SDN-5519: OVN-K: Localnet API support

[ormergi]

Introduce API for Localnet topology networks.

This proposal outlines the Localnet API utilizing OVN-Kubernetes ClusterUserDefinedNetwork (CUDN) CRD.
And extending the CUDN CRD to allow creating localnet topology networks.

https://issues.redhat.com/browse/SDN-5519

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[ormergi]

/cc @maiqueb @ricardomaraschini

[maiqueb]

Minor changes requested.

From my perspective, you can start fishing for an SDN reviewer, and an API reviewer.

[maiqueb]

start networking this PR in the SDN team, and find an API reviewer from them (I'd suggest @npinaeva ) and an approver.

We also want someone involved from the API team asap. We don't want them getting involved too late.

[maiqueb]

another summary ?

[ormergi]

I tried to express the proposal in few sentences to enable reviewers realize whats the proposed solution idea.

[maiqueb]

Suggested change

	bridge: br-ex <--------- OVN-K switch
	bridge: br-ex <--------- OVS switch

You're not forced to use br-ex. You can use nmstate to create and configure whatever other switch you want.

[ormergi]

Done

[maiqueb]

plus the physicalNetworkName and ignored subnets.

[ormergi]

Done

[maiqueb]

Suggested change

	The `spec.network.topology` serves as the union discriminator, it should accept `Locannet` option.
	The `spec.network.topology` serves as the union discriminator, it should accept `Localnet` option.

[ormergi]

Fixed

[maiqueb]

I'm conflicted. Should we actually move the subnets + excludesubnets attributes to IPAM ? ...

It kind of makes sense ... but would make it diverge from L2.

[ormergi]

I suggested changing IPAM config in recent IPAM config API changes to have subents but unfortunately it wasn't accepted.

Its like you said if we change it for localnet topology configuration, it diverge from other typologies. I think we should avoid that 😬

[npinaeva]

we definitely want all network types to be consistent, and we discussed this (more than once :D) before.
I think one of the reason to leave it separate was our plan to use subnets field for egress setup but with disabled ipam, so subnets isn't necessarily a part of ipam

[maiqueb]

I think the highest is 4094 actually. 4095 is reserved. Check for instance https://networkengineering.stackexchange.com/questions/24404/vlan-0-1-and-4095-are-reserved-what-are-they-reserved-for

[ormergi]

Thanks, fixed. Also added ref.

[maiqueb]

nit: could you fix the formatting ?

[ormergi]

Done

[ormergi]

Changes Address #1750 (review)

[maiqueb]

Requesting reviews from our peers .

[maiqueb]

@JoelSpeed could you review this API ? We've tried to keep it really small and focused on the API itself.

Or find someone on your team that could lend a hand.

[maiqueb]

@npinaeva you're my go-to API person in the SDN team.

Can we beg you for some reviews ?... Or has tried to keep this really short.

[maiqueb]

@ormergi you need to fix the markdown linter ...

[npinaeva]

makes sense!

[npinaeva]

what does "1 is the default" mean? I thought default option was unspecified?

[ormergi]

VLAN ID 1 is also reserved, it is used for management and usually the default. Sorry for confusion.
Fixed.

[npinaeva]

I don't know if we want to review CEL validation here or in the implementation PR, but I think this should be
!has(self.excludeSubnets) || has(self.subnets) not sure if we want to add IP family validation, may be costly for 25 items

[ormergi]

I removed CEL validation rules for now, we can revisit them in the implementation PR.

Thanks for the suggestion on this rule, noted 🙂

[npinaeva]

this will need its own type, DualStackCIDRs has MaxItems=2

[ormergi]

Good catch!
I changed it to []CIDR.

[npinaeva]

So what happened to vlan=1?

[ormergi]

VLAN ID 1 is also reserved by the standard, used for management.
The bridge (the bridging entity, e.g.: switch, linux-bridge) defines each port with VLAN 1if not spesifed.

[npinaeva]

we definitely want all network types to be consistent, and we discussed this (more than once :D) before.
I think one of the reason to leave it separate was our plan to use subnets field for egress setup but with disabled ipam, so subnets isn't necessarily a part of ipam

[npinaeva]

I think it makes sense to leave role here explicitly, but is it ever possible to enable this for primary network?

