Merge ovs-db and ovs-vswitchd in one Daemonset

There is no use case in which ovs-db and ovs-vswitchd run on
different nodes.
In terms of version upgrade, ovs-db and ovs-vswitchd should be
upgraded together in every node.
This commit deploys ovs-db and ovs-vswitchd in one daemonset.

Change-Id: I791b9f7abfd3ca838dc2adfaa6c606bb1c88d19d
root 2022-12-03 01:15:10 +11:00 committed by Chris Wedgwood
parent aa3efe9715
commit 73e2b3322d
5 changed files with 83 additions and 162 deletions


@ -15,7 +15,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm OpenVSwitch description: OpenStack-Helm OpenVSwitch
name: openvswitch name: openvswitch
version: 0.1.9 version: 0.1.10
home: http://openvswitch.org home: http://openvswitch.org
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
sources: sources:


@ -1,118 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "ovsdblivenessProbeTemplate" }}
exec:
command:
- /usr/bin/ovs-vsctl
- show
{{- end }}
{{- define "ovsdbreadinessProbeTemplate" }}
exec:
command:
- /usr/bin/ovs-vsctl
- list
- Open_Vswitch
{{- end }}
{{- if .Values.manifests.daemonset_ovs_db }}
{{- $envAll := . }}
{{- $serviceAccountName := "openvswitch-db" }}
{{ tuple $envAll "db" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: openvswitch-db
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
{{ tuple $envAll "openvswitch" "openvswitch-vswitchd-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
{{ tuple $envAll "openvswitch" "openvswitch-vswitchd-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll "ovs_db" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
template:
metadata:
labels:
{{ tuple $envAll "openvswitch" "openvswitch-vswitchd-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "openvswitch-db" "containerNames" (list "openvswitch-db" "openvswitch-db-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
shareProcessNamespace: true
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "openvswitch_db_server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
nodeSelector:
{{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
{{ if $envAll.Values.pod.tolerations.openvswitch.enabled }}
{{ tuple $envAll "openvswitch" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{ end }}
dnsPolicy: {{ .Values.pod.dns_policy }}
hostNetwork: true
initContainers:
{{ tuple $envAll "db" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: openvswitch-db-perms
{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "openvswitch_db_server" "container" "perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- chown
- -R
- {{ $envAll.Values.pod.security_context.openvswitch_db_server.container.server.runAsUser | quote }}
- /run/openvswitch
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: run
mountPath: /run/openvswitch
containers:
- name: openvswitch-db
{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "openvswitch_db_server" "container" "server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "component" "ovs_db" "container" "ovs_db" "type" "liveness" "probeTemplate" (include "ovsdblivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "ovs_db" "container" "ovs_db" "type" "readiness" "probeTemplate" (include "ovsdbreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
command:
- /tmp/openvswitch-db-server.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/openvswitch-db-server.sh
- stop
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: openvswitch-bin
mountPath: /tmp/openvswitch-db-server.sh
subPath: openvswitch-db-server.sh
readOnly: true
- name: run
mountPath: /run/openvswitch
volumes:
- name: pod-tmp
emptyDir: {}
- name: openvswitch-bin
configMap:
name: openvswitch-bin
defaultMode: 0555
- name: run
hostPath:
path: /run/openvswitch
{{- end }}


@ -12,11 +12,26 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
{{- define "ovsdblivenessProbeTemplate" }}
exec:
command:
- /usr/bin/ovs-vsctl
- show
{{- end }}
{{- define "ovsdbreadinessProbeTemplate" }}
exec:
command:
- /usr/bin/ovs-vsctl
- list
- Open_Vswitch
{{- end }}
{{- define "ovsvswitchlivenessProbeTemplate" }} {{- define "ovsvswitchlivenessProbeTemplate" }}
exec: exec:
command: command:
{{- if .Values.pod.probes.ovs_vswitch.ovs_vswitch.liveness.exec }} {{- if .Values.pod.probes.ovs.ovs_vswitch.liveness.exec }}
{{ .Values.pod.probes.ovs_vswitch.ovs_vswitch.liveness.exec | toYaml | indent 4 }} {{ .Values.pod.probes.ovs.ovs_vswitch.liveness.exec | toYaml | indent 4 }}
{{- else }} {{- else }}
- /usr/bin/ovs-appctl - /usr/bin/ovs-appctl
- bond/list - bond/list
@ -26,8 +41,8 @@ exec:
{{- define "ovsvswitchreadinessProbeTemplate" }} {{- define "ovsvswitchreadinessProbeTemplate" }}
exec: exec:
command: command:
{{- if .Values.pod.probes.ovs_vswitch.ovs_vswitch.readiness.exec }} {{- if .Values.pod.probes.ovs.ovs_vswitch.readiness.exec }}
{{ .Values.pod.probes.ovs_vswitch.ovs_vswitch.readiness.exec | toYaml | indent 4 }} {{ .Values.pod.probes.ovs.ovs_vswitch.readiness.exec | toYaml | indent 4 }}
{{- else if not .Values.conf.ovs_dpdk.enabled }} {{- else if not .Values.conf.ovs_dpdk.enabled }}
- /bin/bash - /bin/bash
- -c - -c
@ -39,37 +54,33 @@ exec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.manifests.daemonset_ovs_vswitchd }} {{- if .Values.manifests.daemonset }}
{{- $envAll := . }} {{- $envAll := . }}
{{- $serviceAccountName := "openvswitch-vswitchd" }}
{{ tuple $envAll "vswitchd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
name: openvswitch-vswitchd name: openvswitch
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels: labels:
{{ tuple $envAll "openvswitch" "openvswitch-vswitchd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec: spec:
selector: selector:
matchLabels: matchLabels:
{{ tuple $envAll "openvswitch" "openvswitch-vswitchd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} {{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll "ovs_vswitchd" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }} {{ tuple $envAll "ovs" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
template: template:
metadata: metadata:
labels: labels:
{{ tuple $envAll "openvswitch" "openvswitch-vswitchd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "openvswitch-vswitchd" "containerNames" (list "openvswitch-vswitchd" "openvswitch-vswitchd-modules" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{ dict "envAll" $envAll "podName" "openvswitch" "containerNames" (list "openvswitch-db" "openvswitch-db-perms" "openvswitch-vswitchd" "openvswitch-vswitchd-modules" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
shareProcessNamespace: true shareProcessNamespace: true
serviceAccountName: {{ $serviceAccountName }} {{ dict "envAll" $envAll "application" "ovs" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
{{ dict "envAll" $envAll "application" "openvswitch_vswitchd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
nodeSelector: nodeSelector:
{{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
{{ if $envAll.Values.pod.tolerations.openvswitch.enabled }} {{ if $envAll.Values.pod.tolerations.openvswitch.enabled }}
@ -78,10 +89,24 @@ spec:
dnsPolicy: {{ .Values.pod.dns_policy }} dnsPolicy: {{ .Values.pod.dns_policy }}
hostNetwork: true hostNetwork: true
initContainers: initContainers:
{{ tuple $envAll "vswitchd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ tuple $envAll "ovs" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: openvswitch-db-perms
{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "ovs" "container" "perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- chown
- -R
- {{ $envAll.Values.pod.security_context.ovs.container.server.runAsUser | quote }}
- /run/openvswitch
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: run-openvswitch
mountPath: /run/openvswitch
- name: openvswitch-vswitchd-modules - name: openvswitch-vswitchd-modules
{{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "openvswitch_vswitchd" "container" "modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "ovs" "container" "modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command: command:
- /tmp/openvswitch-vswitchd-init-modules.sh - /tmp/openvswitch-vswitchd-init-modules.sh
volumeMounts: volumeMounts:
@ -96,11 +121,35 @@ spec:
mountPropagation: HostToContainer mountPropagation: HostToContainer
readOnly: true readOnly: true
containers: containers:
- name: openvswitch-db
{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "ovs" "container" "server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_db" "type" "liveness" "probeTemplate" (include "ovsdblivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_db" "type" "readiness" "probeTemplate" (include "ovsdbreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
command:
- /tmp/openvswitch-db-server.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/openvswitch-db-server.sh
- stop
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: openvswitch-bin
mountPath: /tmp/openvswitch-db-server.sh
subPath: openvswitch-db-server.sh
readOnly: true
- name: run
mountPath: /run
- name: openvswitch-vswitchd - name: openvswitch-vswitchd
{{- if .Values.conf.ovs_dpdk.enabled }} {{- if .Values.conf.ovs_dpdk.enabled }}
{{/* Run the container in priviledged mode due to the need for root {{/* Run the container in priviledged mode due to the need for root
permissions when using the uio_pci_generic driver. */}} permissions when using the uio_pci_generic driver. */}}
{{- $_ := set $envAll.Values.pod.security_context.openvswitch_vswitchd.container.vswitchd "privileged" true -}} {{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
{{/* Limiting CPU cores would severely affect packet throughput {{/* Limiting CPU cores would severely affect packet throughput
It should be handled through lcore and pmd core masks. */}} It should be handled through lcore and pmd core masks. */}}
{{- if .Values.pod.resources.enabled }} {{- if .Values.pod.resources.enabled }}
@ -109,12 +158,12 @@ It should be handled through lcore and pmd core masks. */}}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "openvswitch_vswitchd" "container" "vswitchd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "ovs" "container" "vswitchd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ovs.vswitchd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ovs.vswitchd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
# ensures this container can speak to the ovs database # ensures this container can speak to the ovs database
# successfully before its marked as ready # successfully before its marked as ready
{{ dict "envAll" $envAll "component" "ovs_vswitch" "container" "ovs_vswitch" "type" "liveness" "probeTemplate" (include "ovsvswitchlivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} {{ dict "envAll" $envAll "component" "ovs" "container" "ovs_vswitch" "type" "liveness" "probeTemplate" (include "ovsvswitchlivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "ovs_vswitch" "container" "ovs_vswitch" "type" "readiness" "probeTemplate" (include "ovsvswitchreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} {{ dict "envAll" $envAll "component" "ovs" "container" "ovs_vswitch" "type" "readiness" "probeTemplate" (include "ovsvswitchreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
command: command:
- /tmp/openvswitch-vswitchd.sh - /tmp/openvswitch-vswitchd.sh
- start - start
@ -167,6 +216,10 @@ It should be handled through lcore and pmd core masks. */}}
hostPath: hostPath:
path: /run path: /run
type: Directory type: Directory
- name: run-openvswitch
hostPath:
path: /run/openvswitch
type: DirectoryOrCreate
- name: host-rootfs - name: host-rootfs
hostPath: hostPath:
path: / path: /
@ -204,4 +257,4 @@ It should be handled through lcore and pmd core masks. */}}
hostPath: hostPath:
path: /sys/fs/cgroup path: /sys/fs/cgroup
{{- end }} {{- end }}
{{- end }} {{- end }}
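Review bot: The new `openvswitch-db` container mounts the `run` volume at `/run`, which the volumes context in this section shows to be the host's `/run` directory, whereas the deleted ovs-db DaemonSet gave the same container only `/run/openvswitch`. Host `/run` commonly holds runtime sockets and other daemons' state, so the database container can now reach well beyond its own socket directory. The section already adds a narrower `run-openvswitch` hostPath volume for the perms init container, and the db container could use it too: `- name: run-openvswitch` with `mountPath: /run/openvswitch`. Separately, the new side drops `serviceAccountName` and the RBAC service-account include with no replacement visible here, so the pod presumably falls back to the namespace default service account; it is worth confirming that this is intended.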


@ -45,7 +45,7 @@ pod:
operator: Exists operator: Exists
effect: NoSchedule effect: NoSchedule
probes: probes:
ovs_db: ovs:
ovs_db: ovs_db:
liveness: liveness:
enabled: true enabled: true
@ -59,7 +59,6 @@ pod:
initialDelaySeconds: 90 initialDelaySeconds: 90
periodSeconds: 30 periodSeconds: 30
timeoutSeconds: 5 timeoutSeconds: 5
ovs_vswitch:
ovs_vswitch: ovs_vswitch:
liveness: liveness:
enabled: true enabled: true
@ -74,7 +73,7 @@ pod:
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 1 timeoutSeconds: 1
security_context: security_context:
openvswitch_db_server: ovs:
pod: pod:
runAsUser: 42424 runAsUser: 42424
container: container:
@ -86,10 +85,6 @@ pod:
runAsUser: 42424 runAsUser: 42424
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
openvswitch_vswitchd:
pod:
runAsUser: 0
container:
modules: modules:
runAsUser: 0 runAsUser: 0
capabilities: capabilities:
@ -108,11 +103,7 @@ pod:
upgrades: upgrades:
daemonsets: daemonsets:
pod_replacement_strategy: RollingUpdate pod_replacement_strategy: RollingUpdate
ovs_db: ovs:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
ovs_vswitchd:
enabled: true enabled: true
min_ready_seconds: 0 min_ready_seconds: 0
max_unavailable: 1 max_unavailable: 1
@ -199,13 +190,7 @@ dependencies:
- endpoint: node - endpoint: node
service: local_image_registry service: local_image_registry
static: static:
db: null ovs: null
vswitchd:
pod:
- requireSameNode: true
labels:
application: openvswitch
component: openvswitch-vswitchd-db
image_repo_sync: image_repo_sync:
services: services:
- endpoint: internal - endpoint: internal
@ -213,7 +198,7 @@ dependencies:
manifests: manifests:
configmap_bin: true configmap_bin: true
daemonset_ovs_db: true daemonset: true
daemonset_ovs_vswitchd: true daemonset_ovs_vswitchd: true
job_image_repo_sync: true job_image_repo_sync: true
network_policy: false network_policy: false
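Review bot: `daemonset_ovs_vswitchd: true` stays under `manifests` in the last hunk although the template in this commit gates only on `.Values.manifests.daemonset`, so the key is dead and should be removed. More broadly, the renames (`manifests.daemonset_ovs_db` to `daemonset`, `pod.security_context.openvswitch_db_server` and `openvswitch_vswitchd` to `ovs`, `pod.probes.ovs_db` and `ovs_vswitch` to `ovs`) mean that existing overrides under the old keys are silently ignored after an upgrade, as far as the visible hunks show. That includes any security-context hardening and any `false` meant to disable a DaemonSet. A comment above the renamed keys, e.g. `# NOTE: replaces openvswitch_db_server and openvswitch_vswitchd; overrides under the old keys are ignored`, and a line in the release notes would make this visible to operators.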


@ -10,4 +10,5 @@ openvswitch:
- 0.1.7 Enable taint toleration for Openstack services jobs - 0.1.7 Enable taint toleration for Openstack services jobs
- 0.1.8 Added OCI registry authentication - 0.1.8 Added OCI registry authentication
- 0.1.9 Enable ovs hardware offload - 0.1.9 Enable ovs hardware offload
- 0.1.10 Merge ovs-db and ovs-vswitchd in one Daemonset
... ...