From aa038523faacbb9927f9f18fa8942bcb89f331bc Mon Sep 17 00:00:00 2001 From: Luis Tomas Bolivar Date: Fri, 24 Nov 2023 15:12:16 +0100 Subject: [PATCH 1/3] Add a sample for deploying with BGP and OVN routing Kernel routing is used by default when deploying with BGP, but there is a new option to perform that routing directly in OVN, so that datapath acceleration is supported. This is a new template with a sample of the configuration required for that. --- ...stackdataplanenodeset_bgp_ovn_cluster.yaml | 166 ++++++++++++++++++ 1 file changed, 166 insertions(+) create mode 100644 config/samples/dataplane_v1beta1_openstackdataplanenodeset_bgp_ovn_cluster.yaml diff --git a/config/samples/dataplane_v1beta1_openstackdataplanenodeset_bgp_ovn_cluster.yaml b/config/samples/dataplane_v1beta1_openstackdataplanenodeset_bgp_ovn_cluster.yaml new file mode 100644 index 000000000..752b9d484 --- /dev/null +++ b/config/samples/dataplane_v1beta1_openstackdataplanenodeset_bgp_ovn_cluster.yaml
@@ -0,0 +1,166 @@ +apiVersion: dataplane.openstack.org/v1beta1 +kind: OpenStackDataPlaneNodeSet +metadata: + name: openstack-edpm +spec: + services: + - download-cache + - bootstrap + - configure-network + - validate-network + - frr + - install-os + - configure-os + - run-os + - ovn + - neutron-metadata + - ovn-bgp-agent + - libvirt + - nova + - telemetry + preProvisioned: true + nodes: + edpm-compute-0: + hostName: edpm-compute-0 + ansible: + ansibleHost: 192.168.122.100 + ansibleVars: + ctlplane_ip: 192.168.122.100 + internal_api_ip: 172.17.0.100 + storage_ip: 172.18.0.100 + tenant_ip: 172.19.0.100 + fqdn_internal_api: edpm-compute-0.example.com + networkAttachments: + - ctlplane + nodeTemplate: + ansibleSSHPrivateKeySecret: dataplane-ansible-ssh-private-key-secret + managementNetwork: ctlplane + ansible: + ansibleUser: cloud-admin + ansiblePort: 22 + ansibleVars: + timesync_ntp_servers: + - hostname: pool.ntp.org + # edpm_network_config + # Default nic config template for a EDPM compute node + # These vars are edpm_network_config role vars + edpm_network_config_hide_sensitive_logs: false + edpm_network_config_template: | + --- + {% set mtu_list = [ctlplane_mtu] %} + {% for network in role_networks %} + {{ mtu_list.append(lookup('vars', networks_lower[network] ~ '_mtu')) }} + {%- endfor %} + {% set min_viable_mtu = mtu_list | max %} + network_config: + - type: interface + name: nic1 + mtu: {{ ctlplane_mtu }} + dns_servers: {{ ctlplane_dns_nameservers }} + domain: {{ dns_search_domains }} + use_dhcp: false + addresses: + - ip_netmask: {{ ctlplane_ip }}/{{ ctlplane_subnet_cidr }} + {% for network in role_networks %} + {% if lookup('vars', networks_lower[network] ~ '_vlan_id', default='') %} + - type: vlan + device: nic1 + mtu: {{ lookup('vars', networks_lower[network] ~ '_mtu') }} + vlan_id: {{ lookup('vars', networks_lower[network] ~ '_vlan_id') }} + addresses: + - ip_netmask: + {{ lookup('vars', networks_lower[network] ~ '_ip') }}/{{ lookup('vars', 
networks_lower[network] ~ '_cidr') }} + routes: {{ lookup('vars', networks_lower[network] ~ '_host_routes') }} + {% endif %} + {%- endfor %} + - type: ovs_bridge + name: br-provider + use_dhcp: false + - type: ovs_bridge + name: {{ neutron_physical_bridge_name }} + mtu: {{ min_viable_mtu }} + use_dhcp: false + addresses: + - ip_netmask: {{ lookup('vars', 'bgp_net1_ip') }}/30 + members: + - type: interface + name: nic2 + mtu: {{ min_viable_mtu }} + # force the MAC address of the bridge to this interface + primary: true + - type: ovs_bridge + name: {{ neutron_physical_bridge_name }}-2 + mtu: {{ min_viable_mtu }} + use_dhcp: false + addresses: + - ip_netmask: {{ lookup('vars', 'bgp_net2_ip') }}/30 + members: + - type: interface + name: nic3 + mtu: {{ min_viable_mtu }} + # force the MAC address of the bridge to this interface + primary: true + - type: interface + name: lo + addresses: + - ip_netmask: {{ lookup('vars', 'bgp_main_net_ip') }}/32 + - ip_netmask: {{ lookup('vars', 'bgp_main_net6_ip') }}/128 + + # These vars are for the network config templates themselves and are + # considered EDPM network defaults. 
+ neutron_physical_bridge_name: br-ex + neutron_public_interface_name: eth0 + ctlplane_mtu: 1500 + ctlplane_subnet_cidr: 24 + ctlplane_gateway_ip: 192.168.122.1 + ctlplane_host_routes: + - ip_netmask: 0.0.0.0/0 + next_hop: 192.168.122.1 + external_mtu: 1500 + external_vlan_id: 44 + external_cidr: '24' + external_host_routes: [] + internal_api_mtu: 1500 + internal_api_vlan_id: 20 + internal_api_cidr: '24' + internal_api_host_routes: [] + storage_mtu: 1500 + storage_vlan_id: 21 + storage_cidr: '24' + storage_host_routes: [] + tenant_mtu: 1500 + tenant_vlan_id: 22 + tenant_cidr: '24' + tenant_host_routes: [] + role_networks: + - InternalApi + - Storage + - Tenant + networks_lower: + External: external + InternalApi: internal_api + Storage: storage + Tenant: tenant + # edpm_nodes_validation + edpm_nodes_validation_validate_controllers_icmp: false + edpm_nodes_validation_validate_gateway_icmp: false + ctlplane_dns_nameservers: + - 192.168.122.1 + dns_search_domains: [] + gather_facts: false + enable_debug: false + # edpm firewall, change the allowed CIDR if needed + edpm_sshd_configure_firewall: true + edpm_sshd_allowed_ranges: ['192.168.122.0/24'] + edpm_frr_bgp_uplinks: ['nic2', 'nic3'] + edpm_frr_bgp_neighbor_password: f00barZ + edpm_frr_bgp_ipv4_src_network: bgp_main_net + edpm_frr_bgp_ipv6_src_network: bgp_main_net6 + edpm_frr_bgp_peers: ['100.64.1.5', '100.65.1.5'] + edpm_ovn_bgp_agent_expose_tenant_networks: true + edpm_ovn_bgp_agent_local_ovn_routing: true + edpm_ovn_bridge_mappings: ['bgp:br-provider'] + edpm_ovn_bgp_agent_local_ovn_external_nics: ['eth1', 'eth2'] + edpm_ovn_bgp_agent_local_ovn_peer_ips: ['100.64.1.5', '100.65.1.5'] + edpm_ovn_bgp_agent_exposing_method: ovn + edpm_ovn_bgp_agent_provider_networks_pool_prefixes: '172.16.0.0/16' From f312bba7ce74a6b6fe89bdff738562241d58f6fb Mon Sep 17 00:00:00 2001 
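Review bot: `edpm_frr_bgp_neighbor_password: f00barZ` places the BGP neighbor password in clear text in the NodeSet CR, where anyone who can read the object gets it and where people who start from this sample will copy it verbatim; the SSH key in the same file already goes through `ansibleSSHPrivateKeySecret`, so the sample is inconsistent about what it treats as secret material. Mark the value as a placeholder and point at the secret-backed way of supplying it, e.g. the comment `# placeholder only - in a real deployment supply the BGP peer password from a Secret, not inline in the CR` above that line. A smaller point: `ctlplane_subnet_cidr: 24` is an unquoted integer while `external_cidr: '24'` and the other `_cidr` values are quoted strings, although the template above joins both kinds into `ip/prefix` the same way; using one form for all of them avoids a type surprise in whatever consumes these vars.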
From: rabi
Date: Mon, 27 Nov 2023 12:28:00 +0530
Subject: [PATCH 2/3] Do limited webhook validation for update/patch Currently scale-out is broken with nill pointer error as we can't call ValidateUpdate() from baremetalset webhook. This changes to use a limited validation around spec changes for bmhLabelSelector and HardwareReqs.
---
 api/go.mod | 4 ++--
 api/go.sum | 8 +++----
 .../openstackdataplanenodeset_webhook.go | 24 +++----------------
 go.mod | 2 +-
 go.sum | 6 ++---
 5 files changed, 13 insertions(+), 31 deletions(-)
diff --git a/api/go.mod b/api/go.mod
index b940d5d66..8b23a11e1 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -6,7 +6,7 @@ require (
 github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20231122104142-3b449040167e
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231122111552-6bd6025ade37
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20231122111552-6bd6025ade37
- github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231123111448-29e394985a34
+ github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231127065111-347f7cf3b2f5
 k8s.io/api v0.26.11
 k8s.io/apimachinery v0.26.11
 sigs.k8s.io/controller-runtime v0.14.7
@@ -47,7 +47,7 @@ require (
 github.com/prometheus/common v0.37.0 // indirect
 github.com/prometheus/procfs v0.8.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
- github.com/stretchr/testify v1.8.2 // indirect
+ github.com/stretchr/testify v1.8.3 // indirect
 golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
 golang.org/x/net v0.18.0 // indirect
 golang.org/x/oauth2 v0.8.0 // indirect
diff --git a/api/go.sum b/api/go.sum
index 1c8f4055c..0b642058d 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -231,8 +231,8 @@ github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.2023112211
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231122111552-6bd6025ade37/go.mod h1:/6//JWNEY68jOMoaoaSI0koL2jzpEKim3m60+jFCbqY=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20231122111552-6bd6025ade37 h1:F/sQ5+TzB1dVf4VyeyLDtcyNQDHnIkqZPK9V+cr/f6s=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20231122111552-6bd6025ade37/go.mod h1:PAcGzUsidkqZLBv7aVf7tJsq9pzxGUwFDvA5Zeaq0a4=
-github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231123111448-29e394985a34 h1:7ZSX60sdoF5/CBpQu1PBPfo8RFRuT1lzIpnqrYbjMuo=
-github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231123111448-29e394985a34/go.mod h1:JLCVgdpOAk/zcJPJ+od/d0qOb41vkKsi9kzfjSQ6BAU=
+github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231127065111-347f7cf3b2f5 h1:eZvqDZn1+TnRwrwT0A0rsuFIhPX6iWLCJNtGA2vGcrM=
+github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231127065111-347f7cf3b2f5/go.mod h1:JLCVgdpOAk/zcJPJ+od/d0qOb41vkKsi9kzfjSQ6BAU=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -286,8 +286,8 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
+github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
diff --git a/api/v1beta1/openstackdataplanenodeset_webhook.go b/api/v1beta1/openstackdataplanenodeset_webhook.go
index 9f35fb456..97a553ea2 100644
--- a/api/v1beta1/openstackdataplanenodeset_webhook.go
+++ b/api/v1beta1/openstackdataplanenodeset_webhook.go
@@ -22,7 +22,6 @@ import ( baremetalv1 "github.com/openstack-k8s-operators/openstack-baremetal-operator/api/v1beta1" apierrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/validation/field"
@@ -97,7 +96,7 @@ func (r *OpenStackDataPlaneNodeSet) ValidateUpdate(old runtime.Object) error { oldNodeSet, ok := old.(*OpenStackDataPlaneNodeSet) if !ok { return apierrors.NewInternalError( - fmt.Errorf("Expected a OpenStackDataPlaneNodeSet object, but got %T", oldNodeSet)) + fmt.Errorf("expected a OpenStackDataPlaneNodeSet object, but got %T", oldNodeSet)) } var errors field.ErrorList @@ -107,26 +106,9 @@ func (r *OpenStackDataPlaneNodeSet) ValidateUpdate(old runtime.Object) error { // If the BaremetalSetTemplate is changed, we will offload the parsing of these details // to the openstack-baremetal-operator webhook to avoid duplicating logic. if !reflect.DeepEqual(r.Spec.BaremetalSetTemplate, oldNodeSet.Spec.BaremetalSetTemplate) { - // Initialize OpenStackBaremetalSet with old spec details - oldBaremetalSetObject := &baremetalv1.OpenStackBaremetalSet{ - ObjectMeta: metav1.ObjectMeta{ - Name: r.Name, - Namespace: r.Namespace, - }, - } - oldNodeSet.Spec.BaremetalSetTemplate.DeepCopyInto(&oldBaremetalSetObject.Spec) - - // Initialize OpenStackBaremetalSet with new spec details - baremetalSetObject := &baremetalv1.OpenStackBaremetalSet{ - ObjectMeta: metav1.ObjectMeta{ - Name: r.Name, - Namespace: r.Namespace, - }, - } - r.Spec.BaremetalSetTemplate.DeepCopyInto(&baremetalSetObject.Spec) - // Call openstack-baremetal-operator ValidateUpdate() webhook to parse changes - err := baremetalSetObject.ValidateUpdate(oldBaremetalSetObject) + // Call openstack-baremetal-operator webhook Validate() to parse changes + err := r.Spec.BaremetalSetTemplate.Validate(oldNodeSet.Spec.BaremetalSetTemplate) if err != nil { errors = append(errors, field.Forbidden( field.NewPath("spec.baremetalSetTemplate"), diff --git a/go.mod b/go.mod index cf3da4153..c2fa8e10f 100644 --- a/go.mod +++ b/go.mod 
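Review bot: The new `err := r.Spec.BaremetalSetTemplate.Validate(oldNodeSet.Spec.BaremetalSetTemplate)` in the second hunk narrows what an update is checked against: the deleted code ran the baremetal-operator's full `ValidateUpdate()` on old and new template objects, while the commit message describes the new call as limited to bmhLabelSelector and HardwareReqs, so other template fields that the old path may have rejected on update are presumably admitted now without any check. The kept comment `// If the BaremetalSetTemplate is changed, we will offload the parsing of these details` / `// to the openstack-baremetal-operator webhook to avoid duplicating logic.` no longer describes that; reword it to something like `// If the BaremetalSetTemplate changed, delegate to the baremetal-operator's Validate(), which only checks a subset of spec changes (bmhLabelSelector, hardwareReqs); other template edits are accepted here.` and, if any of those other fields are meant to stay immutable, add that check in this branch rather than relying on the downstream webhook. Minor: `var errors field.ErrorList` (context in the first hunk) shadows the name of the standard `errors` package for the rest of this function; `errs` reads better, though that line is not new. ValidateUpdate continues past the end of both hunks.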
@@ -20,7 +20,7 @@ require (
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20231122111552-6bd6025ade37
 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20231122111552-6bd6025ade37
 github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.0
- github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231123111448-29e394985a34
+ github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231127065111-347f7cf3b2f5
 golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
 gopkg.in/yaml.v3 v3.0.1
 k8s.io/api v0.26.11
diff --git a/go.sum b/go.sum
index 1326dbb79..c52bc7d5b 100644
--- a/go.sum
+++ b/go.sum
@@ -247,8 +247,8 @@ github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.202311221115
 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20231122111552-6bd6025ade37/go.mod h1:xKsHwzBHiAeEGs0mwxnxs1PRZOYU48bTQ1WFNxICIOI=
 github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.0 h1:QSAPaJ5pR1LUscHC7V/TSdyKwUKwd+1zjkzeyHkfHF0=
 github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.0/go.mod h1:UxWKFScj0gVurdBfTwenf2QyRANjFkMWkFz3KPcsWv0=
-github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231123111448-29e394985a34 h1:7ZSX60sdoF5/CBpQu1PBPfo8RFRuT1lzIpnqrYbjMuo=
-github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231123111448-29e394985a34/go.mod h1:JLCVgdpOAk/zcJPJ+od/d0qOb41vkKsi9kzfjSQ6BAU=
+github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231127065111-347f7cf3b2f5 h1:eZvqDZn1+TnRwrwT0A0rsuFIhPX6iWLCJNtGA2vGcrM=
+github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20231127065111-347f7cf3b2f5/go.mod h1:JLCVgdpOAk/zcJPJ+od/d0qOb41vkKsi9kzfjSQ6BAU=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -304,7 +304,7 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
From b524b4ed2f2a7b455a204c3716dfe61fbf8ce6e4 Mon Sep 17 00:00:00 2001
From: Balazs Gibizer
Date: Tue, 28 Nov 2023 17:44:43 +0100
Subject: [PATCH 3/3] [doc]Change ssh migration key to ECDSA Even though the recent FIPS standard[1] allows ED25519 ssh keys, the current FIPS profile in centos9 stream does not allow it. So the current migration ssh key isn't usable. This PR changes the key type to ECDSA until the profile is updated. [1] https://csrc.nist.gov/pubs/fips/186-5/final
---
 docs/deploying.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/deploying.md b/docs/deploying.md
index e728d0186..bfde8055d 100644
--- a/docs/deploying.md
+++ b/docs/deploying.md
@@ -374,7 +374,7 @@ configuration before the deployment can be started.
 * The service needs an SSH key-pair provided. Generate an ssh key-pair and store it in a Secret named `nova-migration-ssh-key`.
 ```console
 $ cd "$(mktemp -d)"
- $ ssh-keygen -f ./id -t ed25519 -N ''
+ $ ssh-keygen -f ./id -t ecdsa-sha2-nistp521 -N ''
 $ oc create secret generic nova-migration-ssh-key \
 -n openstack \
 --from-file=ssh-privatekey=id \