[maiqueb]

We have no plans, and IMHO, the use-case is pointless.

It doesn't need egress, it will not have SNAT to the node's IP addresses, etc ...

I don't see it happening.

[ormergi]

@npinaeva PTAL

[ormergi]

VLAN ID 1 is also reserved, it is used for management and usually the default. Sorry for confusion.
Fixed.

[ormergi]

I removed CEL validation rules for now, we can revisit them in the implementation PR.

Thanks for the suggestion on this rule, noted 🙂

[ormergi]

Good catch!
I changed it to []CIDR.

[ormergi]

VLAN ID 1 is also reserved by the standard, used for management.
The bridge (the bridging entity, e.g.: switch, linux-bridge) defines each port with VLAN 1if not spesifed.

[ormergi]

Changes: address #1750 (review)

[ormergi]

@trozet could you please have a look? 🙏

[everettraven]

Is spec.network already a required field today?

[ormergi]

Yes, please see CUDN CRD definition here https://github.com/ovn-kubernetes/ovn-kubernetes/blob/master/go-controller/pkg/crd/userdefinednetwork/v1/cudn.go#L37

[everettraven]

Are you saying that spec.network should not be immutable only if the spec.network.topology is set to Localnet?

How do you plan to implement that change to the validation?

[ormergi]

Yes, and let me add some context to allowing spec mutations for localnet topology:
Allowing spec mutation for localnet motivation followed by recorded customer cases describing the current API limitations flaws (e.g.: immutable spec) and impact on UX (bad) https://issues.redhat.com/browse/PLMCORE-10896.
For starters we want to allow spec mutation mostly for the following fields: VLAN, MTU, excludeSubnets and physicalNetworkName.
Having it localnet topology settings mutable improve the UX because it save re-creating CRs in case of misconfiguration, and allow changes to the topology settings on day2.

Regarding to CEL rule validations required changes, what I had in mind is inverting the spec mutation validation we have today on spec.network as follows:

1. Remove mutation restrictions on spec.network.
2. Add CEL rule validations to restrict mutations of spec.network.topology, spec.network.layer2, and spec.network.layer3.
3. Add CEL rule validations to restrict mutation of localnet topology settings: spec.network.localnet.role, spec.network.localnet.subnetes and spec.network.topology.ipam.

Depending on OVN-K maintainers feedback we can, do broader change and allow spec mutations for other topologies as well (layer2 and layer3), naturally it will simplify the required CEL rule validations.

I though we better start with hardest restrictions we can that make sense, and upon necessity remove them later on, keeping things backward compatible.
WDYT?

[everettraven]

I think that approach sounds reasonable. I do think it would be worth explicitly including this approach in the enhancement.

[ormergi]

Added text about allowing spec mutations for localnet configurations, at the API level.

[everettraven]

Is the NetworkRole a type that already exists today? Does it have the appropriate enum tags to limit the allowed values to only Secondary?

[ormergi]

Yes, NetworkRole type exist and limited to Primary and Secondary,
please see https://github.com/ovn-kubernetes/ovn-kubernetes/blob/master/go-controller/pkg/crd/userdefinednetwork/v1/shared.go#L170.

[everettraven]

Are you intending for this field to also allow setting Primary and Secondary?

[ormergi]

Please see #1750 (comment)

For localnet typologies we dont see it happen in the near future, hence Secondary only for now.
Since we want to maintain similar semantics to exiting typologies, this field should remain required.
Make sense?

[maiqueb]

Clarifying here: there is no use case for having a primary UDN whose topology is localnet.

@everettraven what does the openshift API guidelines say about this scenario ?... What is more important ? Consistency across the API (forcing the user to specify always the same value) or make the user provide less input ?

[everettraven]

My specific concern here is that you specify that a user can only set Secondary in the Godoc, but the type you are using has validation that allows setting both Primary and Secondary. There is no additional validation that I see enforces that this must only be set to Secondary. Without that explicit validation in place your Godoc is not accurate.

[ormergi]

I added additional validation to ensure only Secondary value is accepted at the LocalnetConfig NetworkRole definition,
please see https://github.com/openshift/enhancements/compare/03fbe107f688b60a3e8fb8dda6d2f4f002b86746..1db8ce327af3d896fdbda53de337e098b8874d80#diff-7512349752d7cfc290273d99b4b60b705813d12aaf6d4db24cad883a630d7f9aR432

[everettraven]

Only use the +required tag.

