Add ProactiveConf CRD and proactive_conf flag

Shaik Mahboob Shareef · Shaik Mahboob Shareef · commit 9c2786295e1b · 2024-09-04T17:10:31.000Z
This CRD is introduced to notify the OpFlex agent from Host agent to adjusts the frequency of the tunnel endpoint advertisement timer accordingly. config to create the CRD and enable the functionality: --- kube_config: proactive_conf: True # Default is False (cherry picked from commit 3e94d46) (cherry picked from commit 8f3fbb7)
diff --git a/provision/acc_provision/templates/aci-containers.yaml b/provision/acc_provision/templates/aci-containers.yaml
@@ -1342,6 +1342,56 @@ spec:
         type: object
 ---
 {% endif %} #}
+{% if config.kube_config.proactive_conf %}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: proactiveconfs.aci.pc
+spec:
+  group: aci.pc
+  names:
+    kind: ProactiveConf
+    listKind: ProactiveConfList
+    plural: proactiveconfs
+    singular: proactiveconf
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          apiVersion:
+            type: string
+            description: 'APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          kind:
+            type: string
+            description: 'Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          metadata:
+            type: object
+          spec:
+            properties:
+              TunnelEpAdvertisementInterval:
+                type: integer
+              VmmEpgDeploymentImmediacy:
+                enum:
+                - Immediate
+                - OnDemand
+                type: string
+            type: object
+---
+{% endif %}
 {% endif %}
 {% if config.sriov_config.enable or config.chained_cni_config.secondary_interface_chaining or config.chained_cni_config.primary_interface_chaining %}
 apiVersion: apiextensions.k8s.io/v1
@@ -1911,6 +1961,9 @@ data:
         {% if config.kube_config.apic_connection_retry_limit %}
         "apic-connection-retry-limit": {{ config.kube_config.apic_connection_retry_limit|json}},
         {% endif %}
+        {% if config.kube_config.proactive_conf %}
+        "proactive-conf": {{ config.kube_config.proactive_conf|json }},
+        {% endif %}
 {#
         Commenting code to disable the install_istio flag as the functionality
         is disabled to remove dependency from istio.io/istio package.
@@ -2108,6 +2161,9 @@ data:
         {% if config.kube_config.disable_hpp_rendering %}
         "disable-hpp-rendering": {{ config.kube_config.disable_hpp_rendering|json }},
         {% endif %}
+        {% if config.kube_config.proactive_conf %}
+        "proactive-conf": {{ config.kube_config.proactive_conf|json }},
+        {% endif %}
         "pod-subnet": {{ config.net_config.pod_subnet|json|indent(width=8) }},
         "node-subnet": {{ config.net_config.node_subnet|json|indent(width=8) }},
         "encap-type": {{ config.node_config.encap_type|json }},
@@ -2567,6 +2623,16 @@ and aci-containers-operator images for istio.io/istio package
   - update
   - patch
 {% endif %}
+{% if config.kube_config.proactive_conf %}
+- apiGroups:
+  - "aci.pc"
+  resources:
+  - proactiveconfs
+  verbs:
+  - get
+  - list
+  - watch
+{% endif %}
 ---
 apiVersion: {{ config.kube_config.use_rbac_api }}
 kind: ClusterRole
@@ -2748,6 +2814,16 @@ rules:
   - list
   - watch
 {% endif %}
+{% if config.kube_config.proactive_conf %}
+- apiGroups:
+  - "aci.pc"
+  resources:
+  - proactiveconfs
+  verbs:
+  - get
+  - list
+  - watch
+{% endif %}
 ---
 apiVersion: {{ config.kube_config.use_rbac_api }}
 kind: ClusterRoleBinding
diff --git a/provision/acc_provision/templates/provision-config.yaml b/provision/acc_provision/templates/provision-config.yaml
@@ -159,7 +159,8 @@ registry:
   # add_external_contract_to_default_epg: True          # override if needed, default is False
   # apic_connection_retry_limit: 5                      # number of times the controller tries to communicate with APIC before switching to next APIC if unsuccessful, default is 5
   # taint_not_ready_node: True                          # default is False, set to True if you want to make the node in not ready state unschedulable till the host agent initalization is complete.
