Route to kubevirt VMs using infra id as service label selector #2092
Conversation
openshift-ci
bot
added
the
approved
|
/test kubevirt-e2e-kubevirt-aws-ovn |
|
/hold I want to see the kubevirt e2e lane pass before we consider merging this. |
openshift-ci
bot
added
the
do-not-merge/hold
davidvossel
force-pushed
the
route-by-infra-id
branch
from
f46e36a to
d4a7117
Compare
|
/test kubevirt-e2e-kubevirt-aws-ovn |
|
/test kubevirt-e2e-kubevirt-aws-ovn |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/cc @orenc1 maybe you can review this? What I've done is add a new label to the VMI pods that allows us to identify them by the Hosted CLuster (using infraID) that the VMs belong to. This will let us create Services and Network Policies that target a specific cluster within a namespace rather than all VMs in a namespace... I think this level of identification for vms/vmis/pods could be important to us with your external infra work. It could be possible for people to use the same namespace on an external infra cluster to host VMs from multiple guest clusters. |
| } | ||
| service.Spec.Type = corev1.ServiceTypeClusterIP | ||
|
|
||
| service.Labels["hypershift.kubevirt.io/infra-id"] = hcp.Spec.InfraID |
There was a problem hiding this comment.
the string "hypershift.kubevirt.io/infra-id" appears in 2 locations. wouldn't it be better to put it in a variable, e.g. infraIDLabelKey, as you did in MachineTemplateSpec function
There was a problem hiding this comment.
oh, yeah definitely. I didn't realize i hadn't transitioned to a variable for that. good call.
|
/hold i've now figured out we have another problem if multiple ingress services and routes are created in the same infra namespace for multiple guest clusters - the service and the route are created with an hardcoded name: |
openshift-ci
bot
added
the
do-not-merge/hold
|
/lgtm cancel |
|
this PR needs more work. We identified a few more area's the infra id needs to be applied
|
davidvossel
force-pushed
the
route-by-infra-id
branch
from
d4a7117 to
c6f74ed
Compare
|
/hold cancel @orenc1 I updated this PR. We now add the infra id to both the infra LBs and PVCs in order to help associate those resources with the HostedCluster. I had to make a change to the cloud-provider-kubevirt config here [1] for this to work for the LBs. It doesn't matter what order these PRs get merged in though. Hypershift will attempt to set the labels on the cloud config, but they won't get actually applied to the LBs until [1] is merged. It doesn't break anything though. |
openshift-ci
bot
removed
the
do-not-merge/hold
@davidvossel , looks like the ingress service and route still have a constant name: route: if we're utilizing the same infra namespace for multiple guest clusters, we must have a unique service and route for each. |
ugh... you're right. I missed this. |
davidvossel
force-pushed
the
route-by-infra-id
branch
from
c6f74ed to
5b3819f
Compare
✅ Deploy Preview for hypershift-docs ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
| cpService.Name = fmt.Sprintf("%s-%s", | ||
| manifests.IngressDefaultIngressPassthroughServiceName, | ||
| hcp.Spec.Platform.Kubevirt.GenerateID) | ||
|
|
||
| // Manifests for infra/mgmt cluster passthrough routes | ||
| cpPassthroughRoute := manifests.IngressDefaultIngressPassthroughRoute(hcpNamespace) | ||
|
|
||
| cpPassthroughRoute.Name = fmt.Sprintf("%s-%s", | ||
| manifests.IngressDefaultIngressPassthroughRouteName, | ||
| hcp.Spec.Platform.Kubevirt.GenerateID) | ||
|
|
There was a problem hiding this comment.
@orenc1 i fixed the issue with the route and service not being unique by adding some unique generated strings to the end of these resources.
davidvossel
force-pushed
the
route-by-infra-id
branch
from
fee2a9f to
36dc3bc
Compare
|
/test kubevirt-e2e-kubevirt-aws-ovn |
|
/hold i just want to look at this a little closer |
openshift-ci
bot
added
the
do-not-merge/hold
|
/hold cancel I'm comfortable with this pr now. |
openshift-ci
bot
removed
the
do-not-merge/hold
|
me too. |
davidvossel
force-pushed
the
route-by-infra-id
branch
from
36dc3bc to
f7eab75
Compare
|
/test kubevirt-e2e-kubevirt-aws-ovn |
| @@ -680,6 +680,7 @@ type PlatformSpec struct { | |||
| } | |||
|
|
|||
| // KubevirtPlatformSpec specifies configuration for kubevirt guest cluster installations | |||
| // +kubebuilder:validation:XValidation:rule="!has(oldSelf.generateID) || has(self.generateID)", message="Kubevirt GenerateID is required once set" | |||
There was a problem hiding this comment.
what does it mean "is required once set" ?
if GenerateID is required, it must not be empty or missing in the first place.
so there is no meaning to "once set" in my opinion.
and same for the validation message below - "is immutable once set" - if that field can't be empty when the resource is created, the value is set on creation, and the "once set" is superfluousץ
There was a problem hiding this comment.
here's an explanation, and it's where i took the example from. https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/#immutablility-after-first-modification
The idea is that I want GenerateID to be allowed to be set exactly once, and never changed after that. Including removing the value entirely.
The line you reference !has(oldSelf.generateID) || has(self.generateID) is kind of odd. I believe what it's saying is that it's okay for the value to be set only when the old value was empty.
|
/hold i think this is good to go, but i want to run the new api field by another hypershift approver first |
openshift-ci
bot
added
the
do-not-merge/hold
|
/hold cancel i talked with hypershift maintainers, we're good to go with this one. |
This comment was marked as duplicate.
This comment was marked as duplicate.
openshift-ci
bot
added
do-not-merge/hold
…n infra id label Signed-off-by: David Vossel <[email protected]>
davidvossel
force-pushed
the
route-by-infra-id
branch
from
f7eab75 to
51f8d7c
Compare
|
just want to confirm we are good with: and that we are not breaking: |
|
e2e-aws: looks like an infra issue: retesting to see if it was resolved already |
|
/test e2e-aws |
|
@davidvossel: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest-required |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: davidvossel, orenc1 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
As we're looking to expand the kubevirt platform to manage VMs on external infra (an ocp cluster external to the one hypershift runs on), it's possible that VMs from multiple clusters will get placed in the same namespace. As a result, we need to start labeling the components we place in these namespaces using the unique HostedCluster.Spec.InfraID.
This serves two purposes for us.