[everettraven]

Additionally, ensure it is clearly stated in the Godoc that the field is required. Users using something like oc explain ... can't see the tags.

[ormergi]

Done

[everettraven]

References to fields in godoc should use the serialized field name as per OpenShift API conventions: https://github.com/openshift/enhancements/blob/master/dev-guide/api-conventions.md#use-json-field-names-in-godoc

Suggested change

	// Role describes the network role in the pod.
	// role describes the network role in the pod.

[everettraven]

What is a "network role" ? Is this something that users are expected to already be familiar with? Why would they care about setting this value? What does it let them achieve?

These are all questions that I would expect to have answered when reading the godoc for this field.

For more guidance on some things to consider to write user readable documentation in godoc, see https://github.com/openshift/enhancements/blob/master/dev-guide/api-conventions.md#write-user-readable-documentation-in-godoc

[ormergi]

What is a "network role" ? Is this something that users are expected to already be familiar with? Why would they care about setting this value? What does it let them achieve?

Network role control whether the pod interface will act as the primary or secondary. primary used as the default gateway for the pod. Its up to the user to deciede what kind of network they like to create.

[ormergi]

Added text to godoc.

[everettraven]

Explicitly mention that this field is optional in the godoc.

[ormergi]

Done

[everettraven]

Suggested change

	// MTU is the maximum transmission unit for a network.
	// mtu is the maximum transmission unit for a network.

Why does a user care about setting this field? What does it allow them to achieve?

[ormergi]

It enable users align the MTU used across the stack, fitting the MTU of the pod network interface to the MTU set on the node interface.

In a scenario physicalNetworkName points to a network interface who has certain MTU settings, e.g: 1600, the pod interface should have the exact same MTU as the node network interface.
Otherwise, the MTU wont be aligned across the stack (pod has MTU X node has MTU Y), it could result in network disruptions and bad performance.

[ormergi]

Added text to godoc

[everettraven]

Explicitly mention the minimum and maximum values in the Godoc so users using something like oc explain ... can see the minimum and maximum constraints.

You mentioned previously in the enhancement that this should have a higher minimum value if the subnets are IPv6 - is there any way to enforce that at admission time? if not, how are planning to enforce it?

[everettraven]

Building on this a bit more, if you aren't able to enforce this increased minimum based on subnet types (IPv4 vs IPv6) at admission time is it because of the API structure? is there a change you could make to the API structure to more easily enforce that at admission time?

[ormergi]

You mentioned previously in the enhancement that this should have a higher minimum value if the subnets are IPv6 - is there any way to enforce that at admission time? if not, how are planning to enforce it?

It is enforced using CEL validation rule on Layer2 and Layer3 configuration types, please see
https://github.com/ovn-kubernetes/ovn-kubernetes/blob/master/go-controller/pkg/crd/userdefinednetwork/v1/shared.go#L93
https://github.com/ovn-kubernetes/ovn-kubernetes/blob/master/go-controller/pkg/crd/userdefinednetwork/v1/shared.go#L28

The proposed Localnet topology configuration type should have similar validation.

[ormergi]

Added text to godoc about min/max constrains

[everettraven]

Suggested change

	// VLAN is the VLAN ID.
	// vlan is the VLAN ID.

Why does a user care about setting this field? What does it allow them to achieve?

[ormergi]

In a scenerio physicalNetworkName points to a network who has some VLAN applied, it should be configured in the spec.
Otherwise pods connected to the subject network will not be able to communicate with other hosts on the network.

[ormergi]

Added text to godoc

[everettraven]

Explicitly mention these constraints in the godoc.

[ormergi]

Done

[ormergi]

@everettraven thank you so much for the feedback, I am working on resolving you comments.

[ormergi]

Yes, please see CUDN CRD definition here https://github.com/ovn-kubernetes/ovn-kubernetes/blob/master/go-controller/pkg/crd/userdefinednetwork/v1/cudn.go#L37

[ormergi]

Yes, and let me add some context to allowing spec mutations for localnet topology:
Allowing spec mutation for localnet motivation followed by recorded customer cases describing the current API limitations flaws (e.g.: immutable spec) and impact on UX (bad) https://issues.redhat.com/browse/PLMCORE-10896.
For starters we want to allow spec mutation mostly for the following fields: VLAN, MTU, excludeSubnets and physicalNetworkName.
Having it localnet topology settings mutable improve the UX because it save re-creating CRs in case of misconfiguration, and allow changes to the topology settings on day2.