-  # unknown_mac_unicast_action: "flood"                  # override if needed, default is "proxy"
+  # unknown_mac_unicast_action: "flood"                 # override if needed, default is "proxy"
+  # proactive_conf: True                                # default is False, set to True to enable proactive configuration
 
 #
 # Configuration for ACI CNI Operator
diff --git a/provision/testdata/with_overrides.apic.txt b/provision/testdata/with_overrides.apic.txt
@@ -210,7 +210,7 @@ None
             {
                 "vmmInjectedClusterDetails": {
                     "attributes": {
-                        "accProvisionInput": "operator_managed_config:\n  enable_updates: true\n\naci_config:\n  system_id: kube\n  use_legacy_kube_naming_convention: True\n  cluster_tenant: demo\n  apic_hosts:\n    - 10.30.120.100\n  apic_login:\n    username: admin\n    \n  apic_version: \"5.0\"\n  aep: kube-aep\n  apic_subscription_delay: 100\n  opflex_device_delete_timeout: 1200\n  apic_refreshticker_adjust: 150\n  vrf:\n    name: kubernetes-vrf\n    tenant: common\n  l3out:\n    name: l3out\n    external_networks:\n    - l3out\n  physical_domain:\n    domain: kubernetes-control\n  sync_login:\n    certfile: user.crt\n    keyfile: user.key\n  vmm_domain:\n    domain: kubernetes1\n    controller: kubernetes1\n    encap_type: vxlan\n    mcast_range:\n        start: 225.2.1.1\n        end: 225.2.255.255\n  client_ssl: false\n\nnet_config:\n  node_subnet: 10.1.0.1/16\n  pod_subnet: 10.2.0.1/16\n  pod_subnet_chunk_size: 24\n  extern_dynamic: 10.4.0.1/16\n  extern_static: 10.3.0.1/24\n  node_svc_subnet: 10.6.0.1/24\n  kubeapi_vlan: 4001\n  service_vlan: 4003\n  infra_vlan: 4093\n  disable_wait_for_network: true\n\nkube_config:\n  aci_multipod: true\n  opflex_device_reconnect_wait_timeout: 10\n  dhcp_renew_max_retry_count: 10\n  dhcp_delay: 10\n  use_external_service_ip_allocator: true\n  use_privileged_containers: true\n  use_openshift_security_context_constraints: true\n  allow_kube_api_default_epg: true\n  no_wait_for_service_ep_readiness: true\n  hpp_optimization: true\n  service_graph_endpoint_add_delay:\n      delay: 30\n      services:\n      - name: ingress-service\n        namespace: openshift-ingress\n      - name: monitoring-service\n        namespace: openshift-monitoring\n        delay: 60\n  add_external_subnets_to_rdconfig: true\n  snat_operator:\n      disable_periodic_snat_global_info_sync: true\n      sleep_time_snat_global_info_sync: 60\n  node_snat_redirect_exclude:\n      - group: router\n        labels:\n        - worker\n        - router\n        - infra\n      - group: infra\n        labels:\n        - infra\n        - router\n  image_pull_policy: IfNotPresent\n  opflex_agent_policy_retry_delay_timer: 10\n  use_system_node_priority_class: True\n  ovs_memory_request: \"512Mi\"\n  ovs_memory_limit: \"2Gi\"  \n  aci_containers_controller_memory_request: \"256Mi\"\n  aci_containers_controller_memory_limit: \"5Gi\"\n  aci_containers_host_memory_request: \"256Mi\"\n  aci_containers_host_memory_limit: \"5Gi\"\n  mcast_daemon_memory_request: \"256Mi\"\n  mcast_daemon_memory_limit: \"5Gi\"\n  opflex_agent_memory_request: \"256Mi\"\n  opflex_agent_memory_limit: \"5Gi\"\n  acc_provision_operator_memory_request: \"256Mi\"\n  