[neutron] add ovn-db-sync job and further improvements

openstack/neutron/templates/deployment-ovn-northd.yaml

@@ -9,15 +9,15 @@ metadata:
     kubernetes.io/description: This Deployment launches the ovn-northd.
 spec:
   progressDeadlineSeconds: 600
-  replicas: 1
+  replicas: {{ .Values.pod.replicas.ovn_northd }}
   revisionHistoryLimit: 10
   selector:
     matchLabels:
       name: neutron-ovn-northd
   strategy:
     rollingUpdate:
-      maxSurge: 0
-      maxUnavailable: 1
+      maxSurge: 2
+      maxUnavailable: {{ sub .Values.pod.replicas.ovn_northd 1 }}
     type: RollingUpdate
   template:
     metadata:
@@ -39,8 +39,9 @@ spec:
         command: ["/usr/bin/ovn-northd"]
         args:
           - "-vfile:off"
-          - "-vconsole:{{ .Values.ovn.logLevel | default "info" }}"
-          - "--n-threads={{ .Values.ovn.nThreads | default 1 }}"
+          - "-vconsole:{{ .Values.ovn.logLevel | default "INFO" }}"
+          - --pidfile
+          - --n-threads={{ .Values.ovn.nThreads | default 1 }}
       {{- if .Values.ovn.enableSsl }}
           - --certificate=/etc/pki/tls/certs/ovndb.crt
           - --private_key=/etc/pki/tls/certs/ovndb.key
@@ -58,13 +59,10 @@ spec:
             value: "tcp:neutron-ovsdb-sb.{{ .Release.Namespace }}.svc.kubernetes.{{ .Values.global.region }}.cloud.sap:{{ $ovsdb_sb.DB_PORT }}"
         readinessProbe:
           exec:
-            command: ["/usr/bin/pidof", "ovn-northd"]
-          initialDelaySeconds: 5
-          timeoutSeconds: 3
-          periodSeconds: 3
-        livenessProbe:
-          exec:
-            command: ["/usr/bin/pidof", "ovn-northd"]
+            command:
+            - sh
+            - -c
+            - ovn-appctl --target=/tmp/ovn-northd.1.ctl status | grep -qE "active|standby"
           initialDelaySeconds: 5
           timeoutSeconds: 5
           periodSeconds: 5

openstack/neutron/templates/etc/_ml2-conf.ini.tpl

@@ -62,6 +62,18 @@ enable_vxlan = false
 [ovn]
 {{- $ovsdb_nb := index (index .Values "ovsdb-nb") }}
 {{- $ovsdb_sb := index (index .Values "ovsdb-sb") }}
+# we always use TCP, encryption is recommended to be done by reverse proxy
 ovn_nb_connection = tcp:{{ required "ovsdb-nb.EXTERNAL_IP required!" $ovsdb_nb.EXTERNAL_IP }}:{{ $ovsdb_nb.DB_PORT }}
 ovn_sb_connection = tcp:{{ required "ovsdb-sb.EXTERNAL_IP required!" $ovsdb_sb.EXTERNAL_IP }}:{{ $ovsdb_sb.DB_PORT }}
+
+ovn_l3_mode = false
+ovsdb_log_level = {{ .Values.ovn.logLevel | default "INFO" }}
+ovn_metadata_enabled = {{ .Values.ovn.metadata_enabled | default "false" }}
+disable_ovn_dhcp_for_baremetal_ports = {{ .Values.ovn.disable_ovn_dhcp_for_baremetal_ports | default "false" }}
+{{ with .Values.ovn.dns_servers }}dns_servers = {{ . | join "," }}{{ end }}
+{{ with .Values.ovn.ovn_dhcp4_global_options }}ovn_dhcp4_global_options = {{ . }}{{ end }}
+{{ with .Values.ovn.ovn_dhcp6_global_options }}ovn_dhcp6_global_options = {{ . }}{{ end }}
+{{ with .Values.ovn.dhcp_default_lease_time }}dhcp_default_lease_time = {{ . }}{{ end }}
+mac_binding_age_threshold = 86400
 {{- end }}
+

openstack/neutron/templates/etc/_uwsgi.ini.tpl

@@ -13,6 +13,9 @@ http = :{{.Values.global.neutron_api_port_internal | default 9696}}
 plugins-dir = /var/lib/openstack/lib
 need-plugins = shortmsecs
 