Regarding to CEL rule validations required changes, what I had in mind is inverting the spec mutation validation we have today on spec.network as follows:

1. Remove mutation restrictions on spec.network.
2. Add CEL rule validations to restrict mutations of spec.network.topology, spec.network.layer2, and spec.network.layer3.
3. Add CEL rule validations to restrict mutation of localnet topology settings: spec.network.localnet.role, spec.network.localnet.subnetes and spec.network.topology.ipam.

Depending on OVN-K maintainers feedback we can, do broader change and allow spec mutations for other topologies as well (layer2 and layer3), naturally it will simplify the required CEL rule validations.

I though we better start with hardest restrictions we can that make sense, and upon necessity remove them later on, keeping things backward compatible.
WDYT?

[ormergi]

The network will be defined as a secondary network, pods will need to specify Mutltus networks annotation in other to connect to that network. For example: given CR with metadata.name mynet, pod should have k8s.v1.cni.cncf.io/networks: mynet annotation.

What makes it work is the fact the CUDN controller creates a NAD at the target namespace, allowing pods to connect to it.
The corresponding NAD meta.name will be the same as the CUDN CR meta.name.

[ormergi]

Yes, NetworkRole type exist and limited to Primary and Secondary,
please see https://github.com/ovn-kubernetes/ovn-kubernetes/blob/master/go-controller/pkg/crd/userdefinednetwork/v1/shared.go#L170.

[ormergi]

The JSON tag name should be PhysicalNetworkName, sorry for the confusion I will fix it.

There is not interaction with other fields in this API.
There is an interaction with Kubernetes-nmsate NodeNetworkConfigurationPolicy (NNCP) API though:
the CUDN spec.network.localnet.physicalNetworkName should point to the NNCP spec.desiredState.ovn.bridge-mappings as mentioned earlier in the doc.

[ormergi]

The IPAM stands for OVN-K IPAM configuration for the subject network, its implemented for Layer2 topology configuration type, please see [1] it has prerry nice godoc explaining what it does 🙂

The proposal is to have Localnet topology configuration type has similar ipam cofiguration type as Layer2 has.

[ormergi]

You mentioned previously in the enhancement that this should have a higher minimum value if the subnets are IPv6 - is there any way to enforce that at admission time? if not, how are planning to enforce it?

It is enforced using CEL validation rule on Layer2 and Layer3 configuration types, please see
https://github.com/ovn-kubernetes/ovn-kubernetes/blob/master/go-controller/pkg/crd/userdefinednetwork/v1/shared.go#L93
https://github.com/ovn-kubernetes/ovn-kubernetes/blob/master/go-controller/pkg/crd/userdefinednetwork/v1/shared.go#L28

The proposed Localnet topology configuration type should have similar validation.

[ormergi]

In a scenerio physicalNetworkName points to a network who has some VLAN applied, it should be configured in the spec.
Otherwise pods connected to the subject network will not be able to communicate with other hosts on the network.

[ormergi]

It enable users align the MTU used across the stack, fitting the MTU of the pod network interface to the MTU set on the node interface.

In a scenario physicalNetworkName points to a network interface who has certain MTU settings, e.g: 1600, the pod interface should have the exact same MTU as the node network interface.
Otherwise, the MTU wont be aligned across the stack (pod has MTU X node has MTU Y), it could result in network disruptions and bad performance.

[ormergi]

What is a "network role" ? Is this something that users are expected to already be familiar with? Why would they care about setting this value? What does it let them achieve?

Network role control whether the pod interface will act as the primary or secondary. primary used as the default gateway for the pod. Its up to the user to deciede what kind of network they like to create.

[ormergi]

Changes: resolve #1750 (review)

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from trozet. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• enhancements/network/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[npinaeva]

Yes, you can mutate NADs. You only need to restart the workloads attached to it for them to consume the new version - assuming the network is in-sync.

thank you for clarifying! I think this part should go in the enhancement, considering it is the first time we allow to mutate spec. Otherwise /lgtm

@npinaeva its mentioned here, is it fine or you expect something else?

