reconcile use it when it recreate?)

We do.

please consider moving it under the else of allowMultus otherwise there are duplicate / overlapping rbacs due to multusClusterRoles in U/S, which i tried to refrain from

you can move the flag into multusClusterRoles and it will determine if to add * or to add just the diff needed please

OK, DONE

[RamLavi]

@oshoval do you understand why it fails?

error: timed out waiting for the condition on kubevirts/kubevirt for some reason lately it cant install kubevirt all the time
maybe it is because the wait was too fast, and wait doesnt wait for the resource to be created and then need a loop of wait with shorter timeout, or to use the new flag of kubectl wait that waits for the resource to exists kubernetes/kubernetes#122994
unless it is something deeper, and to know we would need logs

Looks like kubevirt/kubevirt now wait 15m

this change is 4y ago it seems, but worth to try to extend

I think the best we cant do is to install kubevirt using kind.sh for that we need to add an option to bypass kubevirt-ipam-controller installation / ipam claim crd / cert-manager or to undeploy them after installation is done one of the reasons is that kind.sh does this when installing kubevirt (among few other little things) or we can also just add those in our repo

        $OCI_BIN exec -t $node bash -c "echo 'fs.inotify.max_user_watches=1048576' >> /etc/sysctl.conf"
        $OCI_BIN exec -t $node bash -c "echo 'fs.inotify.max_user_instances=512' >> /etc/sysctl.conf"
        $OCI_BIN exec -i $node bash -c "sysctl -p /etc/sysctl.conf"
        if [[ "${node}" =~ worker ]]; then
            kubectl label nodes $node node-role.kubernetes.io/worker="" --overwrite=true
        fi

Maybe, but it should be done in a separate PR to be sure.
IIRC this is the first time that lane began to be flaky, am I correct?

[oshoval]

Maybe, but it should be done in a separate PR to be sure. IIRC this is the first time that lane began to be flaky, am I correct?

started lately
saw it one time or so before this PR

[oshoval]

what about just always allow 10s ?
and then we can drop this code

[RamLavi]

yeah I tend to agree..

[oshoval]

nit: maybe the commit message of that need to be changed please

[oshoval]

about the workflow failure - this is not a solution but maybe a temporary workaround and then we can fix it on a follow-up (imo 10s is not enough as we spoke):
please check if you want this function deploy_cnao_cr, and make sure multus is in the CR before the ipam one
it will save some reconcile cycles

EDIT - if CNAO waits for processing / ready state too short, it might fail because in the middle the state becomes fail for various errors, only eventually it will be processing / ready - not sure if relevant here, but i did saw it before
in areas that remind this area - to conclude we should be here more tolerant imho and eventually consistent, not too strict

[oshoval]

The condition can be moved into the function
but we can consider please doing it on a follow-up for all those methods not in this PR

same for the checkForNetworkAttachmentDefinition family

[RamLavi]

but we can consider doing it on a follow-up for all those methods not in this PR

+1

[RamLavi]

about the workflow failure - this is not a solution but maybe a temporary workaround and then we can fix it on a follow-up (imo 10s is not enough as we spoke): please check if you want this function deploy_cnao_cr, and make sure multus is in the CR before the ipam one it will save some reconcile cycles

EDIT - if CNAO waits for processing / ready state too short, it might fail because in the middle the state becomes fail for various errors, only eventually it will be processing / ready - not sure if relevant here, but i did saw it before in areas that remind this area - to conclude we should be here more tolerant imho and eventually consistent, not too strict

The issue was not relevant to timing, something much more dumb.
Removed the timeouts, let's see how we handle without them.

[oshoval]

Please let me know once all is passing and ready for review,
I think it will be better for us both.
of course if there are any questions just mention me please
Thanks

[oshoval]

nits, beside that lgtm
thanks

[oshoval]

please use
if ...; err != nil {
}

[RamLavi]

It's a cosmetic change, that should be done to all of the checkForX functions above. Let's do it in a separate refactor PR that does not change logic.

[oshoval]

well this is a new function, but i wont insist

[RamLavi]

I will make the change in a separate PR after this one is merged

[oshoval]

sure thx

[oshoval]

here you can just return err basically, but one can consider it less readable (imho it is fine fwiw)
so either this please or short writing

if ...; err != nil {
}

[RamLavi]

same

[oshoval]

one thing we can consider
limit this to specific NS (i.e default atm)
or even better - use it as Role instead ClusterRole
well for that we need a Role / RoleBinding in the default NS (not that this is risky a bit with backward compatibility once the NS is changed - for this reason we can postpone thinking of it and keep it ClusterRole atm)

[RamLavi]

My thoughts exactly.. we can decide to use more specifc RBAC when we decide what the final resting place of this NAD

[oshoval]

/lgtm cancel

please at least consider #1841 (comment)
if needed we can done it on a follow-up (in this case please consider to open an issue to track it),
but if it is possible to do it in this one it is better

EDIT - since using a Role can be risky later for backward compatibility in case the NS will be changed
we better postpone thinking about it and just use ClusterRole atm

[qinqon]

first pass let's not reference UDN here.

[qinqon]

Let's keep this primary-user-defined-network naming just for the name of the kubevirt binding, so it's exposed to users just as VM spec,

We should be specific here same ass we are with passt-binding-cni DaemonSet

So name should be something like

name: [CNAO namespace]-kubevirt-passt-binding-plugin

[RamLavi]

[CNAO namespace]

why CNAO namespace? CNAO only deploys, the ns has nothing to do with this NAD..

Also, CNAO's ns change on U/S,D/S, do we want the NAD's name to be different? (I mean, it's not braking anything, it's just kinda strange)

[qinqon]

After some back and forth let's name this

name: primary-udn-kubevirt-binding

[RamLavi]

DONE

[qinqon]

Let's differenciate from nad name, since those are different

name: [CNAO namespace]-kubevirt-passt-binding-plugin-net

[qinqon]

After some back and forth let's name this

name: primary-udn-kubevirt-binding

[RamLavi]

DONE

[qinqon]

ditto: Let's not reference UDN at the nad, just at the kubevirt CR config on HCO.

[RamLavi]

hmm, I'm not against this, but how will anyone ever understand the connection between the NAD and the binding? shouldn't they have at least something in common? a label maybe?

[qinqon]

Let's name this

004-primary-udn-kubevirt-binding-networkattachdef.yaml

[oshoval]

maybe just short nad ?
004-primary-udn-kubevirt-binding-nad.yaml

[RamLavi]

DONE

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
2.8% Duplication on New Code

See analysis details on SonarCloud

[RamLavi]

Change: Fixes for @qinqon 's review

[qinqon]

/lgtm

[RamLavi]

/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RamLavi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [RamLavi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[oshoval]

Please create a patch release, so it will be consumed wherever needed