acc_provision_operator_memory_limit: \"5Gi\"\n  aci_containers_operator_memory_request: \"256Mi\"\n  aci_containers_operator_memory_limit: \"5Gi\"\n  toleration_seconds: 100\n  opflex_openssl_compat: true\n  enable_opflex_agent_reconnect: true\n  opflex_agent_statistics: false\n  opflex_startup_enabled: true\n  opflex_startup_policy_duration: 20\n  opflex_startup_resolve_aft_conn: true\n  opflex_switch_sync_delay: 10\n  opflex_switch_sync_dynamic: 20\n  add_external_contract_to_default_epg: True\n  apic_connection_retry_limit: 10\n  disable_hpp_rendering: True\n  taint_not_ready_node: True\n  unknown_mac_unicast_action: \"flood\"\n\nregistry:\n  image_prefix: noiro\n  aci_cni_operator_version: AciCniOperatorTag\n  use_digest : true\n\nlogging:\n  controller_log_level: debug\n  hostagent_log_level: debug\n  opflexagent_log_level: info\n  operator_log_level: debug\n\nnodepodif_config:\n  enable: true\n\ndrop_log_config:\n  disable_events: True\n",
+                        "accProvisionInput": "operator_managed_config:\n  enable_updates: true\n\naci_config:\n  system_id: kube\n  use_legacy_kube_naming_convention: True\n  cluster_tenant: demo\n  apic_hosts:\n    - 10.30.120.100\n  apic_login:\n    username: admin\n    \n  apic_version: \"5.0\"\n  aep: kube-aep\n  apic_subscription_delay: 100\n  opflex_device_delete_timeout: 1200\n  apic_refreshticker_adjust: 150\n  vrf:\n    name: kubernetes-vrf\n    tenant: common\n  l3out:\n    name: l3out\n    external_networks:\n    - l3out\n  physical_domain:\n    domain: kubernetes-control\n  sync_login:\n    certfile: user.crt\n    keyfile: user.key\n  vmm_domain:\n    domain: kubernetes1\n    controller: kubernetes1\n    encap_type: vxlan\n    mcast_range:\n        start: 225.2.1.1\n        end: 225.2.255.255\n  client_ssl: false\n\nnet_config:\n  node_subnet: 10.1.0.1/16\n  pod_subnet: 10.2.0.1/16\n  pod_subnet_chunk_size: 24\n  extern_dynamic: 10.4.0.1/16\n  extern_static: 10.3.0.1/24\n  node_svc_subnet: 10.6.0.1/24\n  kubeapi_vlan: 4001\n  service_vlan: 4003\n  infra_vlan: 4093\n  disable_wait_for_network: true\n\nkube_config:\n  aci_multipod: true\n  opflex_device_reconnect_wait_timeout: 10\n  dhcp_renew_max_retry_count: 10\n  dhcp_delay: 10\n  use_external_service_ip_allocator: true\n  use_privileged_containers: true\n  use_openshift_security_context_constraints: true\n  allow_kube_api_default_epg: true\n  no_wait_for_service_ep_readiness: true\n  hpp_optimization: true\n  service_graph_endpoint_add_delay:\n      delay: 30\n      services:\n      - name: ingress-service\n        namespace: openshift-ingress\n      - name: monitoring-service\n        namespace: openshift-monitoring\n        delay: 60\n  add_external_subnets_to_rdconfig: true\n  snat_operator:\n      disable_periodic_snat_global_info_sync: true\n      sleep_time_snat_global_info_sync: 60\n  node_snat_redirect_exclude:\n      - group: router\n        labels:\n        - worker\n        - router\n        - infra\n      - group: infra\n        labels:\n        - infra\n        - router\n  image_pull_policy: IfNotPresent\n  opflex_agent_policy_retry_delay_timer: 10\n  use_system_node_priority_class: True\n  ovs_memory_request: \"512Mi\"\n  ovs_memory_limit: \"2Gi\"  \n  aci_containers_controller_memory_request: \"256Mi\"\n  aci_containers_controller_memory_limit: \"5Gi\"\n  aci_containers_host_memory_request: \"256Mi\"\n  aci_containers_host_memory_limit: \"5Gi\"\n  mcast_daemon_memory_request: \"256Mi\"\n  mcast_daemon_memory_limit: \"5Gi\"\n  opflex_agent_memory_request: \"256Mi\"\n  opflex_agent_memory_limit: \"5Gi\"\n  acc_provision_operator_memory_request: \"256Mi\"\n  acc_provision_operator_memory_limit: \"5Gi\"\n  aci_containers_operator_memory_request: \"256Mi\"\n  aci_containers_operator_memory_limit: \"5Gi\"\n  toleration_seconds: 100\n  opflex_openssl_compat: true\n  enable_opflex_agent_reconnect: true\n  opflex_agent_statistics: false\n  opflex_startup_enabled: true\n  opflex_startup_policy_duration: 20\n  opflex_startup_resolve_aft_conn: true\n  opflex_switch_sync_delay: 10\n  opflex_switch_sync_dynamic: 20\n  add_external_contract_to_default_epg: True\n  apic_connection_retry_limit: 10\n  disable_hpp_rendering: True\n  taint_not_ready_node: True\n  unknown_mac_unicast_action: \"flood\"\n  proactive_conf: True\n\nregistry:\n  image_prefix: noiro\n  aci_cni_operator_version: AciCniOperatorTag\n  use_digest : true\n\nlogging:\n  controller_log_level: debug\n  hostagent_log_level: debug\n  opflexagent_log_level: info\n  operator_log_level: debug\n\nnodepodif_config:\n  enable: true\n\ndrop_log_config:\n  disable_events: True\n",
                         "userKey": "dummy\n",
                         "userCert": "dummy\n"
                     }
diff --git a/provision/testdata/with_overrides.inp.yaml b/provision/testdata/with_overrides.inp.yaml
@@ -112,6 +112,7 @@ kube_config:
   disable_hpp_rendering: True
   taint_not_ready_node: True
   unknown_mac_unicast_action: "flood"
+  proactive_conf: True
 
 registry:
   image_prefix: noiro
diff --git a/provision/testdata/with_overrides.kube.yaml b/provision/testdata/with_overrides.kube.yaml

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,8 @@ registry:`
`159`	`159`	`# add_external_contract_to_default_epg: True # override if needed, default is False`
`160`	`160`	`# apic_connection_retry_limit: 5 # number of times the controller tries to communicate with APIC before switching to next APIC if unsuccessful, default is 5`
`161`	`161`	`# taint_not_ready_node: True # default is False, set to True if you want to make the node in not ready state unschedulable till the host agent initalization is complete.`
`162`		`- # unknown_mac_unicast_action: "flood" # override if needed, default is "proxy"`
	`162`	`+ # unknown_mac_unicast_action: "flood" # override if needed, default is "proxy"`
	`163`	`+ # proactive_conf: True # default is False, set to True to enable proactive configuration`
`163`	`164`
`164`	`165`	`#`
`165`	`166`	`# Configuration for ACI CNI Operator`
Original file line number	Diff line number	Diff line change
`@@ -210,7 +210,7 @@ None`
`210`	`210`	`{`
`211`	`211`	`"vmmInjectedClusterDetails": {`
`212`	`212`	`"attributes": {`