+# For ML2/OVN hash register initialization
+start-time = %t
+
 # Connection tuning
 vacuum = true
 lazy-apps = true

openstack/neutron/templates/job-ovn-db-sync.yaml

@@ -0,0 +1,79 @@
+{{- if .Values.ovn.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: neutron-ovn-db-sync-{{ randAlphaNum 4 | lower }}
+  labels:
+    system: openstack
+    type: configuration
+    component: neutron
+spec:
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: "{{ .Release.Name }}-ovn-db-sync"
+    spec:
+      restartPolicy: OnFailure
+      {{ include "utils.proxysql.job_pod_settings" . | nindent 6 }}
+      initContainers:
+        - name: dependencies
+          image: {{.Values.global.registry}}/loci-neutron:{{default .Values.imageVersion | required "Please set neutron.imageVersion or similar"}}
+          imagePullPolicy: IfNotPresent
+          command:
+            - kubernetes-entrypoint
+          env:
+            - name: COMMAND
+              value: "true"
+            - name: NAMESPACE
+              value: {{ .Release.Namespace }}
+            - name: DEPENDENCY_SERVICE
+              value: "{{ .Release.Name }}-server,{{ .Release.Name }}-ovsdb-nb,{{ .Release.Name }}-ovsdb-sb,{{ .Release.Name }}-mariadb"
+            {{ include "utils.sentry_config" . | nindent 12 }}
+      containers:
+        - name: {{ .Release.Name }}-ovn-db-sync
+          image: {{.Values.global.registry}}/loci-neutron:{{default .Values.imageVersion | required "Please set neutron.imageVersion or similar"}}
+          imagePullPolicy: IfNotPresent
+          command: ["dumb-init", "--"]
+          args:
+            - bash
+            - -c
+            - |
+              set -e
+              neutron-ovn-db-sync-util \
+              --config-file /etc/neutron/neutron.conf \
+              --config-file /etc/neutron/ml2-conf.ini \
+              --config-dir /etc/neutron/secrets \
+              --ovn-neutron_sync_mod repair
+              {{ include "utils.script.job_finished_hook" . | nindent 14 }}
+          env:
+            {{ include "utils.trust_bundle.env" . | nindent 12 }}
+          volumeMounts:
+            - mountPath: /etc/neutron
+              name: etc-neutron
+              readOnly: true
+            {{ include "utils.trust_bundle.volume_mount" . | nindent 12 }}
+            {{ include "utils.proxysql.volume_mount" . | nindent 12 }}
+          {{ include "utils.proxysql.container" . | nindent 8 }}
+      volumes:
+        - name: etc-neutron
+          projected:
+            defaultMode: 420
+            sources:
+            - configMap:
+                items:
+                - key: neutron.conf
+                  path: neutron.conf
+                - key: ml2-conf.ini
+                  path: ml2-conf.ini
+                - key: logging.conf
+                  path: logging.conf
+                name: neutron-etc
+            - secret:
+                name: neutron-server-secrets
+                items:
+                  - key: neutron-server-secrets.conf
+                    path: secrets/neutron-server-secrets.conf
+        {{ include "utils.trust_bundle.volumes" . | nindent 8 }}
+        {{ include "utils.proxysql.volumes" . | nindent 8 }}
+{{- end }}

openstack/neutron/values.yaml

@@ -38,7 +38,7 @@ pod:
   replicas:
     server: 3
     rpc_server: 2
-    ovn_db: 3
+    ovn_northd: 2
   lifecycle:
     upgrades:
       deployments:
@@ -252,26 +252,42 @@ ovn:
   enableSsl: false
 
 ovsdb-sb:
+  service:
+    # requirements to be accessible from outside with Calico
+    type: LoadBalancer
+    external_traffic_policy: Local
+  replicaCount: 3
   RAFT_PORT: 6644
   DB_TYPE: sb
   DB_PORT: 6442
   OVN_LOG_LEVEL: "info"
   OVN_ELECTION_TIMER: "10000"
   OVN_INACTIVITY_PROBE: "60000"
   OVN_PROBE_INTERVAL_TO_ACTIVE: "60000"
-  service:
-    # requirements to be accessible from outside with Calico
-    type: LoadBalancer
-    external_traffic_policy: Local
+  resources:
+    limits:
+      cpu: 500m
+      memory: 256Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
 
 ovsdb-nb:
+  replicaCount: 3
   RAFT_PORT: 6643
   DB_TYPE: nb
   DB_PORT: 6441
   OVN_LOG_LEVEL: "info"
   OVN_ELECTION_TIMER: "10000"
   OVN_INACTIVITY_PROBE: "60000"
   OVN_PROBE_INTERVAL_TO_ACTIVE: "60000"
+  resources:
+    limits:
+      cpu: 500m
+      memory: 256Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
 
 asr:
   config_agents: []
@@ -465,6 +481,9 @@ logging_sapccsentry:
     networking_arista:
       handlers: stdout, sentry_events, sentry_breadcrumbs
       level: DEBUG
+    neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovsdb_monitor:
+      handlers: stdout, sentry_events, sentry_breadcrumbs
+      level: INFO
 
 
 pgmetrics: