Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OCPBUGS-53140: Validation for API and Ingress VIPs when using user-managed load balancer #9571

Merged
merged 4 commits into from
Apr 1, 2025
Merged

OCPBUGS-53140: Validation for API and Ingress VIPs when using user-managed load balancer #9571

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ae32f27
Prevent default API and Ingress VIP generation for user-managed load …
dkokkino Mar 17, 2025
4770f5c
Add default load balancer if none is specified
dkokkino Mar 21, 2025
3fbebef
Add unit tests for OpenStack platform defaults
dkokkino Mar 25, 2025
6317f88
Edit manifest test
dkokkino Mar 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 35 additions & 23 deletions pkg/types/openstack/defaults/platform.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (

"github.com/apparentlymart/go-cidr/cidr"

configv1 "github.com/openshift/api/config/v1"
"github.com/openshift/installer/pkg/types"
"github.com/openshift/installer/pkg/types/openstack"
)
Expand All @@ -25,32 +26,43 @@ func SetPlatformDefaults(p *openstack.Platform, n *types.Networking) {
p.Cloud = DefaultCloudName
}
}
// APIVIP returns the internal virtual IP address (VIP) put in front
// of the Kubernetes API server for use by components inside the
// cluster. The DNS static pods running on the nodes resolve the
// api-int record to APIVIP.
if len(p.APIVIPs) == 0 && p.DeprecatedAPIVIP == "" {
vip, err := cidr.Host(&n.MachineNetwork[0].CIDR.IPNet, 5)
if err != nil {
// This will fail validation and abort the install
p.APIVIPs = []string{fmt.Sprintf("could not derive API VIP from machine networks: %s", err.Error())}
} else {
p.APIVIPs = []string{vip.String()}
// When there is no loadbalancer present create a default Openshift managed loadbalancer
if p.LoadBalancer == nil {
p.LoadBalancer = &configv1.OpenStackPlatformLoadBalancer{
Type: configv1.LoadBalancerTypeOpenShiftManagedDefault,
}
}

// IngressVIP returns the internal virtual IP address (VIP) put in
// front of the OpenShift router pods. This provides the internal
// accessibility to the internal pods running on the worker nodes,
// e.g. `console`. The DNS static pods running on the nodes resolve
// the wildcard apps record to IngressVIP.
if len(p.IngressVIPs) == 0 && p.DeprecatedIngressVIP == "" {
vip, err := cidr.Host(&n.MachineNetwork[0].CIDR.IPNet, 7)
if err != nil {
// This will fail validation and abort the install
p.IngressVIPs = []string{fmt.Sprintf("could not derive Ingress VIP from machine networks: %s", err.Error())}
} else {
p.IngressVIPs = []string{vip.String()}
// When using user-managed loadbalancer do not generate default API and Ingress VIPs
if p.LoadBalancer.Type != configv1.LoadBalancerTypeUserManaged {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

p.LoadBalancer might be nil, we should guard against it.

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_installer/9571/pull-ci-openshift-installer-main-unit/1902411950734708736#1:build-log.txt%3A229

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for pointing this out. I have now added a guard to create a default openshift managed load balancer if one does not exist.

	if p.LoadBalancer == nil {
		p.LoadBalancer = &configv1.OpenStackPlatformLoadBalancer{
			Type: configv1.LoadBalancerTypeOpenShiftManagedDefault,
		}
	}

// APIVIP returns the internal virtual IP address (VIP) put in front
// of the Kubernetes API server for use by components inside the
// cluster. The DNS static pods running on the nodes resolve the
// api-int record to APIVIP.
if len(p.APIVIPs) == 0 && p.DeprecatedAPIVIP == "" {
vip, err := cidr.Host(&n.MachineNetwork[0].CIDR.IPNet, 5)
if err != nil {
// This will fail validation and abort the install
p.APIVIPs = []string{fmt.Sprintf("could not derive API VIP from machine networks: %s", err.Error())}
} else {
p.APIVIPs = []string{vip.String()}
}
}

// IngressVIP returns the internal virtual IP address (VIP) put in
// front of the OpenShift router pods. This provides the internal
// accessibility to the internal pods running on the worker nodes,
// e.g. `console`. The DNS static pods running on the nodes resolve
// the wildcard apps record to IngressVIP.
if len(p.IngressVIPs) == 0 && p.DeprecatedIngressVIP == "" {
vip, err := cidr.Host(&n.MachineNetwork[0].CIDR.IPNet, 7)
if err != nil {
// This will fail validation and abort the install
p.IngressVIPs = []string{fmt.Sprintf("could not derive Ingress VIP from machine networks: %s", err.Error())}
} else {
p.IngressVIPs = []string{vip.String()}
}
}
}

}
120 changes: 120 additions & 0 deletions pkg/types/openstack/defaults/platform_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
package defaults

import (
"testing"