`213`		- "accProvisionInput": "operator_managed_config:\n enable_updates: true\n\naci_config:\n system_id: kube\n use_legacy_kube_naming_convention: True\n cluster_tenant: demo\n apic_hosts:\n - 10.30.120.100\n apic_login:\n username: admin\n \n apic_version: \"5.0\"\n aep: kube-aep\n apic_subscription_delay: 100\n opflex_device_delete_timeout: 1200\n apic_refreshticker_adjust: 150\n vrf:\n name: kubernetes-vrf\n tenant: common\n l3out:\n name: l3out\n external_networks:\n - l3out\n physical_domain:\n domain: kubernetes-control\n sync_login:\n certfile: user.crt\n keyfile: user.key\n vmm_domain:\n domain: kubernetes1\n controller: kubernetes1\n encap_type: vxlan\n mcast_range:\n start: 225.2.1.1\n end: 225.2.255.255\n client_ssl: false\n\nnet_config:\n node_subnet: 10.1.0.1/16\n pod_subnet: 10.2.0.1/16\n pod_subnet_chunk_size: 24\n extern_dynamic: 10.4.0.1/16\n extern_static: 10.3.0.1/24\n node_svc_subnet: 10.6.0.1/24\n kubeapi_vlan: 4001\n service_vlan: 4003\n infra_vlan: 4093\n disable_wait_for_network: true\n\nkube_config:\n aci_multipod: true\n opflex_device_reconnect_wait_timeout: 10\n dhcp_renew_max_retry_count: 10\n dhcp_delay: 10\n use_external_service_ip_allocator: true\n use_privileged_containers: true\n use_openshift_security_context_constraints: true\n allow_kube_api_default_epg: true\n no_wait_for_service_ep_readiness: true\n hpp_optimization: true\n service_graph_endpoint_add_delay:\n delay: 30\n services:\n - name: ingress-service\n namespace: openshift-ingress\n - name: monitoring-service\n namespace: openshift-monitoring\n delay: 60\n add_external_subnets_to_rdconfig: true\n snat_operator:\n disable_periodic_snat_global_info_sync: true\n sleep_time_snat_global_info_sync: 60\n node_snat_redirect_exclude:\n - group: router\n labels:\n - worker\n - router\n - infra\n - group: infra\n labels:\n - infra\n - router\n image_pull_policy: IfNotPresent\n opflex_agent_policy_retry_delay_timer: 10\n use_system_node_priority_class: True\n ovs_memory_request: \"512Mi\"\n ovs_memory_limit: \"2Gi\" \n aci_containers_controller_memory_request: \"256Mi\"\n aci_containers_controller_memory_limit: \"5Gi\"\n aci_containers_host_memory_request: \"256Mi\"\n aci_containers_host_memory_limit: \"5Gi\"\n mcast_daemon_memory_request: \"256Mi\"\n mcast_daemon_memory_limit: \"5Gi\"\n opflex_agent_memory_request: \"256Mi\"\n opflex_agent_memory_limit: \"5Gi\"\n acc_provision_operator_memory_request: \"256Mi\"\n acc_provision_operator_memory_limit: \"5Gi\"\n aci_containers_operator_memory_request: \"256Mi\"\n aci_containers_operator_memory_limit: \"5Gi\"\n toleration_seconds: 100\n opflex_openssl_compat: true\n enable_opflex_agent_reconnect: true\n opflex_agent_statistics: false\n opflex_startup_enabled: true\n opflex_startup_policy_duration: 20\n opflex_startup_resolve_aft_conn: true\n opflex_switch_sync_delay: 10\n opflex_switch_sync_dynamic: 20\n add_external_contract_to_default_epg: True\n apic_connection_retry_limit: 10\n disable_hpp_rendering: True\n taint_not_ready_node: True\n unknown_mac_unicast_action: \"flood\"\n\nregistry:\n image_prefix: noiro\n aci_cni_operator_version: AciCniOperatorTag\n use_digest : true\n\nlogging:\n controller_log_level: debug\n hostagent_log_level: debug\n opflexagent_log_level: info\n operator_log_level: debug\n\nnodepodif_config:\n enable: true\n\ndrop_log_config:\n disable_events: True\n",