I mean the fact that you need to restart workloads to consume the new changes

[ormergi]

Changes: resolve #1750 (comment)

[ormergi]

I mean the fact that you need to restart workloads to consume the new changes

@npinaeva I have added text to clarify this point please see https://github.com/openshift/enhancements/compare/dca226ce6916f77252e10f97ad4e5a9093596245..c44363a24ffebf59b4d2cafd3584499da82afb06

[everettraven]

If NetworkRole already specifies an enum validation tag this won't work. To use an Enum tag this needs to be its own type alias to a string or a string. The only other path to restrict this further in this case would be a CEL expression.

[everettraven]

using a CEL expression you would end up with a potentially misleading CRD schema though because Primary would show up as an allowed value in the schema but in reality it would be blocked by your XValidation

[ormergi]

I think we can avoid it by moving the enum validation for NetworkRole definition to each topology config definition (where NetworkRole used), as follows:

1. Remove the enum validation exist on NetworkRole definition
2. On Layer2Config definition, add enum validation to role field allowing Primary or Secondary.
3. On Layer3Config definition, add enum validation to role field allowing Primary or Secondary.
4. Finally, in the proposed LocalnetConfig definition, add enum validation to role field allowing Secondary only.

@everettraven WDYT?

[everettraven]

I think that sounds reasonable

[ormergi]

Added text about required changes to topology role validations https://github.com/openshift/enhancements/compare/6fc5b82ece4e9bdaaedf6d7208f56681dc40bcdc..7caa6a8f94524aa3218f9ea2ef845bcc377e4893#diff-65ff4f11b53425ec17e6fbd228843c58470c309f5031c38c345010775bb378d9R508-R519

[ormergi]

Changes:

• Fix excludeSubent validation
• Add validations to physicalNetworkName, resolves SDN-5519: OVN-K: Localnet API support #1750 (comment)
• Added text about required changes to topology role validations, resolves SDN-5519: OVN-K: Localnet API support #1750 (comment)

[ormergi]

@everettraven @maiqueb @npinaeva I think I resolved all comments, could you please take another look?

[ormergi]

Changes: fix indentations

[maiqueb]

Some comments, nothing big.

Real close to having the +1 again.

[maiqueb]

should actually match the localnet attribute of an item on that slice / array.

[ormergi]

Added text to clarify that

[maiqueb]

defined in .1 , for clarity.

[ormergi]

Done

[maiqueb]

nit:

Suggested change

	For the new the spec to take place, restarting the workloads is necessary.
	For the new network configuration (defined in the spec) to take place, the user must restart the workloads.

[ormergi]

Done

[maiqueb]

I still prefer physicalNetworkName but, maybe just name is good enough.

[maiqueb]

I miss explicitly indicating which is the default. Which I assume to be false.

[ormergi]

Yes default is false. Added text to clarify that.

[maiqueb]

there's no use case for primary UDN in localnet. It's pointless.

... but I understand your point.

[ormergi]

I changed the text to omit primary role

[maiqueb]

for completeness, let's also exclude the GW IPs here (one for each subnet).

[ormergi]

Done

[maiqueb]

shouldn't this be a /32 ?

[maiqueb]

shouldn't this label be on the namespace ?...

[ormergi]

The CRDs controller label NADs with this label making it easier to aggregate for maintenance by admins (view all UDN NAD, etc..).
The primary UDN label for namespace is the same.

[maiqueb]

OK, fair enough.

[maiqueb]

I kind of always seen this the other way around; Localnet topology (which is an OVN term) attaches to the physical network .

[ormergi]

I changed the text saying localnet attach to physical network

[maiqueb]

Suggested change

	`spec.network.localnet.role`, `spec.network.localnet.subnetes` and `spec.network.topology.ipam`.
	`spec.network.localnet.role`, `spec.network.localnet.subnets` and `spec.network.topology.ipam`.

[ormergi]

Thanks. Fixed.

[ormergi]

Changes: address #1750 (review)
@maiqueb PTAL 🙏

[maiqueb]

/lgtm

I just think you have a typo (using a /31 subnet instead of a /32)

[openshift-ci]

@ormergi: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.