"github.com/stretchr/testify/assert"

configv1 "github.com/openshift/api/config/v1"
"github.com/openshift/installer/pkg/ipnet"
"github.com/openshift/installer/pkg/types"
"github.com/openshift/installer/pkg/types/openstack"
)

func validPlatform() *openstack.Platform {
return &openstack.Platform{
Cloud: "test-cloud",
ExternalNetwork: "test-network",
}
}

func validNetworking() *types.Networking {
return &types.Networking{
NetworkType: "OVNKubernetes",
MachineNetwork: []types.MachineNetworkEntry{{
CIDR: *ipnet.MustParseCIDR("10.0.0.0/16"),
}},
}
}

func TestSetPlatformDefaults(t *testing.T) {
cases := []struct {
name string
platform *openstack.Platform
config *types.InstallConfig
networking *types.Networking
expectedLB configv1.PlatformLoadBalancerType
expectedAPIVIPs []string
expectedIngressVIPs []string
}{
{
name: "No load balancer provided",
platform: func() *openstack.Platform {
p := validPlatform()
return p
}(),
networking: validNetworking(),
expectedAPIVIPs: []string{"10.0.0.5"},
expectedIngressVIPs: []string{"10.0.0.7"},
expectedLB: "OpenShiftManagedDefault",
},
{
name: "Default Openshift Managed load balancer VIPs provided",
platform: func() *openstack.Platform {
p := validPlatform()
p.LoadBalancer = &configv1.OpenStackPlatformLoadBalancer{
Type: configv1.LoadBalancerTypeOpenShiftManagedDefault,
}
p.APIVIPs = []string{"10.0.0.2"}
p.IngressVIPs = []string{"10.0.0.3"}
return p
}(),
networking: validNetworking(),
expectedAPIVIPs: []string{"10.0.0.2"},
expectedIngressVIPs: []string{"10.0.0.3"},
expectedLB: "OpenShiftManagedDefault",
},
{
name: "Default Openshift Managed load balancer no VIPs provided",
platform: func() *openstack.Platform {
p := validPlatform()
p.LoadBalancer = &configv1.OpenStackPlatformLoadBalancer{
Type: configv1.LoadBalancerTypeOpenShiftManagedDefault,
}
return p
}(),
networking: validNetworking(),
expectedAPIVIPs: []string{"10.0.0.5"},
expectedIngressVIPs: []string{"10.0.0.7"},
expectedLB: "OpenShiftManagedDefault",
},
{
name: "User managed load balancer VIPs provided",
platform: func() *openstack.Platform {
p := validPlatform()
p.LoadBalancer = &configv1.OpenStackPlatformLoadBalancer{
Type: configv1.LoadBalancerTypeUserManaged,
}
p.APIVIPs = []string{"192.168.100.10"}
p.IngressVIPs = []string{"192.168.100.11"}
return p
}(),
networking: validNetworking(),
expectedAPIVIPs: []string{"192.168.100.10"},
expectedIngressVIPs: []string{"192.168.100.11"},
expectedLB: "UserManaged",
},
{
name: "User managed load balancer no VIPs provided",
platform: func() *openstack.Platform {
p := validPlatform()
p.LoadBalancer = &configv1.OpenStackPlatformLoadBalancer{
Type: configv1.LoadBalancerTypeUserManaged,
}
return p
}(),
networking: validNetworking(),
expectedAPIVIPs: []string(nil),
expectedIngressVIPs: []string(nil),
expectedLB: "UserManaged",
},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
SetPlatformDefaults(tc.platform, tc.networking)
assert.Equal(t, tc.expectedLB, tc.platform.LoadBalancer.Type, "unexpected loadbalancer")
assert.Equal(t, tc.expectedAPIVIPs, tc.platform.APIVIPs, "unexpected APIVIPs")
assert.Equal(t, tc.expectedIngressVIPs, tc.platform.IngressVIPs, "unexpected IngressVIPs")
})
}
}
9 changes: 7 additions & 2 deletions scripts/openstack/manifest-tests/lb-default-stable/test_cluster-infra.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,13 @@ def setUp(self):
self.cluster_infra = yaml.load(f, Loader=yaml.FullLoader)

def test_load_balancer(self):
"""Assert that the Cluster infrastructure object does not contain the LoadBalancer configuration."""
self.assertNotIn("loadBalancer", self.cluster_infra["status"]["platformStatus"]["openstack"])
"""Assert that the Cluster infrastructure object contains the default LoadBalancer configuration."""
self.assertIn("loadBalancer", self.cluster_infra["status"]["platformStatus"]["openstack"])

loadBalancer = self.cluster_infra["status"]["platformStatus"]["openstack"]["loadBalancer"]

self.assertIn("type", loadBalancer)
self.assertEqual("OpenShiftManagedDefault", loadBalancer["type"])


if __name__ == '__main__':
Expand Down
4 changes: 4 additions & 0 deletions scripts/openstack/manifest-tests/lb-unmanaged/install-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,8 @@ platform:
cloud: ${OS_CLOUD}
loadBalancer:
type: UserManaged
apiVIPs:
- 10.0.128.10
ingressVIPs:
- 10.0.128.20
pullSecret: ${PULL_SECRET}