	`213`	+ "accProvisionInput": "operator_managed_config:\n enable_updates: true\n\naci_config:\n system_id: kube\n use_legacy_kube_naming_convention: True\n cluster_tenant: demo\n apic_hosts:\n - 10.30.120.100\n apic_login:\n username: admin\n \n apic_version: \"5.0\"\n aep: kube-aep\n apic_subscription_delay: 100\n opflex_device_delete_timeout: 1200\n apic_refreshticker_adjust: 150\n vrf:\n name: kubernetes-vrf\n tenant: common\n l3out:\n name: l3out\n external_networks:\n - l3out\n physical_domain:\n domain: kubernetes-control\n sync_login:\n certfile: user.crt\n keyfile: user.key\n vmm_domain:\n domain: kubernetes1\n controller: kubernetes1\n encap_type: vxlan\n mcast_range:\n start: 225.2.1.1\n end: 225.2.255.255\n client_ssl: false\n\nnet_config:\n node_subnet: 10.1.0.1/16\n pod_subnet: 10.2.0.1/16\n pod_subnet_chunk_size: 24\n extern_dynamic: 10.4.0.1/16\n extern_static: 10.3.0.1/24\n node_svc_subnet: 10.6.0.1/24\n kubeapi_vlan: 4001\n service_vlan: 4003\n infra_vlan: 4093\n disable_wait_for_network: true\n\nkube_config:\n aci_multipod: true\n opflex_device_reconnect_wait_timeout: 10\n dhcp_renew_max_retry_count: 10\n dhcp_delay: 10\n use_external_service_ip_allocator: true\n use_privileged_containers: true\n use_openshift_security_context_constraints: true\n allow_kube_api_default_epg: true\n no_wait_for_service_ep_readiness: true\n hpp_optimization: true\n service_graph_endpoint_add_delay:\n delay: 30\n services:\n - name: ingress-service\n namespace: openshift-ingress\n - name: monitoring-service\n namespace: openshift-monitoring\n delay: 60\n add_external_subnets_to_rdconfig: true\n snat_operator:\n disable_periodic_snat_global_info_sync: true\n sleep_time_snat_global_info_sync: 60\n node_snat_redirect_exclude:\n - group: router\n labels:\n - worker\n - router\n - infra\n - group: infra\n labels:\n - infra\n - router\n image_pull_policy: IfNotPresent\n opflex_agent_policy_retry_delay_timer: 10\n use_system_node_priority_class: True\n ovs_memory_request: \"512Mi\"\n ovs_memory_limit: \"2Gi\" \n aci_containers_controller_memory_request: \"256Mi\"\n aci_containers_controller_memory_limit: \"5Gi\"\n aci_containers_host_memory_request: \"256Mi\"\n aci_containers_host_memory_limit: \"5Gi\"\n mcast_daemon_memory_request: \"256Mi\"\n mcast_daemon_memory_limit: \"5Gi\"\n opflex_agent_memory_request: \"256Mi\"\n opflex_agent_memory_limit: \"5Gi\"\n acc_provision_operator_memory_request: \"256Mi\"\n acc_provision_operator_memory_limit: \"5Gi\"\n aci_containers_operator_memory_request: \"256Mi\"\n aci_containers_operator_memory_limit: \"5Gi\"\n toleration_seconds: 100\n opflex_openssl_compat: true\n enable_opflex_agent_reconnect: true\n opflex_agent_statistics: false\n opflex_startup_enabled: true\n opflex_startup_policy_duration: 20\n opflex_startup_resolve_aft_conn: true\n opflex_switch_sync_delay: 10\n opflex_switch_sync_dynamic: 20\n add_external_contract_to_default_epg: True\n apic_connection_retry_limit: 10\n disable_hpp_rendering: True\n taint_not_ready_node: True\n unknown_mac_unicast_action: \"flood\"\n proactive_conf: True\n\nregistry:\n image_prefix: noiro\n aci_cni_operator_version: AciCniOperatorTag\n use_digest : true\n\nlogging:\n controller_log_level: debug\n hostagent_log_level: debug\n opflexagent_log_level: info\n operator_log_level: debug\n\nnodepodif_config:\n enable: true\n\ndrop_log_config:\n disable_events: True\n",
`214`	`214`	`"userKey": "dummy\n",`
`215`	`215`	`"userCert": "dummy\n"`
`216`	`216`	`}`