OCPBUGS-55962: Provide config map to force loose isolation for UDN networks

[pperiyasamy]

This PR adds support for configuring loose isolation mode for the BGP advertised UDN networks. The config map with name openshift-network-operator/udn-config-overrides must be created with force-loose-isolation key set to true which rolls out the loose mode by recreating ovnkube-node daemonset pods.

Steps to roll out loose isolation mode:

1. Create a below config map.

kind: ConfigMap
apiVersion: v1
metadata:
  name: udn-config-overrides
  namespace: openshift-network-operator
data:
  force-loose-isolation: "true"

2. Wait for ovnkube-node DS rollout to complete.
3. Create BGP advertised UDN networks.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pperiyasamy
Once this PR has been reviewed and has the lgtm label, please assign trozet for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@pperiyasamy: This pull request references Jira Issue OCPBUGS-55962, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.0) matches configured target version for branch (4.20.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @zhaozhanqi

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This PR adds support for configuring loose isolation mode for the BGP advertised UDN networks. The config map with name openshift-network-operator/udn-config-overrides must be created with force-loose-isolation key set to true which rolls out the loose mode by recreating ovnkube-node daemonset pods.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pperiyasamy]

/retest

[pperiyasamy]

/assign @kyrtapz @jcaamano

[pperiyasamy]

/retest

[openshift-ci-robot]

@pperiyasamy: This pull request references Jira Issue OCPBUGS-55962, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.0) matches configured target version for branch (4.20.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @Meina-rh

In response to this:

This PR adds support for configuring loose isolation mode for the BGP advertised UDN networks. The config map with name openshift-network-operator/udn-config-overrides must be created with force-loose-isolation key set to true which rolls out the loose mode by recreating ovnkube-node daemonset pods.

Steps to roll out loose isolation mode:

1. Create a below config map.

kind: ConfigMap
apiVersion: v1
metadata:
 name: udn-config-overrides
 namespace: openshift-network-operator
data:
 force-loose-isolation: "true"

2. Wait for ovnkube-node DS rollout to complete.
3. Create BGP advertised UDN networks.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pperiyasamy]

/assign @Meina-rh @anuragthehatter @jechen0648

[openshift-ci]

@pperiyasamy: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade	c9d43f1	link	false	/test 4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade
ci/prow/security	c9d43f1	link	false	/test security
ci/prow/e2e-aws-hypershift-ovn-kubevirt	c9d43f1	link	false	/test e2e-aws-hypershift-ovn-kubevirt
ci/prow/4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-upgrade	c9d43f1	link	false	/test 4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-upgrade
ci/prow/4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade	c9d43f1	link	false	/test 4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade
ci/prow/e2e-vsphere-ovn-dualstack-primaryv6	c9d43f1	link	false	/test e2e-vsphere-ovn-dualstack-primaryv6
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp	c9d43f1	link	true	/test e2e-metal-ipi-ovn-dualstack-bgp
ci/prow/e2e-aws-ovn-upgrade-ipsec	c9d43f1	link	true	/test e2e-aws-ovn-upgrade-ipsec

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[arkadeepsen]

Overall looks good apart from the minor comments. Do we have e2e tests for this feature in the origin repo?

[arkadeepsen]

Suggested change

	if err := client.ClientFor("").CRClient().Get(context.TODO(),
	if err := client.Default().CRClient().Get(context.TODO(),

[arkadeepsen]

Should udn-config-overrides be added as a constant? Then the constant can be used here.

[jcaamano]

I was thinking if we should go more generic with the name and use ovn-kubernetes-config-overrides and this be a more generic getOVNKConfigOverrides returning a map. Just to prevent us from spreading on config map names.

[pliurh]

Can we just use the existing env-overrides configmap instead of creating a new configmap?

[pliurh]

I created a new PR #2752 according to @jcaamano 's comments. PTAL.

[arkadeepsen]

Suggested change

	// UDN networks. In loose isolation mode, those network pods can communicate with each other accoding to
	// UDN networks. In loose isolation mode, those network pods can communicate with each other according to

nit

[jcaamano]

I don't think this matches what ovn-kubernetes/ovn-kubernetes@3dd6149 expects. The setting there is called
ROUTED_UDN_ISOLATION instead of UDN_ISOLATION_MODE. Also the values it takes are Disabled or Enabled not loose.

This should preferably be passed as a command line argument in script-lib rather than an environment variable for consistency.

I think UDN_ISOLATION_MODE is fine, I would probably use Strict and Loose for values rather than DisabledorEnabled`.

[jcaamano]

Maybe just use the same key/value that we pass to ovnk for consistency? So UDNRoutedIsolationMode and Strict,Loose values? Any non expected value should return error.

[jcaamano]

I was thinking if we should go more generic with the name and use ovn-kubernetes-config-overrides and this be a more generic getOVNKConfigOverrides returning a map. Just to prevent us from spreading on config map names.

[pperiyasamy]

closing it in favor of #2752.

[openshift-ci-robot]

@pperiyasamy: This pull request references Jira Issue OCPBUGS-55962. The bug has been updated to no longer refer to the pull request using the external bug tracker.

In response to this:

This PR adds support for configuring loose isolation mode for the BGP advertised UDN networks. The config map with name openshift-network-operator/udn-config-overrides must be created with force-loose-isolation key set to true which rolls out the loose mode by recreating ovnkube-node daemonset pods.

Steps to roll out loose isolation mode:

1. Create a below config map.

kind: ConfigMap
apiVersion: v1
metadata:
 name: udn-config-overrides
 namespace: openshift-network-operator
data:
 force-loose-isolation: "true"

2. Wait for ovnkube-node DS rollout to complete.
3. Create BGP advertised UDN networks.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.